Microsoft disrupts malware networks and APT operations

Microsoft’s Digital Crimes Unit struck again, and was allowed to seize 23 free domain names in an effort to strike a fatal blow to malware delivery networks run by a Kuwaiti and an Algerian national.

“In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large,” shared Richard Boscovich, Assistant General Counsel with the unit.

“We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.

“These families can install backdoor trojans on your computer, which allow criminals to steal your information, such as your passwords, and use your computer to collect other sensitive information. For example, Bladabindi can take snapshots and record videos without your permission. It can also control your system remotely,” Tanmay Ganacharya and Francis Tan Seng of the Microsoft Malware Protection Center explained.

“These backdoor trojans can also upload new components or malware to your computer to add more malicious functionality. They often communicate with hosts that are typically a Dynamic DNS service such as No-IP because this makes them more difficult to trace.”

Those two malware families have infected nearly 7.5 million computers in the last 12 months and, according to Microsoft’s research, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections. “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” says Boscovich.

So Microsoft decided to step in and obtained permission to become the DNS authority for the company’s 23 free domains; known bad traffic to those domains is now redirected to a Microsoft sinkhole.

According to Kaspersky Lab researchers, this move by Microsoft has also disrupted many other APT operations, which used No-IP for their C&C infrastructure. “Based on our statistics, the shutdown has affected in some form at least 25% of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 204.95.99.59,” Costin Raiu pointed out.
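As an added example (not from the article, Microsoft or Kaspersky), the following defender-side check scans resolver logs for internal hosts whose dynamic DNS lookups now resolve to the sinkhole address quoted above; the log line format and the hostnames are constructed placeholders, not real No-IP domains.

```python
import ipaddress
import re
from collections import defaultdict

# Sinkhole address quoted by Kaspersky Lab in the article.
MICROSOFT_SINKHOLE = ipaddress.ip_address("204.95.99.59")

# Constructed resolver log format (assumption, not a real tool's format):
#   <timestamp> <client-ip> <queried-name> <answer-ip>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<answer>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None for malformed lines or bad addresses."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "client": ipaddress.ip_address(m["client"]),
            "qname": m["qname"].rstrip(".").lower(),
            "answer": ipaddress.ip_address(m["answer"]),
        }
    except ValueError:
        return None


def sinkholed_clients(lines, sinkhole=MICROSOFT_SINKHOLE):
    """Map each internal client to the hostnames it resolved to the sinkhole.
    A host that keeps asking for a dynamic DNS name and receives the sinkhole
    address is a likely Bladabindi/Jenxcus infection worth triaging."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["answer"] == sinkhole:
            hits[str(rec["client"])].add(rec["qname"])
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample log; benign answers use TEST-NET addresses.
SAMPLE_LOG = [
    "2014-07-01T10:00:01Z 10.0.0.12 update.example.net 192.0.2.10",
    "2014-07-01T10:00:05Z 10.0.0.23 hacker123.ddns-placeholder.example 204.95.99.59",
    "2014-07-01T10:00:09Z 10.0.0.23 cam-feed.ddns-placeholder.example 204.95.99.59",
    "2014-07-01T10:00:12Z 10.0.0.40 www.example.com 192.0.2.20",
    "malformed line",
]

if __name__ == "__main__":
    for client, names in sinkholed_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```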

To say that No-IP is unsatisfied with this development would be an understatement.

“We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives,” stated Natalie Goguen, No-IP’s marketing manager.

“Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one.”

The company is also unsatisfied with the quality of Microsoft’s work when it comes to passing legitimate traffic through to users.

“Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.”

Some researchers have pointed out that No-IP has a history of being very responsive when it comes to reacting to reports about malicious domains and killing them.

Malcovery co-founder and chief technologist Gary Warner posits that the problem might be the nature of the two malware families.

“While the security community regularly sees and reports on financial crimes malware, such as Zeus, or malware that has significant and widespread distribution, in most cases njRat No-IP domains are being used by small-time botmasters to allow themselves to spy on a few dozen webcams,” he pointed out.

“While njRat certainly has the capability to be used for more significant crimes (…) its primary reputation is as a tool for online perverts. Their typical victims tend to lack the Internet-savvy that allows corporate, industry, and government malware victims to report malware victimization to No-IP to receive a response.”