It’s been a weird couple of weeks for Microsoft. On June 30 the company announced its latest malware takedown operation, which included a civil lawsuit against Vitalwerks, a small Nevada hosting provider, and the seizure of nearly two dozen domains the company owned. Now, 10 days later, Microsoft has not only returned all of the seized domains but has also reached a settlement with Vitalwerks that resolves the legal action.
From the beginning, there were signs that something was off with the takedown operation, which targeted the Bladabindi and Jenxcus malware families. Immediately following Microsoft’s announcement, officials at Vitalwerks, which provides hosting as well as a free dynamic DNS service, said that they had been surprised by the domain seizure and had had no communication with Microsoft prior to the action. They also said that many of the company’s customers were complaining that their legitimate domains were offline as a result of the takedown. Microsoft later said that a small technical error had caused the outage.
Some in the security research community criticized Microsoft harshly for what they saw as heavy-handed tactics. Within a few days of the initial takedown and domain seizure, Microsoft returned all of the domains to Vitalwerks, which does business as No-IP.com. On Wednesday, the software giant and the hosting provider released a joint statement saying that they had reached a settlement on the legal action.
“Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware. Those spreading the malware abused Vitalwerks’ services,” the companies said in a joint statement.
“Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware.”
Vitalwerks officials said that as a result of the takedown, more than 5 million hostnames and 1.8 million sites owned by its customers went dark. The basis of the takedown action was that cybercriminals were abusing No-IP’s services to run their malware operations, and Microsoft, in the documents it filed to obtain a temporary restraining order allowing it to take over the domains, said it would sinkhole only the traffic associated with the malicious subdomains.
But that’s not how things turned out.
“By filing an ex parte temporary restraining order (TRO), No-IP was prevented from having any knowledge of the case or offering any support in stopping malicious activity. Had Microsoft submitted evidence of abuse at any time, No-IP would have taken swift action to validate the claims and ban any accounts that were proven to be malicious. Instead, Microsoft wasted many months while malicious activity continued,” Natalie Goguen of No-IP said in a post.
“To state this as emphatically as possible — this entire situation could have been avoided if only Microsoft had followed industry standards. A quick email or call to the No-IP abuse team would have removed the abusive hostnames from the No-IP network.”
No-IP officials said that while Microsoft eventually returned all of the seized domains and helped fix the DNS issues its customers faced, none of that should have happened to begin with.
“While we are extremely pleased with the settlement terms, we are outraged by Microsoft’s tactics and that we were not able to completely and immediately restore services to the majority of our valuable customers that had been affected,” Goguen said.