Less than a week after Microsoft seized nearly two dozen domains owned by a small hosting provider as part of a takedown of a malware operation, all of those domains are back in the control of the provider, No-IP.
When Microsoft announced the takedown on June 30, officials said that the company had gotten a temporary restraining order from a judge in Nevada allowing it to take over 23 domains owned by a company called Vitalwerks, which operates No-IP.com and No-IP.org. The hosting provider also runs a free dynamic DNS service, which Microsoft claimed was abused, along with the hosting services, by cybercriminals involved in the operation of the Bladabindi and Jenxcus malware families.
Officials at Vitalwerks denied that the company knowingly allowed attackers to use its infrastructure and services, and said that Microsoft hadn’t even contacted the company before the seizure. They also said that the domain seizure affected many of the company’s other customers; a couple of days after the initial takedown, Microsoft admitted that a “technical error” had led to that problem but said it had been resolved. As of the end of last week, however, Vitalwerks officials said that their customers were still experiencing outages.
But now, all of the seized domains have been returned to the control of Vitalwerks, a remarkable shift in circumstances.
“We would like to give you an update and announce that ALL of the 23 domains that were seized by Microsoft on June 30 are now back in our control. Please realize that it may take up to 24 hours for the DNS to fully propagate, but everything should be fully functioning within the next day. One of the domains, noip.me, took longer to get back online, but it should be fully restored within the next day,” the company said in a statement.
Microsoft has for the past several years been executing these kinds of takedowns, often focusing on botnets and large-scale malware operations, and one component of many of them has been the seizure of domains used for command and control or for infection. Such seizures have long been a controversial tactic in the security community, but Microsoft officials, through the company’s Digital Crimes Unit, have made them commonplace. This latest takedown operation, however, raised many eyebrows among security researchers, some of whom questioned why Microsoft is being permitted to take control of other companies’ property.
“Domain seizure is a very common strategy, which is however getting out of control. The wild use of domain sinkholing has been a controversial discussion for a long time, the fact that we’re seeing corporations like Microsoft seizing assets belonging to legitimate companies made many peers in our community drop their jaws,” said Claudio Guarnieri, an independent security researcher who has worked on many anti-botnet projects.
Microsoft officials said they were still working with Vitalwerks on identifying specific malicious subdomains.
“We are pleased at the progress we’ve made in our discussions with No-IP. They have regained control of their domains, and we are reviewing the malicious subdomains to identify the victims of the malware,” David Finn, executive director and associate general counsel, Digital Crimes Unit at Microsoft, said in a statement.