Microsoft’s latest takedown of a malware operation, announced Monday and involving the infrastructure of several malware families, has, like many of the company’s actions, elicited strong opinions on both sides of the issue from security researchers, activists and others with a stake in the game. This takedown didn’t involve simply hitting the C2 infrastructure of a botnet, but also includes legal action against a hosting company, No-IP.com, which has called out Microsoft for its tactics and raised a lot of questions in the security community, as well.
One of the main methods that Microsoft uses in these takedowns is the acquisition of a temporary restraining order, a legal authority that gives the company the ability to seize domains and sinkhole domains used in malicious operations to reroute traffic to domains Microsoft controls. Sinkholes are a time-tested and accepted method for disrupting the operation of botnets and other malware enterprises and are used in a variety of ways. Researchers often will work with hosting providers to reroute traffic from malicious domains to ones controlled by the researchers or by law enforcement, helping to cut off the lifeline of the operations. The takedown of the infrastructure used by the Bladabindi and Jenxcus malware families provides an interesting view into how various involved parties handle this issue.
“We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. In the past, we’ve predominately seen botnets originating in Eastern Europe; however, the authors, owners and distributors of this malware are Kuwaiti and Algerian nationals,” Richard Boscovich Domingues, assistant general counsel in the Microsoft Digital Crimes Unit, wrote in a blog post.
“Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains. Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.”
Research from Kaspersky Lab supports the assertions by Microsoft about the abuse of No-IP domains by cybercriminals. The company found that not only were No-IP domains begin used for C2 for the Bladabindi and Jenxcus malware families, but the takedown had a massive effect on the function of many APT operations
“Based on our statistics, the shutdown has affected in some form at least 25% of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 18.104.22.168,” Costin Raiu, head of the Global Research and Analysis Team at Kaspersky, wrote in a post on Tuesday.
But the use of sinkholing is not without controversy. The tactic sometimes can have a ripple effect well beyond the intended disruption of a target botnet or malware operation, and some hosting providers don’t take kindly to outside companies messing with their businesses. And even those in the research community who spend their days working to hamstring botnets are not of one mind on the topic. Some researchers worry about the potential for the abuse of power in these cases, and are concerned that the tactic may disrupt legitimate businesses in the process of taking down attack infrastructures.
“Domain seizure is a very common strategy, which is however getting out of control. The wild use of domain sinkholing has been a controversial discussion for a long time, the fact that we’re seeing corporations like Microsoft seizing assets belonging to legitimate companies made many peers in our community drop their jaws,” said Claudio Guarnieri, a well-known botnet researcher.
No-IP is a relatively small hosting provider, but it was known to researchers before the takedown. But Guarnieri said Microsoft should have used other means to handle the situation.
“Any other way would have been a better one. Microsoft is building legal precedents to be able to indiscriminately police the Internet at their own discretion. It is absolutely intolerable that Microsoft feels entitled to “take to task” another company and seize its assets, apparently without having explored all possible avenues as No-IP’s statement indicates. Microsoft’s DCU has been disrespectful and uncooperative in many of its recent operations and I’m sure the community will start protesting and refusing to work with them in the future,” he said.
“Whether No-IP was or was not cooperative is irrelevant (still consider that it’s a very small organization), the fact that Microsoft decided “school” them and severely damage their business because they didn’t live up to Microsoft’s own standards is ludicrous.”
Meanwhile, officials at No-IP said that not only does the company not support the operations of cybercriminals, but that it has worked with Microsoft in the past and the company didn’t contact No-IP in this case.
“We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives,” the company said in a statement.
“We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.”
Microsoft has used similar tactics in many previous malware and botnet takedowns, and its Digital Crimes Unit has taken an aggressive stance on combating cybercrime operations. The company also recently unveiled a flashy new dedicated cybercrime center on its Redmond campus, a nerve center for monitoring malware operations and conducting offensive campaigns.