In the course of its actions to take down a major malware operation, Microsoft seized more than 20 domains from No-IP.com, a hosting provider in Nevada. Microsoft now admits that the company made a technical mistake as part of that takedown, an error that resulted in legitimate No-IP.com customers losing service.
The Microsoft takedown of the infrastructure used in the operation of the Bladabindi and Jenxcus malware families is the latest in a series of such actions that the software giant has taken against botnet operators, malware gangs and other cybercrime operations. The company’s Digital Crimes Unit, a composite of lawyers, security researchers and investigators, spearheads these efforts, working with law enforcement agencies in the United States and around the world to identify and disrupt cybercrime operations and operators. The company has been involved in takedowns of several botnets, including Kelihos, Citadel and others.
But Microsoft’s involvement in these operations has not been without controversy. Security researchers have questioned why the company is taking it upon itself to seek legal authorities to seize domains, servers and other assets. This latest takedown, announced Monday, raised many of those same questions, with researchers and officials at No-IP.com criticizing Microsoft’s actions and saying the company had overstepped its bounds.
“Domain seizure is a very common strategy, which is, however, getting out of control. The wild use of domain sinkholing has been a controversial discussion for a long time; the fact that we’re seeing corporations like Microsoft seizing assets belonging to legitimate companies made many peers in our community drop their jaws,” said Claudio Guarnieri, a botnet researcher.
Officials at No-IP.com said that Microsoft had never contacted them prior to the takedown operation and denied that the company was involved in providing cover for any cybercrime operations. Now, Microsoft officials say that the company made a technical error that caused disruptions for the legitimate customers of No-IP.
“Yesterday morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an Internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6 a.m. Pacific time today, all service was restored. We regret any inconvenience these customers experienced,” David Finn, executive director and associate general counsel, Digital Crimes Unit at Microsoft, said in a statement Tuesday.
On Monday, officials at No-IP said that they had talked to Microsoft and were trying to resolve the domain issues.
“We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening,” the company said in a statement.
On Tuesday, No-IP said some of its customers were still having problems.
“We apologize for this outage. At this point it is completely out of our hands, but please understand that we are fighting for you,” the company said.
Image via marcelograciolli‘s Flickr photostream, Creative Commons