Microsoft Settles With No-IP Over Malware Takedown

It’s been a weird couple of weeks for Microsoft. On June 30 the company announced its latest malware takedown operation, which included a civil law suit against Vitalwerks, a small Nevada hosting provider, and the seizure of nearly two dozen domains the company owned. Now, 10 days later, Microsoft has not only returned all of the seized domains but also has reached a settlement with Vitalwerks that resolves the legal action.

From the beginning, the takedown operation involving the Bladabindi and Jenxcus malware families had some indications that things were a little odd. Immediately following Microsoft’s announcement of the takedown, officials at Vitalwerks, which provides hosting as well as a free dynamic DNS service, said that they were surprised by the domain seizure and hadn’t had any communication with Microsoft at all prior to the action. They also said that many of the company’s customers were complaining that their legitimate domains were offline, a result of the takedown operation. Microsoft later said that a small technical error had caused the outage.

Some in the security research community criticized Microsoft harshly for what they saw as heavy handed tactics. Within a few days of the initial takedown and domain seizure Microsoft returned all of the domains to Vitalwerks, which does business as On Wednesday, the software giant and the hosting provider released a joint statement saying that they had reached a settlement on the legal action.

“Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware.  Those spreading the malware abused Vitalwerks’ services,” the companies said in a joint statement.

“Microsoft identified malware that had escaped Vitalwerks’ detection.  Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware.  The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware.”

Vitalwerks officials said that as a result of the takedown, more than 5 million hostnames and 1.8 million sites owned by its customers went dark.

Vitalwerks officials said that as a result of the takedown, more than 5 million hostnames and 1.8 million sites owned by its customers went dark. The basis of the takedown action was that cybercriminals were abusing No-IP’s services to run their malware operations, and Microsoft, in its supporting documents to get a temporary restraining order to take over the domains, said it would only sinkhole traffic associated with the malicious domains.

But that’s not how things turned out.

“By filing an ex parte temporary restraining order (TRO), No-IP was prevented from having any knowledge of the case or offering any support in stopping malicious activity. Had Microsoft submitted evidence of abuse at any time, No-IP would have taken swift action to validate the claims and ban any accounts that were proven to be malicious. Instead, Microsoft wasted many months while malicious activity continued,” Natalie Goguen of No-IP said in a post.

“To state this as emphatically as possible — this entire situation could have been avoided if only Microsoft had followed industry standards. A quick email or call to the No-IP abuse team would have removed the abusive hostnames from the No-IP network.”

No-IP officials said that while Microsoft eventually returned all of the seized domains and helped fix the DNS issues its customers faced, none of that should have happened to begin with.

“While we are extremely pleased with the settlement terms, we are outraged by Microsoft’s tactics and that we were not able to completely and immediately restore services to the majority of our valuable customers that had been affected.,” Goguen said.

Suggested articles


  • Charles on

    Stop hosting malware. That never should have happened. Your sites screwed up countless windows devices, you should go to jail. You enabled it. You are to blame. Take responsibility for your actions.
    • Anon on

      @Charles - They didn't host *any* malware, No-IP provide DNS services, both paid and unpaid. Microsoft's actions took down a legitimate business for a number of days, impacting *millions* of clients. Yes, millions, not an exaggeration either. If you want to complain about Malware, Windows is more of a source for that than any other software on the planet. If Microsoft wrote software correctly, there would be a lot less malware. Microsoft OS's are cruft on top of cruft on top of more cruft. Almost zero design thought went into security of any MS OS, with the exception of NT1.0 Don't be a lemming. Read, learn, and understand what happened, and don't make glib comments.
  • Anonymous on

    Microsoft does not care about those people who suffered loss of service. They wanted to sinkhole those domains for a certain purpose and that's why they didn't seek to contact the no-ip abuse team. M$ hypocrites.
  • Jo on

    It's not no-ip's problem. no-ip doesn't produce Microsoft Windows. It can't fix the bugs in Microsoft Windows. If your infected and it wasn't the result of a whole then it's your own fault. You took some action and it's not no-ip's responsibility to help fix it. Take some responsibility for your own idiot actions and stop blaming people who weren't even opposed to helping (even though they didn't have to). If Microsoft wants no-ip's cooperation they should have to pay significantly for it.
  • Anonymous on

    Charles, you are right, the Microsoft execs should go to jail for building such crappy products. Glad we agree noip was innocent and did no wrong.
  • Go on

    So now where is the Microsoft settlement for the individuals and companies screwed over by disabling the services No-IP was providing them? Still sounds like we need a class action suit to make sure to send the message to Microsoft that what they did was completely unacceptable.
  • Geek on

    It seems Amazon is the largest sender of Malware in the united states and the world. Tripling in the past 6 Months. Maybe Microsoft should take the Amazon AWS E2 service down.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.