Microsoft takes down malware pushing domain – affects legitimate sites
July 4, 2014 Leave a comment
Recently, Microsoft seized 22 domain names from No-IP.com; the company was aiming to put mostly [malware] criminals out of business, as the domains were allegedly being used to conduct attacks against Windows users. Microsoft obtained a court order allowing it to seize control of the targeted domains. However, while some subdomains were allegedly being used in the attacks, the takedown also affected other hosts under those domains that were being used for legitimate reasons.
Some are questioning how Microsoft could request and get court approval to do this. As well, according to No-IP, Microsoft never notified it so that the malicious subdomains could be taken down.
I am unsure whether Microsoft has responded to the allegation that it never warned No-IP. But I am sure No-IP was warned by others that it was hosting malware and did nothing about it [or didn’t push hard enough].
Microsoft did take things into its own hands. But No-IP should have known that this could happen to it, if not through Microsoft’s pressure then through some other company’s.
As for Microsoft flexing its muscle, I don’t think it was Microsoft’s job to verify the facts. It was the court that was responsible for making the final decision. Whether or not the court [before approving the takedown] asked Microsoft if it would affect legitimate sites is a question that needs answering. This is like asking for a warrant to arrest a suspect: the judge reviews the evidence given and may or may not request further information. [I’m assuming the court that gave the approval to Microsoft knows a bit about technology.]
I think it is also time that registrars were held partially responsible for what goes on with the domains they register. Too many of them will register a domain without caring. Why else would someone be allowed to register domains like [if they still exist – don’t check!] adobe-downloads.com, windowsenterprisedefender.com, and microsoftantispyware.net?
In the end, I’d rather be safe than sorry. Take down the domain. Those with legitimate sites can go after No-IP for knowing it was hosting suspicious web sites that could affect their sites’ operation. [Of course I’m not a lawyer.]
[Update 2014/07/04:] Microsoft has since apologized to the legitimate sites that were affected for what it called a “technical error”. Note that it took the court about a week to grant Microsoft’s request for the takeover. I still think the judge involved didn’t do his/her homework to see whether it would affect others.
But according to reports, the takedown did do some damage to the Syrian Electronic Army as well. According to Kaspersky Lab, it impacted a quarter of the “advanced persistent threat” actors the company has been tracking.
The malware in this case was Bladabindi (NJrat) and Jenxcus (NJw0rm), which together relied predominantly on No-IP and generated over seven million infections in the past year.
Vitalwerks, which runs No-IP, said it has now regained control of 18 of the 23 domains that Microsoft commandeered on Monday under a restraining order granted by the federal district court. I will assume these house the more legitimate sites.
Meanwhile, at one point No-IP said it was under a DDoS (distributed denial-of-service) attack, but that it did not affect its DNS infrastructure.