Microsoft takes down malware pushing domain – affects legitimate sites

Recently, Microsoft seized 22 domain names from No-IP.com. The company was aiming to put [malware] criminals out of business; the domains were allegedly being used to conduct attacks against Windows users. Microsoft obtained a court order allowing it to seize control of the targeted domains. However, while some subdomains were allegedly being used in the attacks, the takedown also affected other servers that were being used for legitimate reasons.

Some are questioning how Microsoft could request and get court approval to do this. As well, according to No-IP, Microsoft never notified them so that they could take down the malicious domains themselves.

I am unsure whether Microsoft has responded to the allegation that it never warned No-IP. But I am sure No-IP was warned by others that it was hosting malware and did nothing about it [or didn’t push hard enough].

Microsoft did take things into its own hands. But No-IP should have known that this could happen to them, if not through pressure from Microsoft then from some other company.

As for Microsoft flexing its muscle, I don’t think it was Microsoft’s job to verify the facts. It was the court that was responsible for making the final decision. Whether or not the court [before approving the takedown] asked Microsoft if it would affect legitimate sites is a question that needs answering. This is like asking for a warrant to arrest a suspect: the judge reviews the evidence given and may or may not request further information. [I’m assuming the court that gave Microsoft the approval knows a bit about technology.]

I think it is also time that registrars were held partially responsible for what goes on with the domains they have registered. Too many of them will register a domain without caring. Why else would someone register domains like [if they still exist – don’t check!] adobe-downloads.com, windowsenterprisedefender.com and microsoftantispyware.net?

In the end, I’d rather be safe than sorry. Take down the domain. Those with legitimate sites can go after No-IP for knowingly hosting suspicious web sites that could affect their own site’s operation. [Of course I’m not a lawyer.]

[Update 2014/07/04:] Microsoft has since apologized to the legitimate sites that were affected, calling it a “technical error”. Note that it took the court about a week to grant Microsoft’s request for the takeover. I still think the judge involved didn’t do his/her homework to see if it would affect others.

But according to reports, it did do some damage to the Syrian Electronic Army as well. According to Kaspersky Labs, the takedown impacted a quarter of the “advanced persistent threat” actors it has been tracking.

The malware in this case was Bladabindi (NJrat) and Jenxcus (NJw0rm), which between them relied predominantly on No-IP hostnames and generated over seven million infections in the past year.

Vitalwerks, which runs No-IP, said it has now regained 18 of the 23 domains that Microsoft commandeered on Monday under a restraining order granted by the state’s federal court. I will assume these house the more legitimate sites.

Meanwhile, No-IP said at one point that it was under a DDoS (distributed denial-of-service) attack, but that the attack did not affect its DNS infrastructure.

Warning about the DNSChanger malware – July 9th deadline

Google is warning users whose computers are infected with the DNSChanger malware when they use its search engine. Users whose computers are found to be infected are shown a link to directions for removing the malware from their computers.

DNSChanger initially redirected users to sites with advertisements the attackers wanted them to view. Authorities [with the help of Microsoft and some other companies] seized the malicious servers and replaced them with their own, which resolve names correctly and send users to the proper sites. But the court order allowing them to operate those servers expires on July 9, 2012; once the servers are switched off, any still-infected computer will no longer be able to resolve domain names, which for practical purposes means it will not be able to reach the Internet.

You can check by going to http://www.dns-ok.ca/, a website created by the organization that runs Canada’s .ca domain registry. Make sure you run the test before July 9th.

For your reference (a very basic definition): a DNS server is a server that resides on the Internet; your Internet provider, as well as independent companies and organizations, will run them. The DNS server translates the web site name you type into your browser [e.g. www.wordpress.com] into an Internet Protocol [IP] address, or the reverse. Think of an IP address as a street address: each one has to be unique. While your request hops from location to location on its way to the destination, only the IP address is used.
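To make that translation concrete, here is an added example of my own (not code from the original post): a minimal encoder/decoder for the DNS wire format that builds an A query for www.wordpress.com and parses the answer. Because it runs offline, the responses are constructed in the script rather than captured from a real resolver, and the addresses come from the RFC 5737 documentation ranges. The same query is answered twice, once by an honest resolver and once by an attacker-controlled one, which is exactly the difference DNSChanger exploits: the client asks the same question and simply trusts whoever it has been pointed at.

```python
import struct

# Added example: minimal DNS wire-format handling for A records (RFC 1035).
# All responses below are constructed by hand; nothing touches the network.

def encode_name(name):
    """Encode 'www.wordpress.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid):
    """Standard recursive A/IN query: 12-byte header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers. Returns (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer to an earlier name
            if end is None:
                end = offset + 2                       # parsing resumes right after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end

def parse_a_answers(msg):
    """Return (txid, [(name, ttl, dotted_ip), ...]) for the A records in a response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class, 4-byte address
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return txid, answers

def build_constructed_response(query, ip, ttl=300):
    """Construct the answer a resolver would send for `query` (a fixture, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                              # reuse the question section verbatim
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a pointer back to offset 12, i.e. the name in the question section.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def resolve_with(query, response):
    """Client-side check: refuse any answer whose transaction id does not match the query."""
    txid, answers = parse_a_answers(response)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: response was not for this query")
    return [ip for _name, _ttl, ip in answers]

if __name__ == "__main__":
    q = build_query("www.wordpress.com", txid=0x1234)
    honest = build_constructed_response(q, "192.0.2.10")    # RFC 5737 documentation address
    rogue = build_constructed_response(q, "198.51.100.7")   # same query, attacker-chosen answer
    print("honest resolver says:", resolve_with(q, honest))
    print("rogue resolver says: ", resolve_with(q, rogue))
```

Note that nothing in the exchange lets the client tell the two answers apart: the transaction id matches, the question is echoed back correctly, and the record is well formed. The only defence in the DNSChanger case was making sure the machine was not configured to ask the rogue server in the first place.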

Now, if malware such as DNSChanger has changed the DNS server your computer uses to one the attackers control, you would notice requests ending up at the wrong web sites, anti-virus being disabled, pop-up windows and other issues.
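If you would rather check a machine yourself than rely on a web page, here is an added example of my own (not from the original post, and not how dns-ok.ca works): it reads the resolver addresses out of a Linux /etc/resolv.conf or a Windows `ipconfig /all` listing and compares them against the address ranges the FBI published for the DNSChanger rogue servers. The two configuration excerpts are constructed, the clean resolver addresses are from the RFC 5737 documentation range, and the rogue ranges are reproduced from the FBI’s 2012 notice as I recall it, so confirm them against the official list before relying on this.

```python
import ipaddress
import re

# Added example. Address blocks the FBI published in 2012 as the ranges used by the
# DNSChanger rogue resolvers (reproduced from that notice; verify before relying on them).
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
)]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def configured_resolvers(text):
    """Pull resolver addresses out of /etc/resolv.conf or `ipconfig /all` output.

    Understands `nameserver A.B.C.D` lines and the Windows `DNS Servers . . : A.B.C.D`
    line plus its indented continuation lines. Returns de-duplicated IPv4Address objects.
    """
    found, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            found += IPV4.findall(stripped)
            in_dns_block = False
        elif "DNS Servers" in line:
            found += IPV4.findall(line)
            in_dns_block = True                    # following lines may list more servers
        elif in_dns_block and IPV4.fullmatch(stripped):
            found.append(stripped)
        else:
            in_dns_block = False
    resolvers = []
    for token in found:
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:                         # e.g. "999.1.1.1" matched the regex
            continue
        if addr not in resolvers:
            resolvers.append(addr)
    return resolvers

def rogue_resolvers(text):
    """Return the configured resolvers that fall inside a known DNSChanger range."""
    return [str(a) for a in configured_resolvers(text)
            if any(a in net for net in ROGUE_RANGES)]

# Constructed samples (not captured from a real machine).
CLEAN_RESOLV_CONF = """\
# Generated by NetworkManager
search example.net
nameserver 192.0.2.53
nameserver 192.0.2.54
"""

INFECTED_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.0.2.20
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, sample in (("clean host", CLEAN_RESOLV_CONF), ("infected host", INFECTED_IPCONFIG)):
        print(f"{label}: resolvers={[str(a) for a in configured_resolvers(sample)]} "
              f"rogue={rogue_resolvers(sample)}")
```

On a Linux box you would feed it the contents of /etc/resolv.conf; on Windows, the output of `ipconfig /all`. A hit means the machine is still pointed at the seized servers and will lose name resolution once they go dark, so fix the resolver settings and clean the machine, not just the one symptom.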