Threat Management, Malware

Microsoft seizes No-IP domains in effort to stop malware infections


Microsoft has seized several domains registered through free dynamic DNS provider – a move the tech giant said will stop the spread of remote access trojans impacting millions of users.

On Monday, Richard Boscovich, assistant general counsel for Microsoft Digital Crimes Unit, announced the action via the company's official blog, just days after a federal court in Nevada made Microsoft the DNS authority for 23 free No-IP domains.

Microsoft said that the abused domains in question were behind the majority of njRAT and njw0rm infections. Among dynamic DNS providers, No-IP domains were used 93 percent of the time to spread the remote access trojans (RATs), Boscovich wrote.

Free dynamic DNS providers are thought to be an attractive avenue for cyber criminals since they give attackers a quick way to set up subdomains and easily change DNS records that may be linked with malicious activity.

“Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the internet's address book, and is a vital part of the internet,” Boscovich's post said. “However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains. Of the 10 global malware disruptions in which we've been involved, this action has the potential to be the largest in terms of infection cleanup.”

Over the past year alone, Microsoft detected 7.4 million njRAT and njw0rm infections. The company believes that the cyber criminals behind its spread were located in Kuwait and Algeria.

With its action, Microsoft alleges that No-IP failed to take adequate steps to prevent the abuse of its domains.

“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” Boscovich wrote.

Soon after Microsoft seized the domains, criticism over the move surfaced, with many, including No-IP itself, calling the move brash.

In a company statement, No-IP said that the move affected “millions of innocent users” who experienced service outages in the midst of Microsoft's “attempt to remediate hostnames associated with a few bad actors.”

The statement also said that Microsoft failed to contact No-IP, or ask it to block any of its subdomains.

“Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyberscammers, spammers, and malware distributors. But this heavy handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly,” No-IP's statement said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.