Microsoft has named two men, a Kuwaiti and an Algerian national, in a civil case for their involvement in creating, controlling and assisting in infecting millions of computers with malicious software.
According to a blog by Richard Domingues Boscovich, assistant general counsel at the Microsoft Digital Crimes Unit, their actions harmed “Microsoft, its customers and the public at large”. He said that Mohamed Benabdellah and Naser Al Mutairi, as well as the US company Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), were responsible for infecting users with the Bladabindi (NJrat) and Jenxcus (NJw0rm) families of malware.
He said: “The social media-savvy cyber criminals promoted their wares across the internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers to conduct illicit crimes—demonstrating that cyber crime is indeed a global epidemic.
“Of the ten global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 per cent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains.”
Boscovich said that despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity. There have also been more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months.
According to Reuters, the malware has slick dashboards with point-and-click menus to execute functions such as viewing a computer screen in real time, recording keystrokes, stealing passwords and listening to conversations. The malware was purchased by at least 500 customers, who are identified in the court documents as John Does 1 to 500. Boscovich said the developers marketed their malware over social media, including videos on Google Inc’s YouTube and a Facebook page, as well as instructional videos with techniques for infecting PCs that were posted online.
The civil action alleges that the malware was distributed through more than 18,000 sub-domains belonging to No-IP, and Microsoft filed for an ex parte temporary restraining order against No-IP at the US District Court for Nevada on Thursday 19th June. This was granted on June 26th and Microsoft became the DNS authority for the company’s 23 free No-IP domains, allowing it to sinkhole all known bad traffic to Microsoft and classify the identified threats.
Boscovich said: “As malware authors continue to pollute the internet, domain owners must act responsibly by monitoring for and defending against cyber crime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cyber criminals to operate anonymously and harder to victimise people online.”
In a response, No-IP said it was “very surprised by this” as it has “a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us”.
“Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives,” it said.
“We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad host names in each seized domain, while continuing to allow the good host names to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.”
Calling the action by Microsoft “heavy-handed” and “draconian”, it said that had Microsoft contacted them, it could and would have taken immediate action. “Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent internet users.”