The Bankwatch

Tracking the consumer evolution of financial services

Microsoft successfully take down alleged malware host ISP no-ip.com

This story reflects the kind of thing that is usually told in urban legend terms, but this one actually happened. Microsoft took on no-ip.com and took down their network. What is especially interesting and precedent setting is that Microsoft obtained a court order to initiate the attack. The order is dated Jun 30th, 2014 for execution today Jul 1st, 2014.

No-ip provides a dynamic IP hosting service that acts as described here by Brian Krebs:

Typically, the biggest users of dynamic DNS services are home Internet users who wish to have a domain name that will always point back to their home computer, no matter how many times their ISP changes the numeric Internet address assigned to that computer.

In this case, however, the attackers responsible for leveraging these two malware families — remote-access Trojans known as “njrat” and “njw0rm” — were using no-ip.com’s services to guarantee that PCs infected with this malware would always be able to reach the Internet servers that the attackers were using to control them.

In short, such services are used by criminals to host bot networks. Bot networks are used to manage thousands of personal and corporate PCs and to have them act as one large computer to spread malware and mount Distributed Denial of Service Attacks.

This presents moral and legal dilemmas in these times of government surveillance, malware, and internet security.

  1. Legal Understanding: when Microsoft obtained the court order, did the judge comprehend what he was being asked and what he was approving Microsoft to do?
  2. Private Agents of Law: this sets a precedent of a private corporation taking on and defeating criminals. This was at Microsoft’s own volition, and not as far as we know at the behest of a law agency.
  3. Appropriate force: In this case they also defeated apparently legitimate users. In war we have become blasé about surgical strikes, drone attacks and smart missiles (as we saw last night in Gaza where individual rooms in an apartment block were blown up). The force used was more akin to a nuclear bomb than a laser guided missile attack.

Relevance to Bankwatch:

This has strong relevance to banks, where the urban legends of certain large banks taking out hacker networks several years ago did the rounds.

Let's dive a little deeper on this. Here is the court order obtained by Microsoft. You will see the order was granted on the basis that the Defendants Mutairi, Benabdellah, and Does 1-500 were suspected of violating the Anti-Cybersquatting Consumer Protection Act by facilitating placement of malware onto others' computers without their permission. Those people/entities are referred to as ‘malware defendants’.

msft-noip-tro.pdf

And more specifically the defendants are accused of:

a. Leasing to Malware Defendants No-IP sub-domains containing Microsoft’s protected marks; and
b. Negligently enabling Malware Defendants to participate in illegal acts, and failing to take sufficiently corrective action to stop and prevent the abuse of its services, all of which harms Microsoft, Microsoft’s customers, and the general public.

The order provides Microsoft authority to:

To immediately, on all authoritative name servers for the .COM, .NET, .ORG, .BIZ, and .INFO top level domains, change the Domain Name System authoritative name servers for the No-IP second-level domains, listed in Appendix B, that are associated with the malware sub-domains (“Malware Sub-Domains”), listed in Appendix A, to “ns7.microsoftinternetsafety.net” and “ns8.microsoftinternetsafety.net,” and remove all other authoritative name servers for the domains listed in Appendix B. The Registry Operators shall reasonably cooperate with Microsoft to implement this order through one or more of the foregoing changes, as may be necessary to effectuate the terms of this order;

In short, Microsoft have authority to get control of domains that purport to represent Microsoft (by containing Microsoft's name). The final order is the one that fascinates me:

IT IS FURTHER ORDERED that the authoritative name server set up and managed by Microsoft to respond to requests for the IP addresses of the sub-domains of No-IP may respond to requests for the IP address of any domain listed in Appendix B or later determined to be associated with malware activity either by (1) giving no reply; or (2) replying with the address of a special Microsoft “sink-hole” computer, which, when contacted, shall log the date and time of the request, the IP address and related information from the requesting computer but otherwise not respond to the request.

Sink hole? I had to look that up:

A sinkhole is a standard DNS server that has been configured to hand out non-routeable addresses for all domains in the sinkhole, so that every computer that uses it will fail to get access to the real website.

In other words, any attempt to access links routed to the sink-hole will go nowhere. This probably explains the fact that 4 million users were impacted, and to me, rather than overpowering force, it suggests that the criminal activity at no-ip was in fact wider and broader than even Microsoft knew.
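The two responses the order permits, and the sink-hole's log-only behaviour, sketched as an added example that is not part of the original post or the court order. The zone and host names, the sink-hole address and the assumption that the sink-hole can tell which name a client was trying to reach are all constructed for illustration, since Appendix A and Appendix B are not reproduced on this page.

```python
from datetime import datetime, timezone

# Constructed placeholders: the order's Appendix A and B are not on this page.
SEIZED_ZONES = {"dyn-provider.example"}            # stands in for Appendix B
MALWARE_NAMES = {"c2-host.dyn-provider.example"}   # stands in for Appendix A
SINKHOLE_ADDR = "192.0.2.53"                       # documentation-range address

def seized_zone(qname):
    """Return the seized zone that qname falls under, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in SEIZED_ZONES:
            return zone
    return None

def resolve(qname, mode="sinkhole"):
    """Name-server side: the two responses the order permits."""
    if seized_zone(qname) is None:
        return "NOT_AUTHORITATIVE"   # name is outside the seized zones
    return None if mode == "no-reply" else SINKHOLE_ADDR

def sinkhole_contact(log, client_ip, qname, when):
    """Sink-hole side: log the contact and send nothing back.
    Assumption: the name the client wanted is recoverable from the connection."""
    name = qname.rstrip(".").lower()
    log.append({"time": when.isoformat(), "client": client_ip,
                "name": name, "listed": name in MALWARE_NAMES})
    return b""

def triage(log):
    """Separate clients that asked for listed malware names from the rest."""
    infected = {e["client"] for e in log if e["listed"]}
    collateral = {e["client"] for e in log} - infected
    return infected, collateral

def demo():
    log, when = [], datetime(2014, 7, 1, 12, 0, tzinfo=timezone.utc)
    queries = [("198.51.100.7", "C2-Host.dyn-provider.example."),  # constructed
               ("203.0.113.20", "homecam.dyn-provider.example"),
               ("203.0.113.21", "vpn.dyn-provider.example"),
               ("198.51.100.7", "mail.dyn-provider.example")]
    for client, name in queries:
        if resolve(name) == SINKHOLE_ADDR:
            sinkhole_contact(log, client, name, when)
    return triage(log)

if __name__ == "__main__":
    print(demo())
```

In the constructed data only one client asked for a listed name; the other two reach the sink-hole simply because the whole second-level domain was redirected.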

Back to the three dilemmas:

1. The order is very carefully and clearly worded despite use of terminology, so I believe the Judge knew exactly what he was approving. More power to the Microsoft lawyers and engineers for making that milestone.

2. This is a non-issue. Microsoft were provided authority to claim that to which they have every right: their name.

3. Appropriate force is also a non-issue. There may be legitimate uses for free dynamic IP hosting; however, unequivocally one use is for criminal use in managing botnets. Despite any legal arguments to the contrary, what these people were doing was facilitating crime, and Microsoft found a way to legally stop them. Meantime, as a regular user I ask: would you locate your web site with these people? The force was appropriate and probably uncovered more illegal activity than expected.

Go Microsoft, and I would like to see the computing and brain power of Google, Facebook and Yahoo get into this game as strongly as Microsoft. Going back to my first dilemma, the legal system cannot do this by itself. Similarly, NSA, GCHQ, ASD, CSEC, GCSB (The Five Eyes) perhaps could, but their hands have been tied by the Snowden leaks.

It is too technical and fast evolving, and requires engineers on the edge of this world who understand it.

Written by Colin Henderson

July 1, 2014 at 12:20


2 Responses


  1. Technology professionals use No-IP services to facilitate the clean transfer of domains and other services for clients. It is extremely useful for large migrations, especially recently with large migrations to cloud services. It allows for instantaneous domain control.

    For some clients we leave services running with no ip. I have hundreds of clients relying on these services functioning properly. Often it's for access to VPNs or mobile users.

    There may be some criminals using no-ip… but there are likely far far more using Microsoft products and services.

    This was a huge mistake on Microsoft's part. Unless of course they have another agenda.

    Lz

    July 2, 2014 at 04:48

  2. I think you need to look at what has happened a little closer. No-Ip is a legitimate company with millions of legitimate users. My guess is that the people at Microsoft instigating this are probably new in technology or law and do not fully comprehend what they have done.

    Going after criminals is excellent... No-Ip is a legitimate company and was one of the first to provide dynamic DNS services.

    This outage is costing my clients, legitimate large businesses, a small fortune. There are millions of users sitting at their desks today without email or access to business systems.

    This seizure was wrong and misguided.

    Lz

    July 2, 2014 at 04:56

