Critics blast Microsoft's takedown of No-IP domains

Microsoft contends it seized domains to stop distribution of two widely used malware tools

Microsoft's tactics in using a court order to seize nearly two-dozen domains it said were used to distribute Windows malware tools were called ham-handed by several critics.

No-IP, a Reno, Nev. provider of dynamic domain name services, said Microsoft's sudden takedown of its domains was initiated without prior warning and disrupted Internet service for innocent customers.

In a blog post Monday, No-IP accused Microsoft of causing widespread problems for its customers. "Millions of innocent users are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors," the company claimed.

David Finn, executive director and associate general counsel of Microsoft's Digital Crimes Unit, defended the company's actions but acknowledged that the move affected innocent users.

"Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service," Finn said in an email on Tuesday. However, Microsoft has since restored all service, he said. "We regret any inconvenience these customers experienced."

A Microsoft spokeswoman declined further comment.

No-IP said it would have taken immediate action to address any problems with its domains had Microsoft given it notice.

Brian Honan, an independent security consultant with BH Consulting in Dublin, Ireland, questioned Microsoft's tactics in going after No-IP, however justified its motives were. "Does this action mean that Microsoft has now appointed itself as the Internet Sheriff who will now clean up the place?" Honan asked.

Honan said Microsoft didn't provide No-IP a chance to defend itself in court, and thereby prevent its services from being impacted. Microsoft has set a precedent, which other companies could use "to impact legitimate service providers who they feel are not living up to an undetermined standard for responding to abuse requests," Honan said.

Microsoft in mid-June filed a complaint against No-IP in a Nevada federal court contending that No-IP's dynamic domain name services were being used to distribute two botnet software tools, Bladabindi and Jenxcus, and facilitate the distribution of more than 200 other malware products.

In the suit, Microsoft accused No-IP of providing the Kuwait and Algeria-based creators of Bladabindi and Jenxcus an infrastructure for distributing the tools to millions of Windows systems around the world. Microsoft claimed that hundreds of bad actors had downloaded the malware tools from No-IP's domains and infected computers with them.

Microsoft said that according to its research, No-IP domains were used 93% of the time for infecting computers with the Bladabindi and Jenxcus malware tools. Though No-IP should have known its domains were being used extensively for malicious purposes, it did nothing about it, Microsoft charged.

"Defendant has a contractual obligation to take reasonable and prompt steps to investigate and respond to reports of Internet or computer abuse," but failed to live up to it, Microsoft said in its complaint.

On June 30, the federal court issued an order making Microsoft the Domain Name System authority for 23 No-IP domains. That order let the company reroute all traffic bound for those domains to a Microsoft server instead. Requests for the IP address of any No-IP domain linked with malware activity would be directed to a Microsoft "sinkhole" system to record the date and time of the request as well as the IP address of the requesting computer.

In a blog post, Microsoft assistant general counsel Richard Boscovich said the No-IP takedown has the potential of becoming one of its largest ever in terms of infection cleanup. "We're taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi and Jenxcus family of malware," he said.

Some security experts, however, questioned the company's tactics.

Johannes Ullrich, dean of research for the SANS Technology Institute, said Microsoft should have more strongly considered the potential for collateral damage. "This is similar to demolishing an entire block just because some houses are used to deal drugs," Ullrich said.

"While Microsoft has a legitimate claim against No-IP to protect its own interests, it should consider that its actions may cause harm to other legitimate businesses," he said.

As a larger problem, what is needed is a clear understanding of how fast and under what conditions "abuse" requests need to be handled by Internet service providers like No-IP, he said. "It is not clear if Microsoft worked with No-IP or not," he noted.

Even if No-IP was unresponsive, Microsoft should have given the company more warning, and then ensured that impact to legitimate services was minimized by transitioning gradually or by being more selective in its interception, he said.

"What gave Microsoft the right to decide that No-IP's abuse management processes were not operating as expected and indeed against what norms was Microsoft measuring No-IP's capabilities against?" he asked.

Microsoft may also have infringed on the privacy rights of legitimate No-IP customers by having their Internet traffic routed through its servers, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is


Copyright © 2014 IDG Communications, Inc.
