Sorry, chaps! We didn't mean to steamroller legit No-IP users – Microsoft
Meanwhile, miscreants are DDoSing the hapless DNS provider
Updated Microsoft has admitted that it did disrupt a significant number of legitimate users of No-IP's dynamic DNS service, but says the problem is now sorted out.
"Yesterday morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners' knowledge through the abuse of No-IP, an Internet solutions service," David Finn, associate general counsel of Redmond's Digital Crimes Unit, told The Reg in a statement.
"Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6am Pacific time today, all service was restored. We regret any inconvenience these customers experienced."
The problems occurred after Microsoft was granted a temporary restraining order against No-IP by a Nevada judge that transferred 22 domains to Redmond. The injunction was granted because the Microsoft security team showed evidence that malware writers were using No-IP's services to sell and control nearly 250 types of malware, and in particular the Windows-targeted trojans Bladabindi and Jenxcus.
Under the terms of the court decision, the DNS lookups for the domains were passed to Microsoft's name servers, with the plan being that Redmond would filter out No-IP subdomains linked to malicious activity and let legitimate subdomains resolve as expected. Sadly, this didn’t work and No-IP estimated four million customers were left without service.
Microsoft's takeover of No-IP's domains may have pissed off the DNS firm's customers, but the security industry has rallied around the move. Kaspersky Lab expert Costin Raiu said the power grab has crippled command-and-control systems for many malware operators.
"Based on our statistics, the shutdown has affected in some form at least 25 per cent of the APT groups we are tracking," he said. "Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 220.127.116.11."
As for No-IP; well, the week just got a whole lot worse. Today it was hit by a major distributed denial-of-service attack that crippled the company's website temporarily, and is causing its engineering team some major headaches. ®
Updated to add
No-IP has beaten off the DDoS attack, but the company is disputing Microsoft's claim that everything is fine and dandy for its customers.
"Services were not restored at 6am, in fact they are still not up at this moment," spokeswoman Natalie Goguen told The Register.
"At 6am, they seemed to make a change to forward on the good traffic, but it didn’t do anything. Although they seem to be trying to take corrective measures, DNS is hard, and they don’t seem to be very good at it."