Microsoft takes down legitimate servers during attack on malware sites
Dynamic DNS (domain name system) addresses have become a casualty in a war on malware websites. Legitimate servers were not the target of the takedown instituted by Microsoft, but became victims nonetheless after the company executed a legal attack in an effort to stop malware providers attacking Windows PCs.
According to security researcher Brian Krebs, “In its latest bid to harness the power of the U.S. legal system to combat malicious software and cybercrooks, Microsoft convinced a Nevada court to grant the software giant authority over nearly two dozen domains belonging to no-ip.com, a company that provides dynamic domain name services”.
The malware in question belongs to two separate families, njrat and njworm. Both were being distributed through dynamic DNS (DDNS) via No-IP. The dynamic aspect assured the criminals that infected PCs would be able to stay in contact with their controllers even as those controllers' IP addresses changed.
Microsoft told authorities that it would filter out the malware and allow legitimate traffic to continue to flow, but according to Krebs, this didn’t happen. “Microsoft was supposed to filter out the traffic flowing to and from those 18,400+ hostnames, and allow the remaining, harmless traffic to flow through to its rightful destination. But according to no-ip.com marketing manager Natalie Gogun, that’s not at all what happened”. In a statement, the provider claims “Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors”.
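As an added illustration, not from the article or from either company, the following script contrasts the two approaches the article describes: filtering only the hostnames tied to the malware versus sinkholing the provider's whole zones. The DNS log lines, zone names and hostnames are constructed placeholders, not real indicators.

```python
from collections import Counter

# Constructed sample DNS query log (timestamp, client, type, qname).
# Zones and hostnames are placeholders standing in for a dynamic-DNS
# provider's domains; none of them are real indicators.
SAMPLE_LOG = """\
2014-06-30T10:00:01 10.0.0.5 A c2-placeholder.ddns-zone-1.example
2014-06-30T10:00:02 10.0.0.7 A home-camera.ddns-zone-1.example
2014-06-30T10:00:03 10.0.0.9 A office-vpn.ddns-zone-2.example
2014-06-30T10:00:04 10.0.0.5 A sub.c2-placeholder.ddns-zone-1.example
2014-06-30T10:00:05 10.0.0.8 A www.unrelated.example
"""

KNOWN_BAD = {"c2-placeholder.ddns-zone-1.example"}            # hostnames tied to the malware
SEIZED_ZONES = {"ddns-zone-1.example", "ddns-zone-2.example"}  # the provider's whole domains

def parse_log(text):
    """Yield (client_ip, qname) per query line; qnames lowercased, trailing dot stripped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            yield parts[1], parts[3].lower().rstrip(".")

def in_zone(qname, zone):
    """True if qname is zone itself or any name beneath it."""
    return qname == zone or qname.endswith("." + zone)

def hostname_filter(qname, bad=KNOWN_BAD):
    """Block only the abusive hostnames (and anything beneath them)."""
    return any(in_zone(qname, b) for b in bad)

def zone_sinkhole(qname, zones=SEIZED_ZONES):
    """Block every name under the seized zones, abusive or not."""
    return any(in_zone(qname, z) for z in zones)

def collateral(text, bad=KNOWN_BAD, zones=SEIZED_ZONES):
    """Return (blocked by both policies, blocked only by the zone sinkhole) as Counters."""
    both, extra = Counter(), Counter()
    for _, qname in parse_log(text):
        if hostname_filter(qname, bad):
            both[qname] += 1
        elif zone_sinkhole(qname, zones):
            extra[qname] += 1
    return both, extra

if __name__ == "__main__":
    both, extra = collateral(SAMPLE_LOG)
    print("blocked either way:", dict(both))
    print("legitimate names hit only by the zone sinkhole:", dict(extra))
```

The second counter is the collateral damage: every hostname a zone-level seizure breaks that a hostname-level filter would have left alone.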
No-IP is currently working with authorities and Microsoft to restore legitimate traffic, but thus far, outages remain. While stopping cybercriminals and preventing malware is a worthy cause, the company may have gone too far in this case.