No-IP domains used by Bladabindi-Jenxcus malware 93% of the time

Jul 1, 2014 07:44 GMT

On Monday, in another effort to disrupt malware activity, Microsoft served a federal court order on No-IP.com, a U.S.-based dynamic DNS provider; the order put name resolution for the No-IP domains under the Redmond company's control.

Twenty-three free domain names were seized because they were being used in crimes involving two malware families, Bladabindi (NJrat) and Jenxcus (NJw0rm), both of which collect sensitive information from the victim's computer.

No-IP released a statement saying that it was never contacted about the seizure or asked to block any sub-domains, a request with which it says it would have complied given the circumstances.

However, routing the traffic through Microsoft's systems appears to have caused trouble of its own, as millions of No-IP clients experienced service outages.

According to the dynamic DNS provider, “the Microsoft infrastructure is not able to handle the billions of queries from our customers.”

By taking control of the domain names, Microsoft can disrupt communication between infected computers and their command-and-control servers: traffic identified as malicious is redirected to a Microsoft-operated sinkhole instead of reaching the attackers.

The action is the result of a civil case, filed on June 19, in which Microsoft names two foreign individuals and Vitalwerks Internet Solutions, LLC (the operator of No-IP.com) as participants in malicious online activity that harmed Microsoft and its customers.

Cybercriminals used No-IP's infrastructure to deliver the malware through more than 18,000 sub-domains, claiming victims worldwide.

Richard Domingues, assistant general counsel for Microsoft's Digital Crimes Unit, said in a blog post that the authors and owners of the NJrat and NJw0rm malware were Kuwaiti and Algerian nationals (Naser Al Mutairi, aka njQ8, and Mohamed Benabdellah, aka Houdini), and that they had published complete instructions for taking control of infected computers.

According to Microsoft's data, Bladabindi and Jenxcus infections relied on No-IP domains in 93% of cases. Over the past year, the company's detection software has identified more than 7,486,833 Windows computers infected with variants of Bladabindi or Jenxcus.
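That 93% figure is a cheap triage signal for defenders: internal hosts resolving names under No-IP's free apex domains deserve a closer look. The following is an added example, not code from the article, Microsoft or No-IP; the apex list is an assumption based on the free domains No-IP publicly offers, the log lines are constructed in BIND query-log format, and the function names are the editor's.

```python
import re
from collections import defaultdict

# Assumed set of No-IP free apex domains (not listed in the article);
# extend it from the provider's current public list as needed.
NOIP_APEX = {
    "no-ip.org", "no-ip.biz", "no-ip.info", "hopto.org", "zapto.org",
    "ddns.net", "myftp.org", "myftp.biz", "servehttp.com", "serveftp.com",
    "redirectme.net", "sytes.net",
}

# Matches a BIND-style query log line: "client <ip>#<port>: query: <qname> IN <qtype>"
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def is_noip_host(qname: str) -> bool:
    """True if qname is a sub-domain of a No-IP apex.

    Matching is done on label boundaries, so 'notno-ip.org' does not match,
    and a query for the bare apex (e.g. the provider's own site) is ignored.
    """
    labels = qname.rstrip(".").lower().split(".")
    # Try every proper suffix with at least one label in front of it.
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in NOIP_APEX:
            return True
    return False


def flag_noip_queries(log_lines):
    """Return {source_ip: sorted No-IP hostnames it queried}, skipping unparsable lines."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_noip_host(m["qname"]):
            hits[m["src"]].add(m["qname"].rstrip(".").lower())
    return {src: sorted(names) for src, names in hits.items()}


# Constructed sample log (not real traffic): two hits, one near-miss, one apex, one junk line.
SAMPLE_LOG = [
    "01-Jul-2014 07:44:01.123 client 10.0.0.5#53211: query: host1234.no-ip.biz IN A + (10.0.0.2)",
    "01-Jul-2014 07:44:02.456 client 10.0.0.5#53212: query: www.example.com IN A + (10.0.0.2)",
    "01-Jul-2014 07:44:03.789 client 10.0.0.9#53213: query: update.hopto.org. IN A + (10.0.0.2)",
    "01-Jul-2014 07:44:04.000 client 10.0.0.9#53214: query: notno-ip.org IN A + (10.0.0.2)",
    "01-Jul-2014 07:44:05.000 client 10.0.0.7#53215: query: no-ip.org IN A + (10.0.0.2)",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for src, names in flag_noip_queries(SAMPLE_LOG).items():
        print(f"{src} queried No-IP names: {', '.join(names)}")
```

A hit is a lead, not a verdict: No-IP has many legitimate users, so the flagged hosts are candidates for review against the sinkhole or endpoint telemetry rather than automatic blocks.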

However, the figure could be much larger, since that count covers only Microsoft's products while the same threats are also detected by other antivirus vendors.

A Cisco report released in February of this year found No-IP domains to be the most abused for malware campaigns, with more than 60,000 recorded malware samples.

Despite its efforts to keep cybercrime off its infrastructure, through constant network scans and sophisticated filtering, Vitalwerks admits that criminals such as scammers, spammers and malware distributors still find ways to conduct their business through the company's services.