This is rather crazy. I haven't heard any word on what they're doing for paying customers. Currently all no-ip domains seem to be inoperable.
Does anyone know why Microsoft was able to do this?
You know, most of the malware on the internet is due to Microsoft security bugs, down with Microsoft! On a more serious note, No-IP serves a massive amount of customers, legit and non-legit. How in the world are they supposed to monitor their entire client base? Not to mention the fact that neither DNS nor No-IP's services transfer any of the malicious data they are talking about, so they would have to intentionally intrude on their users using services they do not provide to do this, which is probably illegal for them to do (port scans, pentesting tools, etc). This isn't an ISP that can monitor their traffic using NIDS solutions here. At best they might be able to employ Spamhaus blocking, which isn't going to make that big of a dent on botnets, and they might already use it anyway. We and Microsoft have no way of knowing because they simply did not ask. Hammers can be used to crush skulls. I propose the court system bans hammers, saws, chainsaws, and all other tools nationwide because of this possibility. If you want to hang up a picture on your wall, you're going to have to hire a licensed hammer administrator. The hammer argument is actually more valid than this No-IP argument. Hammers can be directly used to harm individuals. DNS cannot be directly used to harm or exploit computers, or at least isn't in this case. That being said, I honestly don't think that the legal system will put up with this for multiple reasons. One, No-IP didn't get to defend themselves. While it may possibly be legal itself, once they do they will win any lawsuit they press. Microsoft likely knows this, too, and is willing to accept the monetary losses here because they feel they are doing what is best for internet security. This likely also directly interfered with US intelligence, to be honest. Undercover agents can't use "dynamicname.noip.fbi.gov" or "dynamicname.noip.cia.gov" when investigating cybercrime or international terrorism. They likely use these services too when investigating.
Congratulations Microsoft, you not only pissed off every technologically savvy person in the world, including server administrators, gamers, and programmers, but you also just pissed off the US government. Have fun with that.
I'm no expert on this stuff, but what about those "best practices" they're talking about? Anything to it?
Great question. It made me re-read their statement a few times and I think it all boils down to the following they stated: Thinking about NIDS a bit more, it might actually apply to DNS more than I had originally stated (I have never administered a public DNS server, only a small private one that I use mostly for domain shortcuts across computers). I think I might have been a bit too infuriated by their response rather than actually thinking through the processes a bit more. No-IP can probably use NIDS in a way that listens to the incoming traffic requesting specific domains, and identify that certain subdomains or certain accounts are bringing in a ton of known identified malware bots. This coincides with my mentioning of Spamhaus in my first comment, which is a spam and malware IP blacklist and whitelist. Anyway, here is an article by Reuters which is a bit more informative: http://www.reuters.com/article/2014/06/30/us-cybercrime-microsoft-idUSKBN0F52A920140630

Okay so it's been around for a while, at least a year. It's also widespread, which doesn't warrant anything like this since malware in general is already widespread. You've just described a ton of existing malware here, nothing new. Someone just decided to make another. In general, this happens every day.

"Vitalwerks and (operational subsidiary) No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity," spokeswoman Natalie Goguen said in a statement.

So they do have existing abuse policies and abuse teams. This ultimately can be described through a couple of analogies. First, foreign policy and terrorism. "Fight them there so they don't bring the fight to us" type thing. With the nation of Windows Defender, though, they could easily have just blocked the No-IP domains to protect their users without causing so much disruption.
People could actually choose to connect to these servers if they desire, or stay within the confines of their safe Windows Defender nation. But that's ultimately not what we do when we connect to the internet. We might be just sitting here [with our computers on/in our homes] and a [virus/terrorist] might decide to [connect and infect us/shoot at us] without any intervention or passport. That being said, people on Windows Defender would still have been protected, that passport would have been checked, and those terrorists wouldn't be allowed to shoot. The second analogy is that you have an anthill on your property. You decide to use poison to kill the queen and destroy the nest. This is not what Microsoft did here. They decided to put up a fence around the property and lock everyone in, despite the property not belonging to them. I guess it's a little more complicated than I thought, but I still think that legal action without informing No-IP's abuse department was clearly overstepping their bounds, and not working in accordance with best practices of human beings.

On June 26, the court granted our request and made Microsoft the DNS authority for the company's 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. The new threat information will be added to Microsoft's Cyber Threat Intelligence Program (CTIP) and provided to Internet Service Providers (ISPs) and global Computer Emergency Response Teams (CERTs) to help repair the damage caused by Bladabindi-Jenxcus and other types of malware.
He said it would take days to determine how many machines were infected, but noted that the number could be very large because Microsoft's anti-virus software alone has detected some 7.4 million infections over the past year and is installed on less than 30 percent of the world's PCs.
The malware has dashboards with point-and-click menus to execute functions such as viewing a computer screen in real time, recording keystrokes, stealing passwords and listening to conversations, according to documents filed in U.S. District Court in Nevada on June 19 and unsealed Monday.
Vitalwerks said Microsoft's actions have disrupted service for millions of Internet users.
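The comment above speculates that a dynamic-DNS provider could watch the queries arriving at its own authoritative servers and spot hostnames or accounts that are overwhelmingly looked up by addresses already on a blacklist such as Spamhaus. The script below is an added illustration of that idea; it is not code from this thread, from No-IP or from Microsoft. It assumes a hypothetical query-log format of "client_ip queried_name" per line, a constructed blocklist of RFC 5737 documentation addresses (not real indicators), and a constructed hostname-to-account mapping, and it reports which hostnames and accounts exceed a bad-client ratio so an abuse team could review them.

```python
"""Flag dynamic-DNS hostnames queried mostly by known-bad client addresses.

Added example: the log format, blocklist and account mapping are all
constructed for this demonstration and are not real indicators.
"""
from collections import defaultdict

# Constructed blocklist (RFC 5737 documentation ranges, not real IoCs).
KNOWN_BAD_IPS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Constructed query log in the hypothetical "client_ip queried_name" format.
SAMPLE_LOG = """\
192.0.2.10 cnc-host.example-dyn.test
192.0.2.11 cnc-host.example-dyn.test
198.51.100.7 cnc-host.example-dyn.test
203.0.113.5 cnc-host.example-dyn.test
203.0.113.8 home-nas.example-dyn.test
203.0.113.9 home-nas.example-dyn.test
192.0.2.10 home-nas.example-dyn.test
malformed line that should be skipped
"""

# Constructed mapping of hostname to the customer account that registered it.
ACCOUNT_OF_HOSTNAME = {
    "cnc-host.example-dyn.test": "acct-1001",
    "home-nas.example-dyn.test": "acct-2002",
}


def parse_log(text):
    """Return (client_ip, queried_name) tuples, skipping blank/malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 2:
            continue  # ignore anything that is not exactly "ip name"
        records.append((parts[0], parts[1].lower()))
    return records


def score_hostnames(records, bad_ips):
    """Count total queries and blocklisted-client queries per hostname."""
    stats = {}
    for ip, name in records:
        entry = stats.setdefault(name, {"total": 0, "bad": 0, "bad_ips": set()})
        entry["total"] += 1
        if ip in bad_ips:
            entry["bad"] += 1
            entry["bad_ips"].add(ip)
    return stats


def flag_hostnames(stats, min_queries=3, min_bad_ratio=0.5):
    """Return sorted (hostname, bad, total) for names over both thresholds.

    min_queries avoids flagging a hostname on one or two stray lookups;
    min_bad_ratio requires that most of its clients are already blocklisted.
    """
    flagged = []
    for name, entry in stats.items():
        if entry["total"] < min_queries:
            continue
        if entry["bad"] / entry["total"] >= min_bad_ratio:
            flagged.append((name, entry["bad"], entry["total"]))
    return sorted(flagged)


def flagged_accounts(flagged, account_of_hostname):
    """Group flagged hostnames by the account that owns them."""
    by_account = defaultdict(list)
    for name, _bad, _total in flagged:
        by_account[account_of_hostname.get(name, "unknown")].append(name)
    return dict(by_account)


def run_report(log_text=SAMPLE_LOG, bad_ips=KNOWN_BAD_IPS):
    """Run the whole pipeline and return the flagged hostnames and accounts."""
    stats = score_hostnames(parse_log(log_text), bad_ips)
    flagged = flag_hostnames(stats)
    return flagged, flagged_accounts(flagged, ACCOUNT_OF_HOSTNAME)


if __name__ == "__main__":
    hosts, accounts = run_report()
    for name, bad, total in hosts:
        print(f"review {name}: {bad}/{total} queries from blocklisted clients")
    for acct, names in accounts.items():
        print(f"account {acct}: {', '.join(names)}")
```

On the constructed log, cnc-host.example-dyn.test is flagged (three of four lookups come from blocklisted addresses) while home-nas.example-dyn.test is not (one stray lookup out of three). The ratio threshold matters more than raw volume: a popular legitimate hostname will receive some queries from infected machines, so counting absolute hits alone would produce exactly the kind of collateral damage the thread complains about.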
I know, the whole thing is just completely ridiculous. I don't know what they were planning with this, but they definitely overstepped some boundaries.