No-IP Microsoft Takedown: When Good Intentions Go Bad

I know a lot of you haven't heard from me for a while - I'm still sorting through and typing up all the INCREDIBLE information I received from the 2014 Maryland Cybersecurity Symposium. However, today I had to take a break from all this, because of current events affecting users on the Internet.

In case you hadn't heard, Microsoft convinced a federal court to seize 22 of's domains, taking down most of No-IP's free subdomains and impacting millions of users. Microsoft's justification was that subdomains are used by malware creators.

According to No-IP, Microsoft's intention was only to "filter out" the bad sub-domains, and continue to serve traffic for the valid ones.  However, Microsoft's infrastructure was unable to handle the load, and stopped serving No-IP content completely. Even if Microsoft's infrastructure would have been able to handle the load, the privacy implications for this kind of court order are astounding, and disturbing.

To put this in context, this would be no different from another company convincing a Federal court to seize or "because spammers and scammers use it to contact victims". Then, monitor every single email address, and make sure it's not being used by a scammer.

Disturbed yet? You should be.  Common uses for No-IP include VPN/remote desktop to home systems, monitoring home security systems and IP-cameras, and private game servers. And the only way Microsoft would know for sure if a domain was used by a malware creator would be to inspect the traffic for each and every subdomain.  It's no wonder Microsoft's infrastructure wasn't able to handle the load.

Another use which I have personally used No-IP for in the past on multiple occasions is for seeding honeypot URLs. You can see some of the results of my honeypot over at the CaffSec Malware Analysis Lab, including a LOT of previously unknown malware. So, in Microsoft's attempts to make the Internet a safer place, they have seriously hindered my (and most likely others') honeypots ability to collect new malware samples.

Additionally - sometimes it's not always the right step to shutdown a malware command and control center. Sometimes, the better approach is to simply monitor the known command and control center, in order to trace back its origins.  Otherwise, when that C&C server is shutdown, investigators lose future sources of intelligence.  It is sometimes much more effective to monitor malware creators than play a never-ending game of whack-a-mole with their servers.

So, with that said, who's going to step up to the plate and sieze Microsoft's free email system? I'm sure they won't mind, since they had no problems seizing domains from No-IP.

No comments:

Post a Comment