Microsoft says it has carried out its 10th malware disruption, this time against malware that can spread via infected removable drives such as USB flash drives and can give an attacker backdoor access to a user’s computer.
Microsoft said today it filed a civil lawsuit on June 19 against two foreign nationals and a U.S. company, Vitalwerks Internet Solutions (doing business as No-IP.com), for their roles in “creating, controlling, and assisting in infecting millions of computers with malicious software.”
Microsoft is accusing Kuwaiti national Naser Al Mutairi and Algerian national Mohamed Benabdellah of writing and distributing the Bladabindi and Jenxcus malware, respectively. The company is accusing No-IP of owning infrastructure that cybercriminals frequently use to infect victims with the malware.
The Bladabindi malware family can steal sensitive information and give a hacker backdoor access to the victim’s PC. It can also download other malware. It can be spread through infected removable drives, malicious links, hacked websites or be downloaded by other malware.
Jenxcus is a worm that is typically bundled with other programs and that can be spread through removable drives. It can allow a victim’s PC to be controlled by a remote attacker.
Microsoft says the malware was detected more than 7 million times in the past year by Microsoft anti-virus products, though the company did not specify how many people or computers were infected.
Microsoft advises running the Microsoft Malicious Software Removal Tool, among other steps that are included in the links above.
As part of the disruption, Microsoft sought and was granted a court order making it “the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats,” Microsoft said.
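What that arrangement looks like in practice, and where it breaks, as an added example that is not Microsoft’s or No-IP’s code: the sinkhole operator becomes authoritative for the seized zones, answers hostnames on its bad list with a sinkhole address, and is supposed to pass every other hostname through to the original zone data. The zone names, hostnames, addresses and the pass-through capacity below are constructed placeholders (the page does not list the 23 domains), and the capacity counter is a deliberately crude stand-in for the query load No-IP says Microsoft’s infrastructure could not absorb.

```python
# Added example, not Microsoft's or No-IP's code. Models a selective DNS sinkhole
# for seized zones. All zones, hostnames and addresses are constructed; the
# address ranges are RFC 5737 documentation ranges.
from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.1"  # assumed address of the sinkhole server


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Host.Example-DDNS.net.' matches."""
    return name.rstrip(".").lower()


@dataclass
class SelectiveSinkhole:
    seized_zones: set            # zones the sinkhole operator is now authoritative for
    bad_hostnames: set           # hostnames classified as malware command-and-control
    origin_records: dict         # the registrar's own A records, used for good hostnames
    pass_through_capacity: int   # how many good-hostname lookups we can still serve
    stats: dict = field(default_factory=lambda: {
        "sinkholed": 0, "passed": 0, "nxdomain": 0, "servfail": 0, "refused": 0})

    def seized_zone_for(self, qname: str):
        """Return the seized zone that qname falls under, or None if not ours."""
        for zone in self.seized_zones:
            if qname == zone or qname.endswith("." + zone):
                return zone
        return None

    def is_bad(self, qname: str, zone: str) -> bool:
        """Bad if the name, or any parent name strictly below the zone apex, is listed.
        That way 'x.c2-node.<zone>' is caught by a listing of 'c2-node.<zone>'."""
        labels = qname.split(".")
        zone_len = len(zone.split("."))
        for i in range(len(labels) - zone_len):
            if ".".join(labels[i:]) in self.bad_hostnames:
                return True
        return False

    def answer(self, qname: str):
        """Return (rcode_or_action, address) for one A query."""
        qname = normalize(qname)
        zone = self.seized_zone_for(qname)
        if zone is None:
            self.stats["refused"] += 1
            return ("REFUSED", None)           # not a seized zone; not our query
        if self.is_bad(qname, zone):
            self.stats["sinkholed"] += 1
            return ("SINKHOLE", SINKHOLE_IP)    # known-bad: route to sinkhole
        if self.pass_through_capacity <= 0:
            self.stats["servfail"] += 1
            return ("SERVFAIL", None)           # good hostname, but we cannot serve it
        self.pass_through_capacity -= 1
        ip = self.origin_records.get(qname)
        if ip is None:
            self.stats["nxdomain"] += 1
            return ("NXDOMAIN", None)
        self.stats["passed"] += 1
        return ("NOERROR", ip)


# Constructed sample data standing in for the seized zones and their records.
SEIZED_ZONES = {"example-ddns.net", "example-dyn.org"}
BAD_HOSTNAMES = {"c2-node.example-ddns.net", "updater.example-dyn.org"}
ORIGIN_RECORDS = {
    "home-cam.example-ddns.net": "198.51.100.7",
    "nas.example-dyn.org": "198.51.100.9",
}
SAMPLE_QUERIES = [
    "c2-node.example-ddns.net",     # listed C2 hostname
    "x.C2-Node.example-ddns.net.",  # child of a listed hostname, odd case and trailing dot
    "home-cam.example-ddns.net",    # innocent customer hostname
    "nas.example-dyn.org",          # innocent customer hostname
    "nosuch.example-dyn.org",       # never existed
    "www.example.com",              # not under any seized zone
]


def run_demo(capacity: int):
    """Answer the sample queries with a fresh sinkhole of the given capacity.
    Returns (answers, stats). With capacity 1 the second innocent hostname goes dark."""
    sh = SelectiveSinkhole(SEIZED_ZONES, BAD_HOSTNAMES, dict(ORIGIN_RECORDS), capacity)
    answers = [sh.answer(q) for q in SAMPLE_QUERIES]
    return answers, sh.stats


if __name__ == "__main__":
    for cap in (10, 1):
        answers, stats = run_demo(cap)
        print(f"capacity={cap}: {stats}")
        for q, a in zip(SAMPLE_QUERIES, answers):
            print(f"  {q:32} -> {a}")
```

The point of the capacity counter is the last case: classification of bad hostnames keeps working regardless, but every good hostname under a seized zone now depends on the sinkhole operator having the resources to answer for it, which is the dependency No-IP says Microsoft did not meet.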
That move apparently caused a sizeable number of legitimate connections to go dark.
“Millions of hostnames have gone dark and millions of our users have been put out of service,” No-IP CEO Dan Durrer said in a blog post Wednesday.
No-IP had said, in a blog post earlier this week, that it was surprised by Microsoft’s actions:
We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives. …
We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.
Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users.
On Thursday, No-IP reported that all 23 domains that had been seized by Microsoft were now back in No-IP’s control. “It may take up to 24 hours for the DNS to fully propagate, but everything should be fully functioning within the next day,” No-IP said in a blog post.