Follow us:

Microsoft Pri0

Welcome to Microsoft Pri0: That's Microspeak for top priority, and that's the news and observations you'll find here from Seattle Times technology reporter Matt Day.

June 30, 2014 at 6:09 PM

Microsoft disrupts its 10th malware [updated]

Microsoft says it’s disrupted its 10th malware — one that could be spread by infected removable drives such as USB flash drives, and that could lead to giving backdoor access to a user’s computer.

Microsoft said today it filed a civil lawsuit on June 19 against two foreign nationals and a U.S. company, Vitalwerks Internet Solutions (doing business as, for their roles in “creating, controlling, and assisting in infecting millions of computers with malicious software.”

Microsoft is accusing Kuwaiti national Naser Al Mutairi and Algerian national Mohamed Benabdellah of writing and distributing the Bladabindi and Jenxcus malware, respectively. The company is accusing No-IP of owning infrastructure that cybercriminals frequently use to infect victims with the malware.

The Bladabindi malware family can steal sensitive information and give a hacker backdoor access to the victim’s PC.  It can also download other malware. It can be spread through infected removable drives, malicious links, hacked websites or be downloaded by other malware.

Jenxcus is a worm that is typically bundled with other programs and that can be spread through removable drives. It can allow a victim’s PC to be controlled by a remote attacker.

Microsoft says the malware was detected more than 7 million times in the past year by Microsoft anti-virus products, though the company did not specify how many people or computers were infected.

Microsoft advises using the Microsoft Malware Removal Tool, among other steps that are included in the links above.

Update 7/4/14:

As part of its disruption of the malware, Microsoft had sought, and been granted, a court order letting Microsoft become the “the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats,” Microsoft said.

That move apparently caused a sizeable number of legitimate connections to go dark.

“Millions of hostnames have gone dark and millions of our users have been put out of service,” No-IP CEO Dan Durrer said in a blog post Wednesday. 

No-IP  had said, in a blog post earlier this week, that it was surprised by Microsoft’s actions:

We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives. …

We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.

Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users.

On Thursday, No-IP reported that all 23 domains that had been seized by Microsoft were now back in No-IP’s control. “It may take up to 24 hours for the DNS to fully propagate, but everything should be fully functioning within the next day,” No-IP said in a blog post.

Comments | More in Microsoft | Topics: malware


No personal attacks or insults, no hate speech, no profanity. Please keep the conversation civil and help us moderate this thread by reporting any abuse. See our Commenting FAQ.

The opinions expressed in reader comments are those of the author only, and do not reflect the opinions of The Seattle Times.

The Seattle Times

The door is closed, but it's not locked.

Take a minute to subscribe and continue to enjoy The Seattle Times for as little as 99 cents a week.

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited content access is included with most subscriptions.

Subscriber login ►
The Seattle Times

To keep reading, you need a subscription upgrade.

We hope you have enjoyed your complimentary access. For unlimited access, please upgrade your digital subscription.

Call customer service at 1.800.542.0820 for assistance with your upgrade or questions about your subscriber status.

The Seattle Times

To keep reading, you need a subscription.

We hope you have enjoyed your complimentary access. Subscribe now for unlimited access!

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited content access is included with most subscriptions.

Activate Subscriber Account ►