
It was the equivalent of using a nuclear bomb to kill a cloud of gnats and Microsoft pulled the trigger.

Microsoft had the purest of intentions when it decided to shut down a persistent malware network by seizing control of 22 domain names by virtue of a court order from a Nevada judge.


Microsoft's legal action knocked millions of hostnames offline at No-IP, a dynamic DNS provider whose paid and free tiers offer DNS services, email, network monitoring and SSL certificates.

Microsoft was going after a malware network believed to be responsible for infecting over 7.4 million Windows computers around the world when it choked No-IP.

It said the unknown cyber attackers leveraged two malware families, or remote-access Trojans known as "njrat" and "njw0rm," which were using No-IP's services to ensure that computers infected with these malware families would always be able to reach the Internet servers the cyber attackers were using to control them.

Microsoft told a Nevada court that cybercriminals behind these two malware families were using over 18,400 hostnames that belonged to No-IP. The Nevada court granted Microsoft the authority to temporarily seize control over 22 domains owned by No-IP.

This number, however, was basically all of the domains that power No-IP's free dynamic DNS services.

Dynamic DNS services are used to map domain names to numeric Internet addresses. The largest users of dynamic DNS services are home Internet users that want to have a domain name that will always point back to their computer no matter how many times their ISP changes the numeric Internet address assigned to their computers.

Vitalwerks LLC, parent company of No-IP, said Microsoft then began redirecting traffic for the seized domains to its "DNS sinkhole." It said this action affected malicious and non-malicious users alike despite Microsoft's statement of intent to the contrary. The company claimed many of its legitimate users were down all day.

A DNS sinkhole (also called a blackhole DNS server) is a DNS server that deliberately answers queries for the names it controls with false data, typically an address the operator owns or one that routes nowhere, so that clients can no longer reach the real hosts behind those names. Defenders use sinkholes to cut infected machines off from their controllers and to log which clients are still trying to phone home. The catch is granularity: a sinkhole configured at the apex of a shared domain swallows every hostname beneath it, which is why seizing 22 apex domains took down far more than the 18,400 hostnames Microsoft named.
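The granularity problem is easiest to see in code. The following is an added example written for this page, not anything run by Microsoft, No-IP or the court; the domain names, addresses and "malicious" hosts are all constructed (using RFC 5737 documentation ranges). It models a tiny authoritative resolver for two shared dynamic DNS apex domains and compares two ways of sinkholing the attacker hosts: seizing the whole apex, as happened here, versus a hostname-level blocklist. Each run reports how many malicious hosts were blocked, how many were missed, how many legitimate users went dark, and whether a controller registered after the blocklist was drawn up would still be caught.

```python
"""Apex seizure vs. hostname blocklist in a DNS sinkhole (constructed demo)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# TEST-NET-1 address standing in for the sinkhole operator's collector.
SINKHOLE_IP = "192.0.2.1"

# Constructed zone data: two free DDNS apex domains shared by many users.
# Two hostnames play the part of remote-access-Trojan controllers.
RECORDS: Dict[str, str] = {
    "alice-cam.ddns-example.net": "203.0.113.10",
    "bobs-nas.ddns-example.net": "203.0.113.11",
    "payroll-vpn.ddns-example.net": "203.0.113.12",
    "c2-update.ddns-example.net": "198.51.100.7",   # constructed RAT controller
    "home-server.dyn-example.org": "203.0.113.20",
    "njw-panel.dyn-example.org": "198.51.100.8",    # constructed RAT controller
}
MALICIOUS: Set[str] = {"c2-update.ddns-example.net", "njw-panel.dyn-example.org"}

# A controller the attackers bring up *after* the blocklist was compiled.
LATE_C2 = "fresh-c2.ddns-example.net"


@dataclass
class SinkholeResolver:
    """Minimal authoritative resolver with two sinkholing strategies.

    seized_apexes: apex domains handed to the sinkhole operator; every label
                   underneath them is answered with SINKHOLE_IP.
    blocked_hosts: exact hostnames to sinkhole; everything else resolves normally.
    """
    records: Dict[str, str]
    seized_apexes: Set[str] = field(default_factory=set)
    blocked_hosts: Set[str] = field(default_factory=set)
    log: List[Tuple[str, str]] = field(default_factory=list)

    def resolve(self, name: str) -> Optional[str]:
        name = name.rstrip(".").lower()
        if name in self.blocked_hosts:
            self.log.append(("sinkhole", name))
            return SINKHOLE_IP
        # Apex match: the name is the apex itself or ends in ".<apex>".
        if any(name == a or name.endswith("." + a) for a in self.seized_apexes):
            self.log.append(("sinkhole", name))
            return SINKHOLE_IP
        ip = self.records.get(name)
        self.log.append(("answer" if ip else "nxdomain", name))
        return ip


def collateral_report(resolver: SinkholeResolver) -> Dict[str, int]:
    """Resolve every known name and tally who ended up in the sinkhole."""
    sinkholed = {n for n in RECORDS if resolver.resolve(n) == SINKHOLE_IP}
    return {
        "malicious_blocked": len(sinkholed & MALICIOUS),
        "malicious_missed": len(MALICIOUS - sinkholed),
        "legitimate_down": len(sinkholed - MALICIOUS),
        "late_c2_blocked": int(resolver.resolve(LATE_C2) == SINKHOLE_IP),
    }


def apex_seizure() -> Dict[str, int]:
    """What a court-ordered transfer of the apex domains does to the zone."""
    r = SinkholeResolver(RECORDS, seized_apexes={"ddns-example.net", "dyn-example.org"})
    return collateral_report(r)


def targeted_blocklist() -> Dict[str, int]:
    """What sinkholing only the named hostnames does to the zone."""
    r = SinkholeResolver(RECORDS, blocked_hosts=set(MALICIOUS))
    return collateral_report(r)


if __name__ == "__main__":
    print("apex seizure     :", apex_seizure())
    print("hostname blocklist:", targeted_blocklist())
```

Apex seizure catches both controllers and the late-registered one, but takes all four legitimate users down with them; the hostname blocklist has zero collateral but misses any controller registered after the list was compiled. That trade-off is the whole dispute between Microsoft and No-IP in miniature.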

The company said that while Microsoft claimed there were over 18,000 malicious hostnames involved, it could only find about 2,000 from that list. Some four million hostnames remain offline, with customer support requests piling up.