Things You Should Know About Malware

Microsoft took two malware networks down by assuming control of nearly two dozen domain names for sites from which the malware was being commanded and spread. Sounds like great news? The sites that were downed, both legitimate and malicious, used a Reno, Nevada-based dynamic DNS service called No-IP. Although Microsoft’s takedown was completely legal and sanctioned by a Nevada court, neither No-IP nor its legitimate customers were happy about Microsoft’s seemingly heavy-handed security strategies.

The Domain Name System (DNS) is what translates human-friendly text-based URLs, for example TomsGuide.com, into the computer-friendly numeric Internet Protocol (IP) addresses of Web servers, such as 54.186.192.133. Websites hosted using dynamic DNS services are a lot more reliable, because if an IP address changes, the DNS reconnects the right server with the right Web URL. Here is what happened: Hot on the heels of a cybercrime group in charge of propagating forms of malware called NJrat and NJw0rm (both remote access Trojans), Microsoft found the group was using No-IP’s dynamic DNS service to maintain links between its malware command-and-control servers and the infected computers.

Microsoft filed a charge on June 19 against two men it considered responsible for the malware: a Kuwaiti named Naser Al Mutairi and an Algerian named Mohamed Benabdellah. On June 26, the court gave Microsoft permission to take control of the 22 No-IP domain names that host No-IP’s free dynamic DNS services. In theory, Microsoft would just block the 18,400 malicious hostnames and let the millions of other legitimate accounts on the domain names continue unimpeded. In practice, it did not work out so nicely, at least from No-IP’s point of view. Yesterday, around four million No-IP hostnames went offline, and at the time of this posting, many are still not up and running. Nevertheless, Microsoft seemingly did succeed in shutting down the two malware efforts, along with several cyberespionage groups and other cybercrime activity globally.

No-IP’s CEO reportedly did not even know about the suspected malware activity on its service or the court order until yesterday, when someone rapped on his front door and handed him the court order. “We work with law enforcement on a regular basis, and our abuse section reacts to abuse requests within 24 hours … It is quite depressing that Microsoft needed to take such extraordinary measures to do this,” Natalie Goguen, No-IP’s marketing manager, told independent security researcher Brian Krebs. Now, it is No-IP’s word against Microsoft’s, but well-known cybercrime specialist Dmitri Alperovitch of security company CrowdStrike weighed in on the side of No-IP. “They’ve always been really receptive to security researchers and law enforcement,” Alperovitch told Krebs, adding that, “I don’t consider them a bulletproof or maltreatment-proof host,” referring to Web hosts that accept all customers, however dishonest, and promise they will keep websites up despite law enforcement attempts.

At the time of this posting, a warning that No-IP’s “domain names are however experiencing outages due to the Microsoft takedown” was still live on the company’s website. Despite the annoyance to No-IP and its customers, Microsoft’s action seems to have worked. Costin Raiu of security company Kaspersky Lab noted the strike disrupted not only the NJrat and NJw0rm malware families, but also several other advanced persistent threat (APT) groups, or state-sponsored online spies and saboteurs, that also used No-IP’s free service.

by admin on January 29th, 2015 in Windows
