You may have missed the news yesterday, but Microsoft coordinated a takeover of over 20 domain names held by dynamic DNS company NoIP. Microsoft took control of the 20 domains NoIP offers to customers as free dynamic DNS subdomains. In doing so, Microsoft was seeking to disable domains used by a couple of malware attacks that were being carried out using NoIP’s free address and DNS services. The downside to yesterday’s takeover is that millions of innocent users of NoIP’s services have been affected. For its part, Microsoft says it was a technical error that should be corrected; however, the domains I use with NoIP’s free service are still not resolving more than 24 hours later.
For customers, neither company is really doing what’s in the best interest of the general public. Microsoft may be playing the white knight seeking to put down malware providers, but by taking over all of NoIP’s free domain names, its 18,472 targets were only a small percentage of the millions of addresses that have been taken offline for legitimate users. To me, Microsoft clearly overstepped here.
And, does Microsoft want to talk about how its own software is the underlying cause of the malware attacks and how the two targeted malware families, Jenxcus and Bladabindi, operate on Windows? Microsoft should also be examining how to prevent unauthorized software from executing in Windows, which is the larger root cause of this whole debacle. Signed software and software execution policies should be the norm at this point in an operating system. Microsoft should be looking at giving administrators and users whitelisting capabilities at the root of its OS, and it should be doing more to prevent these things from running to begin with. I’m not going to knock Microsoft’s responsiveness to issues when exposed, but what is Microsoft really doing to cut down on attack surface in its OS? It doesn’t look like much to me.
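As an added illustration of what an allow-list execution policy looks like in practice on Windows (example code added here, not the author’s), the following builds a baseline AppLocker policy from a reference machine’s OS and Program Files directories, starts it in audit-only mode so legitimate software is not blocked before the log has been reviewed, and dry-runs the policy against a file in a user-writable location. The directory list, the sample file path and the output file names are assumptions for illustration.

```powershell
# Added example (not from the post): build an allow-list execution policy with
# AppLocker's built-in PowerShell module (Windows 7 / Server 2008 R2 or later).
# Run from an elevated PowerShell prompt on a reference machine. The paths and
# the sample file name below are assumptions for illustration.
Import-Module AppLocker

# 1. Inventory the executables that are supposed to run: the OS and installed
#    software. A binary dropped anywhere else (a user profile, %TEMP%) will
#    match no rule and so is denied by default.
$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate rules: prefer publisher (code-signature) rules, fall back to
#    hash rules for unsigned binaries. -Optimize collapses per-file rules
#    into per-publisher/product rules where possible.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Start in audit mode: nothing is blocked yet, but every executable that
#    *would* have been blocked is logged as event ID 8003 in the
#    "Microsoft-Windows-AppLocker/EXE and DLL" log. Change AuditOnly to
#    Enabled once that log is quiet for legitimate software.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding utf8

# 4. Dry-run the policy against a file before applying it. A binary in a
#    user-writable location should come back as DeniedByDefault.
$sample = 'C:\Users\Public\unknown-download.exe'   # assumed sample path
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 5. Apply locally, merging with any existing policy, and make sure the
#    Application Identity service that AppLocker depends on is running.
#    (sc.exe is used because Set-Service cannot change this service's
#    start type on newer Windows builds.)
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. Review the effective policy and the most recent audit/block events
#    (8003 = would have been blocked in audit mode, 8004 = blocked).
Get-AppLockerPolicy -Effective -Xml |
    Out-File -FilePath (Join-Path $env:TEMP 'applocker-effective.xml') -Encoding utf8
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The policy only covers the Exe collection here; DLL, script and Windows Installer collections are built the same way with the corresponding `-FileType`, and the audit log is what tells you which legitimate software is still missing a rule before enforcement is switched on.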
NoIP asserts that of the 18,472 targets Microsoft was going after, fewer than 2,000 were active yesterday morning when the takeover occurred. Well, let’s be honest, if you knew nearly 2,000 subdomains active in malware attacks were there, why didn’t you do anything about it? NoIP should have been taking steps to stop known malware propagating through its service and should have been working with security researchers to put this out of business. NoIP should have been more responsive and should have proactively taken steps to work with third parties on complaints. The lack of cooperation has tarnished its reputation and will leave it in a precarious position as customers seek alternatives from other vendors.
In the wake of all of this are the customers, who should be cheering at a partially effective disablement of malware and jeering if they’re a legitimate NoIP user. I say it’s partially effective because the malware writers will adapt and change their tactics in light of this takeover. Microsoft has only delayed an inevitable re-flare of the problem because they’ve done nothing to fix the underlying problem – Windows.
I don’t often rant on my blog, but in this case, the NoIP takeover affects me as a legitimate user and I’m a full-time, senior-level Windows administrator who has to deal with the lack of built-in security functionality that Microsoft delivers to customers. For as much as Microsoft is trying to be the white knight, they seem to be missing their major obligation to patch and fix the main platform for distribution of malware – Windows… That’s my two cents.