Microsoft Takes Down Bladabindi and Jenxcus Botnets

Microsoft uses both legal and technical means to shut down a malware network affecting millions of PCs, the tenth such action from the company.

Microsoft botnet takedown

Microsoft's security division hit a big milestone this week.

Richard Domingues Boscovich, an attorney with Microsoft's Digital Crimes Unit, announced in a June 30 statement that the company flexed its legal muscle leading to the company's tenth "malware disruption," and the third such action since the Microsoft Cybercrime Center opened its doors in November. The company got the ball rolling on June 19, filed a civil case against Mohamed Benabdellah and Naser Al Mutairi, two foreign nationals, according to Microsoft. The action underscores how cyber-security has become a global concern.

"In the past, we've predominately seen botnets originating in Eastern Europe; however, the authors, owners and distributors of this malware are Kuwaiti and Algerian nationals," added Domingues Boscovich.

On June 30, Microsoft's Digital Crimes Unit tweeted, "Cybercrime knows no borders: @MicrosoftDCU disrupts spread of malware with roots in the Middle East".

Also in Microsoft's cross hairs was Vitalwerks Internet Solutions, a DNS provider doing business as, "for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software," he said. The company detected 7.4 million infections over the past year, not including infections spotted by other anti-virus providers.

Microsoft is "taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware," said Domingues Boscovich. Of all Dynamic DNS providers, the company's research showed that "No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains."

Microsoft Malware Protection Center researchers Tanmay Ganacharya and Francis Tan Seng detailed in a blog post how Bladabindi and Jenxcus leveraged No-IP to spread and avoid detection.

"These backdoor trojans can also upload new components or malware to your computer to add more malicious functionality. They often communicate with hosts that are typically a Dynamic DNS [Domain Name System] service such as NO-IP because this makes them more difficult to trace," they explained

After the June 19 court filing against Benabdellah, Al Mutairi and Vitalwerks, Microsoft got to work on shutting down the botnet created by Bladabindi and Jenxcus.

The U.S. District Court for Nevada granted Microsoft's request to make it the DNS authority for Vitalwerks's 23 free No-IP domains. This allowed Microsoft to "identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats."

In effect, Microsoft has wrested control of the botnets that sprout up in the wake of Bladabindi and Jenxcus, which differed from most botnets. "A traditional botnet usually has one command-and-control (CNC) server to control all infected machines. In the case of Bladabinda and Jenxcus, there can be a syndicate of botnets and thousands of botnet herders," stated the Microsoft Malware Protection Center researchers.

Going forward, Microsoft will be keeping an eye on free Dynamic DNS companies, which have emerged as the service providers of choice for botnet operators, hinted Domingues Boscovich.

"If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online," he stated. "Meanwhile, we will continue to take proactive measures to help protect our customers and hold malicious actors accountable for their actions."

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...