Microsoft calls halt to cybercrime ring takedown following website outages

Microsoft's bid to take down the communication channels between hackers and a slew of malware-infected PCs has seemingly been abandoned, after it caused widespread outages for millions of web users.

The software giant obtained a court order earlier this week to aid its disruption of malware created by rogue developers in Kuwait and Algeria.

The pieces of malware, dubbed Jenxcus and Bladabindi, have been picked up by the software giant's anti-virus tools as being present on just under 30 per cent of the world's PCs.

However, there is a possibility the infection rate may be higher than this, particularly if the findings of other anti-virus software makers were taken into account as well.

Richard Domingues Boscovich, assistant general counsel of Microsoft's cybercrime-fighting digital crimes unit, said the case is the biggest it has dealt with outside of Eastern Europe.

"We have never seen malware coded outside Eastern Europe that is as big as this. This really demonstrates the globalisation of cybercrime," he said.

Microsoft has received the blessing of the federal court of Nevada to disrupt communications between the affected computers and a company called Vitalwerks Internet Solutions.

This was after ascertaining that 94 per cent of the infected machines used the company's servers to communicate with the hackers.

Since the court order was put in place on Monday, any suspect web traffic has been sent to Microsoft for analysis instead of to Vitalwerks.

However, it is claimed the vendor's actions - which saw 22 of Vitalwerks' most popular domains seized - has resulted in outages for other users of the company's services.

Natalie Goguen, a Vitalwerks spokesperson, explained in a blog post: "[Microsoft] their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. This is not happening.

"Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers.

"Millions of innocent users are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors," she added.

Microsoft has since responded, saying it has fixed the issue, but Goguen maintains that it has not, and users of its services are still suffering.

In the latest twist to the story, it appears Microsoft started handing back control of the domains it seized in a bid to arrest the malware infections spreading further.

NO-IP has reported that a number of the seized domains have been reinstated. Whether this is a sign that Redmond has called a halt to the operation or had its court order revoked remains to be seen.

At the time of publication, Microsoft was remaining tight-lipped about the issue.

Who's to blame?

Microsoft has stopped short of accusing Vitalwerks of being complicit with the hackers, but according to a report on Reuters claims the company didn't do enough to prevent its systems being abused by cyber criminals.

"We just want them to clean up their act, to be more proactive in monitoring their service," Boscovich added.

Goguen has already stated the company has a "very strict" anti-abuse policy in place.

"Our abuse team is constantly working to keep the No-IP [a Vitalwerks' subsidiary] domains free of spam and malicious activity," she added.

This story was originally published on 1 July, and has since received subsequent updates on 2 July and 3 July.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.