No-IP didn't knowingly harbor botnet operators targeted in takedown, MS declares.

Microsoft has formally settled legal differences with No-IP, the dynamic domain name host that was kneecapped by a botnet takedown that recently knocked out service to millions of legitimate users.

As we reported, Microsoft surrendered the 23 No-IP domains last week. A bare-bones statement e-mailed to journalists Wednesday morning said the agreement settled a controversial lawsuit Microsoft filed in late June that allowed the software maker to confiscate 23 No-IP domain names before the service provider had an opportunity to oppose the maneuver in court. The malware families targeted in the latest takedown infected more than 7.4 million machines in the past year alone, Microsoft said.

A federal judge approved Microsoft's confidential ex parte motion arguing that the software maker was entitled to seize control of the addresses because No-IP owner Vitalwerks Internet Solutions failed to follow industry practices designed to prevent malware operators from abusing the service. In the course of a few hours, millions of connections from law-abiding users were severed. The statement read in part:

Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware. Those spreading the malware abused Vitalwerks’ services.

Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware.

In the process of redirecting traffic to its servers for malware detection, Microsoft acknowledges that a number of Vitalwerks customers were impacted by service outages as a result of a technical error. Microsoft regrets any inconvenience these customers may have experienced.

The dispute underscored the fine line between finely tuned botnet takedowns and reckless seizures that disrupt legitimate users in the name of security on the Internet. In the past few years, Microsoft has innovated a combination of technical and legal maneuvers that has proved effective at dismantling, or at least significantly disrupting, highly resilient malware networks. By creating a sprawling series of redundant servers with a variety of hosts, IP addresses, and domain names, malware operators can elude takedowns by shuttling compromised end-user computers from one server to another. Microsoft's technique relies on stealth to disconnect virtually all of a campaign's malicious servers at once, before the operators have a chance to respond.

Preserving the confidentiality of the planned takedown may have played a role in No-IP's claims that Microsoft officials never contacted it ahead of time about the abuse of its service. Microsoft's takedown technique has evolved over the years. Company officials would do well to update it again to reflect the lessons learned from this episode.