by meowface 4367 days ago
While I do think Microsoft's approach here is pretty insane, your proposed solution would not have helped at all:

>Microsoft could have just asked them to change the IP associated with the relevant accounts, disable update for them and/or hand over access to those accounts.

The botnet operators are using this service because of how transient it is. They likely have hundreds of accounts, each with thousands of domains, and can make more accounts and more domains on the fly.

What Microsoft should've done is worked with no-ip's team to implement some code in the account and domain registration process to catch these kinds of patterns, in a way where the botnet operator thinks he's configured them correctly, but Microsoft is actually using no-ip's nameservers to point those domains to their sinkholes. After setting this up, they could've then generalized this checking process to catch and automatically ban (or shadowban) other registrants who appear to be using no-ip for botnet command & control or malware distribution. They also could implement evercookies and browser fingerprinting to track threat actors who keep making new accounts, in combination with the heuristic detection.

They could've achieved a lot of good by doing this; but now every miscreant out there knows all about this due to the publicity, so they're not going to touch no-ip with a 50-foot pole.

If no-ip refused to implement something like this, then maybe Microsoft could've gotten a temporary court order so that they could basically force them to. But instead they forced them to give up control of their entire DNS space, all to take down 1 botnet.
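A sketch of the provider-side scheme the comment above proposes, added here as an illustration and not code from the thread or from no-ip/Microsoft: a burst-registration heuristic flags accounts, the zone answers flagged hostnames with a sinkhole address, and the registrant's control panel still shows the IP they asked for. The log lines, the 20-hostnames-in-10-minutes threshold and the documentation-range sinkhole address are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SINKHOLE_IP = "192.0.2.1"             # RFC 5737 documentation address standing in for a sinkhole
BURST_WINDOW = timedelta(minutes=10)  # assumed heuristic: this many registrations...
BURST_THRESHOLD = 20                  # ...inside this window looks automated, not a home user

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample registration log: (time, account, hostname, requested_ip).
REGISTRATIONS = [
    (_t("2014-06-28 09:00:00"), "homeuser", "mycam.example-ddns.test", "203.0.113.7"),
    (_t("2014-06-29 18:30:00"), "homeuser", "nas.example-ddns.test", "203.0.113.7"),
] + [
    (_t("2014-06-30 02:00:00") + timedelta(seconds=5 * i), "bulkacct",
     "upd%02d.example-ddns.test" % i, "198.51.100.9")
    for i in range(25)  # 25 hostnames in two minutes from one account
]

def flag_bursty_accounts(registrations, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return accounts that registered >= threshold hostnames inside any sliding window."""
    times = defaultdict(list)
    for when, account, _, _ in registrations:
        times[account].append(when)
    flagged = set()
    for account, stamps in times.items():
        stamps.sort()
        start = 0
        for end, when in enumerate(stamps):
            while when - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(account)
                break
    return flagged

def build_zone(registrations, flagged):
    """Hostname -> authoritative answer; flagged accounts' names silently go to the sinkhole."""
    return {host: (SINKHOLE_IP if acct in flagged else ip)
            for _, acct, host, ip in registrations}

def resolve(zone, hostname):
    """What the nameserver actually answers (None stands for NXDOMAIN)."""
    return zone.get(hostname)

def panel_view(registrations, hostname):
    """What the registrant sees in the control panel: always the IP they configured."""
    return next((ip for _, _, host, ip in registrations if host == hostname), None)
```

Legitimate names keep resolving normally, which is the difference from seizing the whole zone.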

1 comments

I think it would, from Microsoft's technet article [1] -- the reason they went this route seems to be because they're having trouble detecting these two worms (they're polymorphic) -- so they went for decapitation: kill the C&C.

Besides, knocking out no-ip still doesn't "fix" anything - there're a billion and one easy ways around it - C&C lists in alternate dyndns providers, 3rd party namespaces, Tor-based C&C, pastebins, public/anonymous forums, hidden in bit-torrent blockchain etc etc etc

Heck, pushing an update to every Windows machine that simply resolved *.no-ip.org to 127.0.0.1 would be better than this. At least then folks that wanted to use it would have an easy recourse.

[1] http://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-febr...

>Heck, pushing an update to every Windows machine that simply resolved *.no-ip.org to 127.0.0.1 would be better than this.

...I don't know if you're joking or not, but that would've been far worse.

At least in this case, Microsoft is attempting to make an effort to preserve all non-malicious domains.