04:23 PM
Connect Directly

Microsoft Intercepts 'Nitol' Botnet And 70,000 Malicious Domains

Court-ordered sinkhole operation disrupts Chinese DDoS botnet, other malware enterprises

Microsoft has sinkholed yet another botnet: This time, it's one out of China that also spread via counterfeit software secretly embedded with the malware.

Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, announced today in a blog post that Microsoft won a court order to host 3322.org, a notorious Internet domain out of which the so-called Nitol botnet operated. The infamous domain also hosts another 70,000 malicious subdomains and 500 different strains of malware, including Nitol. The U.S. District Court for the Eastern District of Virginia granted Microsoft's request for an ex parte restraining order against Peng Yong, his company, and other John Does, according to Boscovich.

So now Microsoft is intercepting any malicious traffic from the 3322.org domain, which hosts some 3 million subdomains, but not all of which are nefarious.

"The order allows Microsoft to host the 3322.org domain, which hosted the Nitol botnet, through Microsoft's newly created domain name system (DNS). This system enables Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322.org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption," he said in the post. Microsoft discovered Nitol while investigating how cybercriminals are abusing the third party software supply chain with counterfeit software rigged with malware -- one of the vectors Nitol used to spread its bot malware.

Like any botnet takedown, the effects were immediate -- but likely only temporary. The 3322.org domain hosts about half of Nitol's domains. And nearly 86 percent of Nitol's servers operate out of China, and nearly 10 percent out of the U.S.

Gunter Ollmann, vice president of research at Damballa, so far counts more than 70 different botnets that rely on the 3322.org domain for their command-and-control infrastructure, with some 407 domains within 3322.org being used for C&C. But the 3322.org domain is just one malicious domain among many: "Most of the 70-plus botnets have C&C in other Dynamic DNS hosting providers as backup. So takedown of 3322 .org is inconvenient, but not end-of-days," Ollmann says. It will provide some insight into the infections and command-and-control, however, according to Ollmann.

Meanwhile, the bad guys from 3322 aren't rolling over: A Chinese ISP that owns the 3322.org domain already has offered assistance to customers who have had their domains sinkholed. The company is providing via its website workarounds for the sinkhole operation, such as changing DNS settings, Ollmann says.

"I don't think [Microsoft's sinkhole operation is] going to have any noticeable impact on victims, and little impact on the criminal operators behind the botnet," Ollmann says.

The 3322.org domain is a notorious free dynamic DNS provider that's known for being used by bad guys. Nitol had been hosted there since 2008, according to Microsoft's findings.

Botnet expert Joe Stewart said in a tweet today that the Microsoft sinkhole so far was intercepting only about 57 percent of the subdomains in 3322.org that he's tracking.

[ Sometimes the good guys get caught in the crossfire of the war against botnets, as the Microsoft Zeus botnet case demonstrates. See Botnet Takedowns Can Incur Collateral Damage. ]

Nominum is helping filter the bad traffic from the good from the 3322.org domain. "This is not a blunt-force method. It's a surgical takedown of traffic," says Daniel Blasingame, vice president and general manager of embedded solutions at Nominum. "We can tell if it's botnet command-and-control calling" machines, he says.

Microsoft's investigation of insecure supply chain abuse found that 20 percent of PCs purchased by Microsoft researchers were infected with malware. "Making matters worse, the malware was capable of spreading like an infectious disease through devices like USB flash drives, potentially causing the victim's family, friends, and co-workers to become infected with malware when simply sharing computer files," Boscovich says.

The Nitol botnet wages distributed denial of service (DDoS) attacks and sets up backdoors on the infected machine. The malware spreads via removable and network device shares, and all versions so far are rootkits -- Win32/Nitol.A and Trojan: Win32/Nitol.B.

The path to Nitol began in August 2011 when Microsoft researchers purchased a Windows laptop from a reseller in Shenzhen, China. The XP Service Pack 3-based Hedy laptop was found to be infected with Nitol.A.

"By sinkholing that domain and the known malicious domains from 3322.org, Microsoft is [gathering] information and getting some idea of victim ocunts or other malware out there," Damballa's Ollmann says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.