04:23 PM
Connect Directly
Repost This

Microsoft Intercepts 'Nitol' Botnet And 70,000 Malicious Domains

Court-ordered sinkhole operation disrupts Chinese DDoS botnet, other malware enterprises

Microsoft has sinkholed yet another botnet: This time, it's one out of China that also spread via counterfeit software secretly embedded with the malware.

Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, announced today in a blog post that Microsoft won a court order to host 3322.org, a notorious Internet domain out of which the so-called Nitol botnet operated. The infamous domain also hosts another 70,000 malicious subdomains and 500 different strains of malware, including Nitol. The U.S. District Court for the Eastern District of Virginia granted Microsoft's request for an ex parte restraining order against Peng Yong, his company, and other John Does, according to Boscovich.

So now Microsoft is intercepting any malicious traffic from the 3322.org domain, which hosts some 3 million subdomains, but not all of which are nefarious.

"The order allows Microsoft to host the 3322.org domain, which hosted the Nitol botnet, through Microsoft's newly created domain name system (DNS). This system enables Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322.org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption," he said in the post. Microsoft discovered Nitol while investigating how cybercriminals are abusing the third party software supply chain with counterfeit software rigged with malware -- one of the vectors Nitol used to spread its bot malware.

Like any botnet takedown, the effects were immediate -- but likely only temporary. The 3322.org domain hosts about half of Nitol's domains. And nearly 86 percent of Nitol's servers operate out of China, and nearly 10 percent out of the U.S.

Gunter Ollmann, vice president of research at Damballa, so far counts more than 70 different botnets that rely on the 3322.org domain for their command-and-control infrastructure, with some 407 domains within 3322.org being used for C&C. But the 3322.org domain is just one malicious domain among many: "Most of the 70-plus botnets have C&C in other Dynamic DNS hosting providers as backup. So takedown of 3322 .org is inconvenient, but not end-of-days," Ollmann says. It will provide some insight into the infections and command-and-control, however, according to Ollmann.

Meanwhile, the bad guys from 3322 aren't rolling over: A Chinese ISP that owns the 3322.org domain already has offered assistance to customers who have had their domains sinkholed. The company is providing via its website workarounds for the sinkhole operation, such as changing DNS settings, Ollmann says.

"I don't think [Microsoft's sinkhole operation is] going to have any noticeable impact on victims, and little impact on the criminal operators behind the botnet," Ollmann says.

The 3322.org domain is a notorious free dynamic DNS provider that's known for being used by bad guys. Nitol had been hosted there since 2008, according to Microsoft's findings.

Botnet expert Joe Stewart said in a tweet today that the Microsoft sinkhole so far was intercepting only about 57 percent of the subdomains in 3322.org that he's tracking.

[ Sometimes the good guys get caught in the crossfire of the war against botnets, as the Microsoft Zeus botnet case demonstrates. See Botnet Takedowns Can Incur Collateral Damage. ]

Nominum is helping filter the bad traffic from the good from the 3322.org domain. "This is not a blunt-force method. It's a surgical takedown of traffic," says Daniel Blasingame, vice president and general manager of embedded solutions at Nominum. "We can tell if it's botnet command-and-control calling" machines, he says.

Microsoft's investigation of insecure supply chain abuse found that 20 percent of PCs purchased by Microsoft researchers were infected with malware. "Making matters worse, the malware was capable of spreading like an infectious disease through devices like USB flash drives, potentially causing the victim's family, friends, and co-workers to become infected with malware when simply sharing computer files," Boscovich says.

The Nitol botnet wages distributed denial of service (DDoS) attacks and sets up backdoors on the infected machine. The malware spreads via removable and network device shares, and all versions so far are rootkits -- Win32/Nitol.A and Trojan: Win32/Nitol.B.

The path to Nitol began in August 2011 when Microsoft researchers purchased a Windows laptop from a reseller in Shenzhen, China. The XP Service Pack 3-based Hedy laptop was found to be infected with Nitol.A.

"By sinkholing that domain and the known malicious domains from 3322.org, Microsoft is [gathering] information and getting some idea of victim ocunts or other malware out there," Damballa's Ollmann says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.

Published: 2014-04-23
CRLF injection vulnerability in the CGI implementation in Microsoft Internet Information Services (IIS) 4.x and 5.x on Windows NT and Windows 2000 allows remote attackers to modify arbitrary uppercase environment variables via a \n (newline) character in an HTTP header.

Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Best of the Web