Microsoft Intercepts 'Nitol' Botnet And 70,000 Malicious Domains

Court-ordered sinkhole operation disrupts Chinese DDoS botnet, other malware enterprises

Microsoft has sinkholed yet another botnet: This time, it's one out of China that also spread via counterfeit software secretly embedded with the malware.

Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, announced today in a blog post that Microsoft won a court order to host 3322.org, a notorious Internet domain out of which the so-called Nitol botnet operated. The infamous domain also hosts another 70,000 malicious subdomains and 500 different strains of malware, including Nitol. The U.S. District Court for the Eastern District of Virginia granted Microsoft's request for an ex parte restraining order against Peng Yong, his company, and other John Does, according to Boscovich.

Microsoft is now intercepting the malicious traffic for the 3322.org domain, which hosts some 3 million subdomains, not all of which are nefarious.

"The order allows Microsoft to host the 3322.org domain, which hosted the Nitol botnet, through Microsoft's newly created domain name system (DNS). This system enables Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322.org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption," he said in the post. Microsoft discovered Nitol while investigating how cybercriminals are abusing the third-party software supply chain with counterfeit software rigged with malware -- one of the vectors Nitol used to spread its bot malware.

Like any botnet takedown, the effects were immediate -- but likely only temporary. The 3322.org domain hosts about half of Nitol's domains. And nearly 86 percent of Nitol's servers operate out of China, and nearly 10 percent out of the U.S.

Gunter Ollmann, vice president of research at Damballa, so far counts more than 70 different botnets that rely on the 3322.org domain for their command-and-control infrastructure, with some 407 domains within 3322.org being used for C&C. But the 3322.org domain is just one malicious domain among many: "Most of the 70-plus botnets have C&C in other Dynamic DNS hosting providers as backup. So takedown of 3322.org is inconvenient, but not end-of-days," Ollmann says. It will provide some insight into the infections and command-and-control, however, according to Ollmann.

Meanwhile, the bad guys from 3322 aren't rolling over: A Chinese ISP that owns the 3322.org domain already has offered assistance to customers who have had their domains sinkholed. The company is providing workarounds for the sinkhole operation via its website, such as changing DNS settings, Ollmann says.

"I don't think [Microsoft's sinkhole operation is] going to have any noticeable impact on victims, and little impact on the criminal operators behind the botnet," Ollmann says.

The 3322.org domain is a notorious free dynamic DNS provider that's known for being used by bad guys. Nitol had been hosted there since 2008, according to Microsoft's findings.

Botnet expert Joe Stewart said in a tweet today that the Microsoft sinkhole so far was intercepting only about 57 percent of the subdomains in 3322.org that he's tracking.


Nominum is helping filter the bad traffic from the good from the 3322.org domain. "This is not a blunt-force method. It's a surgical takedown of traffic," says Daniel Blasingame, vice president and general manager of embedded solutions at Nominum. "We can tell if it's botnet command-and-control calling" machines, he says.

Microsoft's investigation of insecure supply chain abuse found that 20 percent of PCs purchased by Microsoft researchers were infected with malware. "Making matters worse, the malware was capable of spreading like an infectious disease through devices like USB flash drives, potentially causing the victim's family, friends, and co-workers to become infected with malware when simply sharing computer files," Boscovich says.

The Nitol botnet wages distributed denial of service (DDoS) attacks and sets up backdoors on the infected machine. The malware spreads via removable and network device shares, and all versions so far are rootkits -- Win32/Nitol.A and Trojan:Win32/Nitol.B.

The path to Nitol began in August 2011 when Microsoft researchers purchased a Windows laptop from a reseller in Shenzhen, China. The XP Service Pack 3-based Hedy laptop was found to be infected with Nitol.A.

"By sinkholing that domain and the known malicious domains from 3322.org, Microsoft is [gathering] information and getting some idea of victim counts or other malware out there," Damballa's Ollmann says.
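The two defensive pieces the story describes are a selective sinkhole (answer only the listed malicious subdomains of 3322.org with a sinkhole address while the legitimate subdomains keep resolving) and the victim-count telemetry that falls out of the sinkhole's query log. The script below is an added illustration of both, not code from Microsoft, Nominum or Damballa; the blocklist entries, the sinkhole address, the client addresses and the log lines are all constructed for the example, and only the 3322.org zone name comes from the article.

```python
"""Selective DNS sinkhole policy plus victim-count telemetry (illustrative)."""
from collections import defaultdict
import ipaddress

# Zone placed under the court-ordered DNS, per the article.
SINKHOLE_ZONE = "3322.org"
# Constructed sinkhole address (RFC 5737 documentation range), not Microsoft's.
SINKHOLE_IP = "192.0.2.1"
# Constructed blocklist of malicious subdomains; the real ~70,000 are not on the page.
MALICIOUS_SUBDOMAINS = {"botcc-a.3322.org", "update.botcc-b.3322.org", "dl.3322.org"}


def normalize(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.rstrip(".").lower()


def in_zone(name, zone):
    """True if name is zone itself or lies beneath it (label-aligned match)."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def is_sinkholed(name, blocklist=MALICIOUS_SUBDOMAINS, zone=SINKHOLE_ZONE):
    """Sinkhole only listed subdomains (and anything beneath them) inside the zone.
    Names outside the zone, and unlisted subdomains, are never sinkholed."""
    name = normalize(name)
    if not in_zone(name, zone):
        return False
    return any(in_zone(name, bad) for bad in blocklist)


def resolve(name, upstream):
    """Policy decision for one query. `upstream` is a dict standing in for the
    ordinary resolution path of the legitimate subdomains."""
    if is_sinkholed(name):
        return SINKHOLE_IP, "sinkhole"
    return upstream.get(normalize(name)), "passthrough"


# Constructed sinkhole query log: "<timestamp> <client_ip> <qname> <qtype>".
SINKHOLE_LOG = """\
2012-09-13T14:01:02Z 203.0.113.10 botcc-a.3322.org A
2012-09-13T14:01:05Z 203.0.113.10 botcc-a.3322.org A
2012-09-13T14:01:09Z 198.51.100.7 BOTCC-A.3322.org. A
2012-09-13T14:01:40Z 203.0.113.11 botcc-a.3322.org A
2012-09-13T14:02:11Z 198.51.100.8 update.botcc-b.3322.org A
2012-09-13T14:02:30Z 198.51.100.7 update.botcc-b.3322.org A
2012-09-13T14:02:45Z 198.51.100.8 update.botcc-b.3322.org A
2012-09-13T14:03:00Z 203.0.113.200 myhome.3322.org A
2012-09-13T14:03:01Z not-an-ip botcc-a.3322.org A
garbage line
"""


def victim_counts(log_text, blocklist=MALICIOUS_SUBDOMAINS):
    """Unique client IPs per sinkholed subdomain: each distinct source address is
    one probable infected host, repeat beacons are collapsed, and passthrough
    queries and malformed lines are ignored."""
    victims = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, _qtype = parts
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue
        if is_sinkholed(qname, blocklist):
            victims[normalize(qname)].add(client)
    return {qname: len(ips) for qname, ips in victims.items()}


if __name__ == "__main__":
    for q in ("botcc-a.3322.org", "myhome.3322.org", "3322.org.example.net"):
        print(q, "->", resolve(q, {"myhome.3322.org": "198.51.100.50"}))
    print(victim_counts(SINKHOLE_LOG))
```

The match in `in_zone` is label-aligned on purpose: a lookalike such as `xbotcc-a.3322.org`, or the zone name embedded inside another domain, must not be swept into the sinkhole, which is the collateral-damage risk for the legitimate subdomains. The victim counter keys on unique source addresses rather than query volume, since one infected host beacons repeatedly; NAT and resolver caching still make it an estimate, which is why the counts are described as "some idea" rather than a census.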

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
