Microsoft Intercepts 'Nitol' Botnet And 70,000 Malicious Domains

Court-ordered sinkhole operation disrupts Chinese DDoS botnet, other malware enterprises

Dark Reading logo in a gray background | Dark Reading

Microsoft has sinkholed yet another botnet: This time, it's one out of China that also spread via counterfeit software secretly embedded with the malware.

Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, announced today in a blog post that Microsoft won a court order to host 3322.org, a notorious Internet domain out of which the so-called Nitol botnet operated. The infamous domain also hosts another 70,000 malicious subdomains and 500 different strains of malware, including Nitol. The U.S. District Court for the Eastern District of Virginia granted Microsoft's request for an ex parte restraining order against Peng Yong, his company, and other John Does, according to Boscovich.

So now Microsoft is intercepting any malicious traffic from the 3322.org domain, which hosts some 3 million subdomains, but not all of which are nefarious.

"The order allows Microsoft to host the 3322.org domain, which hosted the Nitol botnet, through Microsoft's newly created domain name system (DNS). This system enables Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322.org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption," he said in the post. Microsoft discovered Nitol while investigating how cybercriminals are abusing the third party software supply chain with counterfeit software rigged with malware -- one of the vectors Nitol used to spread its bot malware.

Like any botnet takedown, the effects were immediate -- but likely only temporary. The 3322.org domain hosts about half of Nitol's domains. And nearly 86 percent of Nitol's servers operate out of China, and nearly 10 percent out of the U.S.

Gunter Ollmann, vice president of research at Damballa, so far counts more than 70 different botnets that rely on the 3322.org domain for their command-and-control infrastructure, with some 407 domains within 3322.org being used for C&C. But the 3322.org domain is just one malicious domain among many: "Most of the 70-plus botnets have C&C in other Dynamic DNS hosting providers as backup. So takedown of 3322 .org is inconvenient, but not end-of-days," Ollmann says. It will provide some insight into the infections and command-and-control, however, according to Ollmann.

Meanwhile, the bad guys from 3322 aren't rolling over: A Chinese ISP that owns the 3322.org domain already has offered assistance to customers who have had their domains sinkholed. The company is providing via its website workarounds for the sinkhole operation, such as changing DNS settings, Ollmann says.

"I don't think [Microsoft's sinkhole operation is] going to have any noticeable impact on victims, and little impact on the criminal operators behind the botnet," Ollmann says.

The 3322.org domain is a notorious free dynamic DNS provider that's known for being used by bad guys. Nitol had been hosted there since 2008, according to Microsoft's findings.

Botnet expert Joe Stewart said in a tweet today that the Microsoft sinkhole so far was intercepting only about 57 percent of the subdomains in 3322.org that he's tracking.

[ Sometimes the good guys get caught in the crossfire of the war against botnets, as the Microsoft Zeus botnet case demonstrates. See Botnet Takedowns Can Incur Collateral Damage. ]

Nominum is helping filter the bad traffic from the good from the 3322.org domain. "This is not a blunt-force method. It's a surgical takedown of traffic," says Daniel Blasingame, vice president and general manager of embedded solutions at Nominum. "We can tell if it's botnet command-and-control calling" machines, he says.

Microsoft's investigation of insecure supply chain abuse found that 20 percent of PCs purchased by Microsoft researchers were infected with malware. "Making matters worse, the malware was capable of spreading like an infectious disease through devices like USB flash drives, potentially causing the victim's family, friends, and co-workers to become infected with malware when simply sharing computer files," Boscovich says.

The Nitol botnet wages distributed denial of service (DDoS) attacks and sets up backdoors on the infected machine. The malware spreads via removable and network device shares, and all versions so far are rootkits -- Win32/Nitol.A and Trojan: Win32/Nitol.B.

The path to Nitol began in August 2011 when Microsoft researchers purchased a Windows laptop from a reseller in Shenzhen, China. The XP Service Pack 3-based Hedy laptop was found to be infected with Nitol.A.

"By sinkholing that domain and the known malicious domains from 3322.org, Microsoft is [gathering] information and getting some idea of victim ocunts or other malware out there," Damballa's Ollmann says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights