Microsoft has learned that much of the code used by the Nitol malware family is copied from free malware resources hosted on Chinese websites. Microsoft posted portions of the code online this week where similar lines used for denial of service attack functionality are present in Nitol and on the sites in question.
Rex Plantado, an antivirus researcher at Microsoft, said that Nitol.A and Nitol.B also resemble malware used by the IMDDOS and Avzhan botnets, both of which, like Nitol, are used to carry out distributed denial-of-service attacks. Nitol.A and Nitol.B are the most active variants of the Nitol family.
The Nitol botnet was recently taken down by Microsoft after it was given permission by the U.S. District Court for the Eastern District of Virginia to take control of the 70,000 sub domains hosting malware on the 3322.org domain.
Microsoft has been investigating supply chain security for some time—its recent Security Intelligence Report focused on malware compromising third-party suppliers and file-sharing networks and sites—and reported in September that it had discovered Nitol malware pre-loaded on computers built in China running counterfeit versions of the Windows operating system. The 3322.org subdomains, meanwhile, were hosting more than 500 strains of malware, including DDoS malware, keyloggers, rootkits and more.
Microsoft found similar DDoS behavior in all the Nitol variants, despite some other variations. Most of the variants, Microsoft said, are made up of a loader executable and a DLL dropped by the loader. The loader installs the DLL, named lpk.dll, as a NT service or legacy driver. Lpk.dll is dropped to every folder containing an executable, RAR or ZIP file on local or removable drives. When the DLL runs, it begins connecting to a command-and-control server; most of them reached out to the 3322.org domain which was located in China and subsequently taken down by Microsoft.
The compromised machines then issued commands to attack domains by a variety of means, including SYN, UDP, TCP, HTTP and ICMP floods. The C&C server can also send additional executables or updates to infected machines, or force a browser to surf to a compromised URL.
IMDDOS, or I’M DDOS, is a commercial DDOS attack service available for purchase from a China-hosted website. IMDDOS was discovered two years ago by security company Damballa, and was one of the fastest-growing botnets, the company said, peaking at more than 25,000 recursive DNS lookups per hour for all its command and control domains. The service offers different pricing options and round the clock technical support.
Arbor Networks, meanwhile, followed up Damballa’s research with a look into a related malware family called Avzhan. Like IMDDOS, Avzhan was controlled by a Chinese IP and had similar install, attack engines and command and control capabilities as IMDDOS.
“One theory that comes to mind is that the developers of the IMDDOS family might have obtained the Avzhan source code and added the modifications necessary to evolve it into a more easily commercialized DDoS service,” Arbor said in its initial report on Avzhan. “At any rate, the commonalities between Avzhan and IMDDOS represent yet another data point that indicates how much sharing, re-using and/or borrowing of code takes place in the underground malware industry.”
Microsoft said there is no evidence they were created by the same author, though all originate in China it would seem as 85 percent of Nitol infections have been detected in China, compared to close to 10 percent in the U.S. Eighty percent of command and control servers were also located in China, with 15 percent in the U.S.
