A botnet known as Nitol, built on the backs of PCs and laptops loaded with malware somewhere in the supply chain, was taken down by Microsoft. Microsoft’s Digital Crimes Unit was given permission this week by the U.S. District Court for the Eastern District of Virginia to take over the 3322.org domain and more than 70,000 sub-domains hosting the Nitol botnet.

This is the second botnet takedown for Microsoft in six months; in March, Microsoft disrupted parts of the Zeus botnet, a major global network that’s behind billions of dollars in bank fraud and identity theft.

Last August, Microsoft began an investigation into supply chain security and eventually discovered the Nitol malware pre-loaded on computers built in China that were running counterfeit versions of the Windows operating system. Further digging revealed the 3322.org domain and sub-domains hosting not only Nitol but more than 500 different pieces of malware. The malicious code ran the gamut from keystroke loggers, denial-of-service capabilities, rootkits, backdoors and more, Microsoft Digital Crimes Unit assistant general counsel Richard Domingues Boscovich wrote of what Microsoft dubbed Operation b70.

Boscovich said the operation began more than a year ago with the purchase of 20 computers manufactured and sold in several cities in China. Four pieces of malware were found on several machines: Nitol, Trafog and Malat (all backdoors), and EggDrop. Nitol was the only malware that was active and was trying to connect to a command-and-control server.

The Microsoft report said Nitol was built to spread via USB flash drives and other removable media, in addition to mapped network shares. Any USB drive, for example, connecting to an infected machine would also become infected. Nitol copied itself only to directories containing certain applications and file archives, enabling it to exploit the module-loading process used by Windows when it runs applications, the report said.
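The placement pattern described above (a module dropped into a directory that already holds an application or archive, so that Windows' module-loading search picks it up) is something a defender can sweep removable media and mapped shares for. The following is an added example, not code from Microsoft's report; the suffix sets and the sample drive layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed suffix sets for this example: files that act as a "host" the
# planted module would ride along with, and the module type to flag.
APP_SUFFIXES = {".exe"}
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}
MODULE_SUFFIXES = {".dll"}


def find_planted_modules(root):
    """Walk `root` (e.g. a mounted USB drive or mapped share) and return
    (relative_dir, module_name) pairs where a loadable module sits beside
    an application executable or a file archive. Directories holding only
    data files are skipped, since no loader would pick the module up there."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = sorted(f.lower() for f in filenames)
        suffixes = {Path(n).suffix for n in names}
        if not suffixes & (APP_SUFFIXES | ARCHIVE_SUFFIXES):
            continue
        rel = os.path.relpath(dirpath, root)
        for n in names:
            if Path(n).suffix in MODULE_SUFFIXES:
                hits.append((rel, n))
    return hits


def build_sample_tree():
    """Constructed sample drive layout for the demo; the files are inert
    placeholders, not real binaries."""
    root = tempfile.mkdtemp(prefix="usb_")
    layout = {
        "Tools/viewer.exe": b"MZ", "Tools/helper.dll": b"MZ",   # flagged
        "Backups/site.zip": b"PK", "Backups/module.dll": b"MZ", # flagged
        "Docs/report.txt": b"text",                             # no module
        "Music/song.mp3": b"ID3", "Music/codec.dll": b"MZ",     # no host, not flagged
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    for directory, module in find_planted_modules(build_sample_tree()):
        print(f"review: {module} placed beside an application/archive in {directory}")
```

A hit is a review candidate, not a verdict; legitimate software ships DLLs next to its executable, so the next step is to check the module's signature and hash against a known-good inventory.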

Nitol variants found so far have only been rootkits, and are capable of receiving remote commands, such as update downloads, new module components, .exe files and others, from a C&C server. Nitol is capable of launching DDoS attacks against targets, or opening backdoors for additional malware infections or activity monitoring by turning on a microphone or video camera on a computer.

The court order granted Microsoft this week gave the company a temporary restraining order against Bei Te Kang Mu Software Technology, its owner Peng Yong and three others, allowing Microsoft to block the operation of the Nitol botnet. Microsoft was also granted an injunction making it the authoritative name server for 3322.org.

“This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322.org domain, and will help rescue people’s computers from the control of this malware,” Boscovich wrote in the report.

Eighty-five percent of Nitol infections have been detected in China and close to 10 percent in the U.S.; 80 percent of command-and-control servers were also located in China and 15 percent in the U.S. Microsoft was unable to determine where in the supply chain the malware was loaded onto the infected computers; the goal of the initial investigation was to uncover usage of counterfeit Windows software.

“So how can someone know if they’re buying from an unsecure supply chain? One sign is a deal that appears too good to be true,” Boscovich wrote. “However, sometimes people just can’t tell, making the exploitation of a broken supply chain an especially dangerous vehicle for infecting people with malware.”

Microsoft also made a call for supply chains to lock down security and ensure that computers and software they purchase come from a trusted source, the report said.

“Our disruption of the Nitol botnet further demonstrates our resolve to take all necessary steps to protect our customers and discourage criminals from defrauding them into using malware infected counterfeit software,” Boscovich said. “Given the security risks that malware infections can create, we also need suppliers, resellers, distributors and retailers in the supply chain to do their part in safeguarding people from harmful counterfeit software.”

Categories: Malware

Comment (1)

  1. Anonymous

    Did they actually shut down the entire 3322.org dynamic dns service, or just the subdomains that were hosting malware?
