Microsoft announced today it’s reached a settlement with the operator of a Chinese Web site whose domain and sub-domains hosted more than 500 kinds of malware, including the Nitol botnet found on brand new computers.
In a lawsuit filed two weeks ago by the software giant, Microsoft alleged the domain 3322.org hosted Nitol, which was found being preloaded onto computers during an investigation into supply chain security last August. Microsoft created a sinkhole to divert infected computers and was able to block some 609 million connections from more than 7,650,000 unique IP addresses to those subdomains in just 16 days.
As part of the settlement reached in a U.S. District Court in northern Virginia, Peng Yong, the registered owner of 3322.org, will work with Microsoft and China’s Computer Emergency Response Team to prevent the site from remaining a conduit for malicious activity.
Specifically, Yong will help:
–Block all connections linked to “block-listed” subdomains and direct them to a sinkhole computer managed by CN-CERT.
–Add 3322.org subdomains to the block-list as they are uncovered by Microsoft and CN-CERT.
–Help find the owners of infected computers in China and assist them in removing malware from their computers.
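A minimal illustration of the block-list-and-sinkhole logic described in the three steps above, as an added example that is not Microsoft's or CN-CERT's code; the sinkhole address, block-list contents and log lines are constructed placeholders:

```python
import ipaddress
from collections import Counter

# Constructed placeholders, not values from the case.
SINKHOLE_IP = "192.0.2.10"   # RFC 5737 documentation address standing in for the sinkhole
BLOCKLIST = {"3322.org"}     # block-listed zones; subdomains are added as they are uncovered


def is_blocklisted(name: str) -> bool:
    """True if name equals, or is a subdomain of, a block-listed zone.

    Matching is label-aware: 'abc.3322.org' matches, 'evil3322.org' does not,
    and '3322.org.example.com' does not.
    """
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(name: str, upstream: dict) -> str:
    """Return the sinkhole address for block-listed names, else the upstream answer."""
    if is_blocklisted(name):
        return SINKHOLE_IP
    return upstream.get(name.rstrip(".").lower(), "NXDOMAIN")


# Constructed sinkhole log, one "<source-ip> <queried-name>" per line.
SINKHOLE_LOG = """\
198.51.100.7 abc.3322.org
198.51.100.7 abc.3322.org
203.0.113.42 xyz.3322.org
198.51.100.9 abc.3322.org
"""


def summarize(log: str):
    """Count diverted connections, unique source IPs and hits per subdomain,
    the figures a sinkhole report (and a victim-notification list) is built from."""
    connections = 0
    sources = set()
    per_name = Counter()
    for line in log.splitlines():
        src, qname = line.split()
        ipaddress.ip_address(src)  # raises on a malformed entry instead of miscounting
        connections += 1
        sources.add(src)
        per_name[qname] += 1
    return connections, len(sources), per_name
```

The unique-source count is what would be handed to a CERT to locate infected machines; the per-subdomain counts show which block-list entries are still being contacted.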
“We’re very pleased by this outcome, which will help guarantee that the 70,000 malicious subdomains associated with 3322.org will never again be used for cybercrime,” Richard Domingues Boscovich, Assistant General Counsel for Microsoft’s Digital Crimes Unit, said in a blog post.
To clean up victims’ computers as quickly as possible, Microsoft shared data with more than 40 impacted countries through their respective Computer Emergency Response Teams (CERTs) beginning Sept. 26. Boscovich said the massive joint effort “helped to drastically reduce the global infection of the Waledac, Rustock, Kelihos and Zeus botnets.”
In exchange for Yong’s cooperation, Microsoft agreed to drop the lawsuit it filed against him.
Dubbed “Operation b70,” the international probe revealed malware was being loaded onto machines at some point between leaving the factory and arriving at consumers.
“Cybercriminals did and continue to do this by having disreputable distributors or resellers load malware-infected counterfeit software onto computers that have shipped from the PC manufacturer without an operating system, or in some cases, with an operating system that a customer doesn’t want,” Boscovich said.
“Those infected computers are then loaded with a desired operating system that is often laden with malware and then sold to unassuming customers. It’s our hope that by shedding light on this new threat vector and bringing it to the attention of original equipment manufacturers and policymakers, this action will have a real impact on cybercriminals’ ability to infiltrate the supply chain in the future.”