Skip Links

Microsoft takes down another botnet, Nitol

Botnet malware found in new machines sold by Chinese resellers

By , Network World
September 14, 2012 08:53 AM ET

Network World - For the fifth time in three years Microsoft has stepped in to take down a botnet, this time malware called Nitol that was infecting new machines bought in China.

A U.S. court has allowed the company to take over authority of a top-level domain - 3322.org - in an effort to stop the activity of the botnet under Nitol's control.

MORE BOTNETS: Botnet masters hide command and control server inside the Tor network 

BOTNET JAIL TIME: Arizona man imprisoned for selling access to botnets 

Microsoft discovered the infection on pristine personal computers in 2011 as it investigated supply chains in China for evidence of products becoming infected before sale or using pirated software, according to a Microsoft blog post. The investigation was dubbed Operation b70.

Nitol enlists infected machines into botnets that can execute distributed denial-of-service attacks (DoS) and can also download malicious code for machines to perform whatever commands the bot commander directs, according to court papers filed by Microsoft in its successful effort to win a temporary restraining order against the ISP with authority over 3322.org.

That company - Changzhou Bei Te Kang Mu Software - and an individual behind it - Peng Yong - were named, but there are others identified only as John Does.

A Microsoft team based in China bought 20 PCs as part of an effort to find the source of machines sporting pirated Microsoft operating systems. It not only found pirated products, it found one machine that came pre-infected with Nitol.

This led to an investigation of Nitol, how it worked and what infrastructure it used. This led to an ISP in China named BitComm and its owner Peng Yong, according to court papers. Nitol was capable of key logging, stealing passwords and other data, generating spam and participating in DDoS attacks. It could even turn on the computer's microphone and camera to become a spy device, according to a court affidavit from Patrick Stratton, a senior manager of investigations in Microsoft's Digital Crimes Unit.

Infected machines check in with command and control servers, most of which are located in China, but with a significant number in the U.S., particularly in California, Texas, Georgia and Pennsylvania, with the most active cities being San Diego, San Jose, Dallas, Atlanta and Scranton, Pa., according to a Microsoft report.

Microsoft has been granted authority over the offending 3322.org domain, which contains 70,000 malicious subdomains but also millions of legitimate subdomains, says Craig Sprosts, the general manager of Nominum, a DNS company working with Microsoft on the Nitol takedown.

As zombie machines attempt to contact their command servers in those domains, their DNS requests go to Microsoft-controlled servers which use Nominum software to black-hole them, which means they get no response so they cannot connect to upload information or download instructions and further malware, he says.

He says Nominum is working with Microsoft on similar future efforts, but would not detail what they are. "Our collaboration with Microsoft here will be repeated," he says.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News