September 18, 2014

Microsoft reaches settlement with domain operator linked to the Nitol botnet

(LiveHacking.Com) – Microsoft has reached a legal settlement with the hosting company that operated 3322.org, a domain linked to the Nitol botnet. The deal, reached with Peng Yong and his company Changzhou Bei Te Kang Mu Software Technology, is the result of an investigation Microsoft conducted into counterfeit Windows PCs made in China.

Microsoft discovered that consumers in China were buying cheap counterfeit Windows-based PCs that came with malware pre-installed. The malware, known as Nitol, was used to run distributed denial of service (DDoS) attacks as well as to install backdoors on the PCs. The domain 3322.org was part of the infrastructure supporting the botnet. Microsoft subsequently started legal action to take control of the roughly 70,000 malicious subdomains hosted on 3322.org.

The investigation revealed that the malware was not being pre-installed on computers in the factory. Instead, the cybercriminals had disreputable distributors or resellers load the malware-infected counterfeit software onto the computers before final delivery to the customer.

Now, Peng Yong has agreed to work with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to stop any further misuse of servers in his company. Any future blacklisted domains will be moved into a sinkhole that has been established by CN-CERT. Yong is also required to fix the systems of anyone affected by the botnet. Microsoft has already started to contact the Nitol victims with the help of the Shadowserver Foundation.
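Sinkholing works by answering lookups for blacklisted domains with an address the defenders control, and then counting who asks. The script below is an added illustration of that matching step, not code from the article, Microsoft or CN-CERT: it reads constructed DNS query log lines, decides whether each queried name falls under a sinkholed zone (3322.org, the domain the article names), and tallies blocked queries and unique client addresses. The log line format, the placeholder sinkhole address and the helper names are assumptions; the zone match is label-aligned so that a look-alike such as not3322.org is not swept up.

```python
"""Flag DNS queries for names under a sinkholed parent zone.

Added example, not part of the LiveHacking.com article or of any
takedown tooling. The log format and sinkhole address are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Zone the article says was taken over and placed in a sinkhole.
SINKHOLED_ZONES = {"3322.org"}

# Assumed: the address a sinkhole resolver answers with instead of the
# attacker's real server. 192.0.2.1 is a documentation (TEST-NET-1) address.
SINKHOLE_IP = "192.0.2.1"


@dataclass(frozen=True)
class Query:
    client: str
    qname: str


def parse_line(line: str) -> Optional[Query]:
    """Parse a constructed '<client-ip> <queried-name>' log line.

    Returns None for lines that do not have exactly two fields so that a
    malformed record never becomes a false match.
    """
    parts = line.split()
    if len(parts) != 2:
        return None
    client, qname = parts
    # Normalise: drop a trailing root dot and ignore case, as DNS does.
    return Query(client, qname.rstrip(".").lower())


def is_under_zone(qname: str, zone: str) -> bool:
    """True for the zone apex and any subdomain, matched on label boundaries.

    A plain endswith(zone) would also match 'not3322.org'; requiring the
    separating dot prevents that.
    """
    return qname == zone or qname.endswith("." + zone)


def sinkhole_answer(qname: str) -> Optional[str]:
    """Return the sinkhole address for a blacklisted name, else None."""
    for zone in SINKHOLED_ZONES:
        if is_under_zone(qname, zone):
            return SINKHOLE_IP
    return None


def summarize(lines: Iterable[str]) -> tuple[int, set[str]]:
    """Count sinkholed queries and collect the unique clients that made them."""
    blocked = 0
    clients: set[str] = set()
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        if sinkhole_answer(q.qname) is not None:
            blocked += 1
            clients.add(q.client)
    return blocked, clients


# Constructed sample log; the client addresses are documentation ranges.
SAMPLE_LOG = [
    "198.51.100.7 bot1.3322.org.",          # subdomain, trailing root dot
    "198.51.100.7 update.bot1.3322.org",    # deeper subdomain
    "203.0.113.9 www.example.com",          # unrelated, not matched
    "203.0.113.9 3322.ORG",                 # zone apex, mixed case
    "203.0.113.10 not3322.org",             # look-alike, must not match
    "malformed line with extra fields",     # skipped by the parser
]

if __name__ == "__main__":
    blocked, clients = summarize(SAMPLE_LOG)
    print(f"{blocked} queries sinkholed from {len(clients)} unique clients")
```

On the sample log this reports 3 sinkholed queries from 2 unique clients; the look-alike and the malformed line are left alone.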

Since taking control of 3322.org just over two weeks ago, Microsoft has been able to block more than 609 million connections from over 7,650,000 unique IP addresses.

“Fighting botnets will always be a complex and difficult endeavor as cybercriminals find new and creative ways to infect peoples’ computers with malware, whether for financial gain or other nefarious purposes. However, those working to combat cybercrime continue to make progress, and Microsoft remains committed to protecting its customers and services and to making it difficult for cybercriminals to take advantage of innocent people for their dirty work,” wrote assistant general counsel for Microsoft Digital Crimes Unit Richard Domingues Boscovich.

In brief: Microsoft disrupts Nitol botnet

(LiveHacking.Com) – Microsoft has revealed that the U.S. District Court for the Eastern District of Virginia granted Microsoft's Digital Crimes Unit permission to disrupt more than 500 different strains of malware. 'Operation b70' significantly limited the spread of the emerging Nitol botnet. It was Microsoft's second botnet disruption in the last six months.

According to Brian Krebs, the core target of this takedown was 3322.org, a Chinese "dynamic DNS" (DDNS) provider. DDNS providers typically offer free services that allow millions of legitimate users to have web sites hosted on servers whose Internet addresses change frequently. This type of service is useful for people who want to host a web site on a home Internet connection whose address may change from time to time, because the dynamic DNS service re-maps the domain name to the user's new address whenever it changes.

“Microsoft is fully committed to protecting consumers by combating the distribution of counterfeit software and working closely with governments, law enforcement and other industry members in these efforts. Our disruption of the Nitol botnet further demonstrates our resolve to take all necessary steps to protect our customers and discourage criminals from defrauding them into using malware infected counterfeit software,” said Microsoft in a statement.