Security Experts:

Microsoft Drops Suit Against Nitol Botnet Operator In Exchange for Cooperation

Microsoft Settles with 3322.org Operators in Nitol Botnet Case

Two weeks ago, Microsoft won a court victory, granting it control over the 3322.org domain. The domain’s owner Peng Yong and his company, Changzhou Bei Te Kang Mu Software Technology Co., have settled with Microsoft, and in exchange for his help, Microsoft has agreed to drop its lawsuit.

Codenamed Operation b70, Nitol was discovered after Microsoft started looking into insecure supply chains. By gaining control over the 3322.org domain, the software giant was to command and disable some 70,000 malicious sub-domains.

Research showed that Nitol has been operating on a malicious domain since 2008, and when digging further, they discovered that of the 70,000 malicious sub-domains on 3322.org, there were more than 500 different strains of malware.

Included in the malware variants were Trojans (backdoors), spy tools (able to steal data and activate microphones and cameras), and basic keylogging kits. On its own, Nitol is a DDoS bot, which according to security experts is a minor threat in the grand scheme of things. However, Microsoft was going for gold and wanted Nitol, as well as all of the other malicious domains, shutdown. 

In exchange for dropping the suit, Peng Yong and his company will work with China’s CERT and resume providing authoritative name services for 3322.org; so long as it remains consistent with the terms of the settle agreement.

In addition, the cooperation agreement also says that Yong will:

• Block all connections to any of the sub-domains identified in a “block-list,” by directing them to a sinkhole computer, which is designated and managed by CN-CERT.

• Add sub-domains to the block-list, as new 3322.org sub-domains associated with malware are identified by Microsoft and CN-CERT.

• Cooperate, to the extent necessary, in all reasonable and appropriate steps to identify the owners of infected computers in China and assist those individuals in removing malware infection from their computers.

“...in the 16 days since we began collecting data on the 70,000 malicious sub-domains, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious 3322.org sub-domains. In addition to blocking connections to the malicious domains, we have continued to provide DNS services for the unblocked 3322.org sub-domains,” Richard Domingues Boscovich, Assistant General Counsel for Microsoft's Digital Crimes Unit, said in a blog post.

“Also, Microsoft initiated data sharing with more than 40 impacted countries through their respective Computer Emergency Response Teams (CERTs) to accelerate victim clean-up efforts. To keep the momentum in notifying and cleaning victims’ computers ongoing, notification efforts being coordinated between Peng Yong and CN-CERT began on Sept. 26. Similar efforts have already helped to drastically reduce the global infection of the Waledac, Rustock, Kelihos and Zeus botnets.”

Court documents are available here

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.