Microsoft Drops Suit Against Nitol Botnet Operator In Exchange for Cooperation

Microsoft Settles with Operators in Nitol Botnet Case

Two weeks ago, Microsoft won a court victory, granting it control over the domain. The domain’s owner Peng Yong and his company, Changzhou Bei Te Kang Mu Software Technology Co., have settled with Microsoft, and in exchange for his help, Microsoft has agreed to drop its lawsuit.

Codenamed Operation b70, Nitol was discovered after Microsoft started looking into insecure supply chains. By gaining control over the domain, the software giant was able to command and disable some 70,000 malicious sub-domains.

Research showed that Nitol had been operating from the malicious domain since 2008, and on digging further, Microsoft found that the 70,000 malicious sub-domains on that domain hosted more than 500 different strains of malware.

Included in the malware variants were Trojans (backdoors), spy tools (able to steal data and activate microphones and cameras), and basic keylogging kits. On its own, Nitol is a DDoS bot, which according to security experts is a minor threat in the grand scheme of things. However, Microsoft was going for gold and wanted Nitol, as well as all of the other malicious sub-domains, shut down.

In exchange for dropping the suit, Peng Yong and his company will work with China’s CERT and resume providing authoritative name services for the domain, so long as doing so remains consistent with the terms of the settlement agreement.

The cooperation agreement also says that Yong will:

• Block all connections to any of the sub-domains identified in a “block-list,” by directing them to a sinkhole computer, which is designated and managed by CN-CERT.

• Add sub-domains to the block-list as new sub-domains associated with malware are identified by Microsoft and CN-CERT.

• Cooperate, to the extent necessary, in all reasonable and appropriate steps to identify the owners of infected computers in China and assist those individuals in removing malware infection from their computers.
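The three obligations above describe a block-list-driven DNS sinkhole: queries for listed sub-domains (and anything beneath them) are answered with the sinkhole address, everything else in the zone keeps getting its legitimate records, and the sinkhole logs become the source of the "connections blocked" and "unique IP addresses" figures quoted later in the article. The following Python sketch, added here as an illustration and not code from Microsoft, CN-CERT or the registrar, models that policy. The zone name `example.org`, the RFC 5737 addresses, the block-list entries and the query log are all constructed for the example; the real domain and sinkhole are not reproduced.

```python
from collections import defaultdict

# Constructed placeholder for the CN-CERT-managed sinkhole host (RFC 5737 range).
SINKHOLE_IP = "192.0.2.1"


def _norm(name):
    """Canonicalise a DNS name: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


class SinkholePolicy:
    """Block-list sinkhole for one authoritative zone.

    Listed names and every label beneath them are answered with the sinkhole
    address; the zone apex and unlisted names are served from legitimate data.
    """

    def __init__(self, zone, blocklist, sinkhole_ip=SINKHOLE_IP):
        self.zone = _norm(zone)
        self.blocklist = {_norm(n) for n in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.blocked_count = 0                      # total sinkholed lookups
        self.blocked_clients = defaultdict(set)     # listed name -> client IPs seen

    def add_to_blocklist(self, name):
        """Obligation 2: CERTs add newly identified sub-domains over time."""
        self.blocklist.add(_norm(name))

    def blocked_entry_for(self, qname):
        """Return the block-list entry covering qname, or None.

        Walks from the full name up towards the zone apex so that
        'update.bad1.example.org' is caught by an entry for 'bad1.example.org'.
        """
        qname = _norm(qname)
        if qname != self.zone and not qname.endswith("." + self.zone):
            return None                             # outside the zone we serve
        labels = qname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == self.zone:              # apex itself is never sinkholed
                break
            if candidate in self.blocklist:
                return candidate
        return None

    def resolve(self, qname, client_ip, upstream):
        """Obligation 1: answer listed names with the sinkhole, else defer to
        the legitimate authoritative data (upstream: name -> IP or None)."""
        entry = self.blocked_entry_for(qname)
        if entry is not None:
            self.blocked_count += 1
            self.blocked_clients[entry].add(client_ip)
            return self.sinkhole_ip
        return upstream(qname)

    def summary(self):
        """Figures of the kind quoted by Microsoft: total blocked connections
        and distinct client addresses, the latter being the victim population
        that obligation 3 (notification and clean-up) would be driven from."""
        unique = set().union(*self.blocked_clients.values()) if self.blocked_clients else set()
        return {"blocked_connections": self.blocked_count,
                "unique_client_ips": len(unique)}


# Constructed legitimate zone data for the placeholder zone.
LEGIT_RECORDS = {"www.example.org": "198.51.100.10",
                 "mail.example.org": "198.51.100.20"}


def legit_lookup(qname):
    return LEGIT_RECORDS.get(_norm(qname))          # None models NXDOMAIN


# Constructed query log: (client IP, queried name).
SAMPLE_LOG = [
    ("203.0.113.5", "bad1.example.org"),
    ("203.0.113.5", "www.example.org"),
    ("203.0.113.6", "update.bad1.example.org"),     # nested under a listed name
    ("203.0.113.7", "C2.EXAMPLE.ORG."),             # case and trailing dot
    ("203.0.113.5", "c2.example.org"),              # repeat client, counted once
    ("203.0.113.8", "mail.example.org"),
    ("203.0.113.9", "other.net"),                   # not our zone at all
]


def build_demo_policy():
    return SinkholePolicy("example.org", ["bad1.example.org", "c2.example.org"])


def replay(policy, log):
    """Feed a query log through the policy; returns the list of answers."""
    return [policy.resolve(q, ip, legit_lookup) for ip, q in log]


if __name__ == "__main__":
    policy = build_demo_policy()
    for (ip, q), answer in zip(SAMPLE_LOG, replay(policy, SAMPLE_LOG)):
        print(f"{ip:14} {q:28} -> {answer}")
    print(policy.summary())
```

Two design points matter in practice: matching must cover names beneath a listed entry, or the operator simply moves one label deeper, and the block-list must be mutable at runtime so additions from the CERTs take effect without reloading the zone. The per-entry client sets are what turn raw sinkhole hits into a victim list for notification.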

“…in the 16 days since we began collecting data on the 70,000 malicious sub-domains, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious sub-domains. In addition to blocking connections to the malicious domains, we have continued to provide DNS services for the unblocked sub-domains,” Richard Domingues Boscovich, Assistant General Counsel for Microsoft’s Digital Crimes Unit, said in a blog post.

“Also, Microsoft initiated data sharing with more than 40 impacted countries through their respective Computer Emergency Response Teams (CERTs) to accelerate victim clean-up efforts. To keep the momentum in notifying and cleaning victims’ computers ongoing, notification efforts being coordinated between Peng Yong and CN-CERT began on Sept. 26. Similar efforts have already helped to drastically reduce the global infection of the Waledac, Rustock, Kelihos and Zeus botnets.”

Court documents are available here
