News

Microsoft disrupts Nitol botnet, outs hidden PC malware

Robert Westervelt

Microsoft has disrupted the Nitol botnet, gaining control of more than 500 different malware variants that the software giant says were being secretly embedded in counterfeit Windows software being distributed at weak points in the supply chain.



The U.S. District Court for the Eastern District of Virginia granted Microsoft the right to disrupt the Nitol botnet by taking control of the 3322.org domain and more than 70,000 subdomains that host the malware. The domain, Microsoft said, had been active since 2008.

The botnet takedown was Microsoft's second such action in six months. In March, it disrupted part of the Zeus botnet, sinkholing the seized Zeus IP addresses and identifying the locations of hundreds of thousands of computers infected with Zeus malware.

Action against the Nitol botnet stemmed from a Microsoft study of insecure supply chains. According to the court documents Microsoft filed, the research took place in August 2011: forensic investigators purchased 20 PCs in China and, after analyzing them, found that retailers were selling computers loaded with counterfeit versions of Windows embedded with hidden malware. Microsoft said 20% of the PCs the researchers bought on the black market (four of the 20) were infected with malware.

"The study confirmed that cybercriminals preload malware infected counterfeit software onto computers that are offered for sale to innocent people," wrote Richard Domingues Boscovich, a senior attorney in the Microsoft Digital Crimes Unit. "The malware was capable of spreading like an infectious disease through devices like USB flash drives, potentially causing the victim’s family, friends and co-workers to become infected with malware when simply sharing computer files."

Controlled PCs in Virginia
More than 4,000 Windows machines were found infected with the Nitol malware, including several PCs in Fairfax, Va. The malware included rootkits that ran as background processes and opened a concealed communication channel; remote-access Trojans that gave the cybercriminal virtually complete control of the infected machine; and keylogging Trojans that recorded keystrokes. The Nitol complaint alleges many of the same violations as the cases Microsoft brought against the operators of the Waledac, Rustock and Kelihos botnets, the company said.

Microsoft named Peng Yong and other, as-yet-unidentified defendants and was granted a restraining order that lets the software maker serve the 3322.org zone from its own DNS infrastructure. Because every infected machine resolves the domain through Microsoft's name servers, the company can then block communication between the infected machines and the botnet's command-and-control servers.
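How that sinkhole works in practice, as an added example that is not Microsoft's or the court-appointed operator's code: once the authoritative DNS for a seized zone is under the operator's control, every query for the zone apex or any label beneath it is answered with a sinkhole address instead of the real command-and-control host, and the querying source address is recorded, which is how a sinkhole operator counts and locates infected machines (the approach the article describes for Zeus). The zone name 3322.org is taken from the article; the sinkhole address, the "upstream" answer, the query log and the host names in it are constructed for the example. Note the label-boundary check: a naive suffix or substring match would also swallow names such as evil3322.org or 3322.org.example.com, which the seizure order does not cover.

```python
"""Minimal DNS sinkhole logic for a seized zone (example code, not the real tooling)."""
from collections import defaultdict
from dataclasses import dataclass, field

SEIZED_ZONES = ("3322.org",)   # zone named in the article; taken over under the court order
SINKHOLE_ADDR = "192.0.2.1"    # constructed: TEST-NET address standing in for the sinkhole
UPSTREAM_ADDR = "198.51.100.7" # constructed: what a normal lookup would return for other names


def normalize(qname: str) -> str:
    """Lowercase and drop the trailing dot so 'Update.3322.ORG.' == 'update.3322.org'."""
    return qname.rstrip(".").lower()


def in_seized_zone(qname: str, zones=SEIZED_ZONES) -> bool:
    """True if qname is a seized zone apex or any name beneath it.

    Matching is done on label boundaries: 'a.b.3322.org' is sinkholed,
    'evil3322.org' and '3322.org.example.com' are not.
    """
    name = normalize(qname)
    for zone in zones:
        zone = normalize(zone)
        if name == zone or name.endswith("." + zone):
            return True
    return False


@dataclass
class Sinkhole:
    # qname -> set of source addresses that asked for it
    hits: dict = field(default_factory=lambda: defaultdict(set))
    # every source address that ever asked for a seized name
    victims: set = field(default_factory=set)

    def resolve(self, qname: str, src_ip: str) -> str:
        """Answer a query: sinkhole seized names and log the asker, else pass through."""
        if in_seized_zone(qname):
            self.hits[normalize(qname)].add(src_ip)
            self.victims.add(src_ip)
            return SINKHOLE_ADDR
        return UPSTREAM_ADDR  # a real resolver would do an ordinary lookup here

    def report(self) -> dict:
        """Seized names queried, with the sorted list of source addresses for each."""
        return {name: sorted(ips) for name, ips in sorted(self.hits.items())}


# Constructed query log: (source address, queried name). Mixed case and a trailing
# dot are deliberate, as are the two look-alike names that must NOT be sinkholed.
CONSTRUCTED_QUERIES = [
    ("203.0.113.10", "update.3322.org."),
    ("203.0.113.10", "host1.update.3322.org"),
    ("203.0.113.11", "HOST1.UPDATE.3322.ORG"),
    ("203.0.113.12", "evil3322.org"),
    ("203.0.113.13", "3322.org.example.com"),
    ("203.0.113.14", "3322.org"),
]


def run_sample():
    """Feed the constructed log through a fresh sinkhole; return it and the answers given."""
    sh = Sinkhole()
    answers = [(src, q, sh.resolve(q, src)) for src, q in CONSTRUCTED_QUERIES]
    return sh, answers


if __name__ == "__main__":
    sinkhole, answers = run_sample()
    for src, q, addr in answers:
        print(f"{src:14} {q:28} -> {addr}")
    print("infected hosts seen:", sorted(sinkhole.victims))
    print("per-name report:", sinkhole.report())
```

Three of the six constructed sources are recorded as infected; the two look-alike names fall through to the normal upstream answer. In a deployment the `hits` table would be keyed by time as well and exported to the parties (ISPs, CERTs) that notify the owners of the infected machines.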

"This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322.org domain, and will help rescue people’s computers from the control of this malware," Boscovich said.