Microsoft Disrupts ‘Nitol’ Botnet in Piracy Sweep – Krebs on Security

Microsoft said Thursday that it convinced a U.S. federal court to grant it control over a botnet believed to be closely linked to counterfeit versions of Windows that were sold in various computer stores across China. The legal victory also highlights a Chinese Internet service that experts say has long been associated with targeted, espionage attacks against U.S. and European corporations.

Microsoft said it sought to disrupt a counterfeit supply-chain operation that sold knockoff versions of Windows PCs that came pre-loaded with a strain of malware called “Nitol,” which lets attackers control the systems from afar for a variety of nefarious purposes.

In legal filings unsealed Thursday by the U.S. District Court for the Eastern District of Virginia, Microsoft described how its researchers purchased computers from various cities in China, and found that approximately 20 percent of them were already infected with Nitol.

It’s not clear precisely how many systems are infected with Nitol, but it does not appear to be a particularly major threat. Microsoft told the court that it had detected nearly 4,000 instances of Windows computers infected with some version of the malware, but that this number likely represented “only a subset of the number of infected computers.” The company said the majority of Nitol infections and Internet servers used to control the botnet were centered around China, although several U.S. states — including California, New York and Pennsylvania — were home to significant numbers of compromised hosts.

Dubbed “Operation b70” by Microsoft, the courtroom maneuvers are the latest in a series of legal stealth attacks that the software giant has executed against large-scale cybercrime operations. Previous targets included the Waledac, Rustock, Kelihos and ZeuS botnets.

The core target of this takedown was, a Chinese “dynamic DNS” (DDNS) provider. DDNS providers typically offer free services that allow millions of legitimate users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because dynamic DNS services can be used to easily map the domain name to the user’s new Internet address whenever it happens to change.

Unfortunately, these dynamic DNS providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers manage to track the attacking IP address and convince the ISP responsible for that address to disconnect the miscreant. In such cases, dynamic DNS allows the owner of the attacking domain to simply re-route the attack site to another Internet address that he controls.

Microsoft told the court it found “a staggering 500 different strains of malware hosted on more than 70,000 subdomains” at The court granted Microsoft temporary control over the name servers for that domain. While is owned by a Chinese firm, the dot-org registry is controlled by the Public Interest Registry, a company based in Reston, Va.

Although Microsoft did not explicitly address this in its filing, experts say has long been associated with malware used in highly targeted attacks aimed at stealing corporate and government secrets from U.S. and other Western firms.

“The vast majority of the interactions with the hostnames for those outside of Asia — particularly those in the United States are malicious,” said Steven Adair, a security expert with, a nonprofit that helps ISPs track malware attacks. “While not quite as prevalent now, the domain has been a hot spot for malware used to conduct cyber espionage for several years now. We can already tell this move has had an impact on cyber crime operations.”

But it is not clear how effective this action will be at blocking that activity, or more than temporarily disrupting Nitol’s operations.

Joe Stewart, director of malware research for Dell SecureWorks, posted a message to this morning noting that only 57 percent of the subdomains he’s been tracking as related to targeted, espionage-type attack activity were disrupted by Microsoft’s action.

Part of the problem may be that much of the malware calling home to has instructions built into its genetic makeup to seek out commands and updates from many other dynamic DNS providers not impacted by the court order, said Gunter Ollmann, vice president of research at security firm Damballa.

“What we’ve seen is that we’re currently tracking about 70 different botnets that had command and control domain names within 3322,” Ollmann said. “But all of those have secondary domain name [controllers] outside of”
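The two points above, that malware leans on dynamic DNS to survive takedowns and that the bots Ollmann describes keep fallback controllers at other DDNS providers, both suggest a defender-side check: watch DNS query logs for hosts that resolve names under several dynamic DNS zones. The script below is an added example, not code from the article or from any of the firms quoted in it. The DDNS zone names and the log lines are constructed placeholders, and the BIND-style query log format is an assumption; an organisation would substitute its own watch list and log source.

```python
import re
from collections import defaultdict

# Constructed watch list of dynamic DNS parent zones. These are placeholder
# names, not taken from the article; replace them with the DDNS zones you
# actually want to monitor.
DDNS_ZONES = {
    "ddns-provider-a.example",
    "ddns-provider-b.example",
    "ddns-provider-c.example",
}

# Constructed sample DNS query log. The "client#port: query: NAME IN TYPE"
# layout is assumed to resemble a BIND query log; adjust LINE_RE for yours.
SAMPLE_LOG = """\
10.0.0.5#51234: query: update.ddns-provider-a.example IN A +
10.0.0.5#51235: query: www.corp.example IN A +
10.0.0.5#51236: query: cdn.ddns-provider-b.example IN A +
10.0.0.5#51237: query: svc.ddns-provider-c.example IN A +
10.0.0.9#40001: query: home.ddns-provider-a.example IN A +
10.0.0.9#40002: query: mail.corp.example IN MX +
"""

LINE_RE = re.compile(
    r"^(?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def ddns_parent(qname, zones=DDNS_ZONES):
    """Return the monitored DDNS zone that qname is a subdomain of, or None.

    Walks the name from the left so 'a.b.zone.example' still matches
    'zone.example'. A query for the bare zone itself is not flagged.
    """
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones and candidate != name:
            return candidate
    return None


def parse_log(text):
    """Yield (client, qname) pairs for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("client"), m.group("qname")


def ddns_activity(text, zones=DDNS_ZONES):
    """Map client -> {ddns_zone: set of subdomains queried under that zone}."""
    activity = defaultdict(lambda: defaultdict(set))
    for client, qname in parse_log(text):
        zone = ddns_parent(qname, zones)
        if zone:
            activity[client][zone].add(qname.rstrip(".").lower())
    return activity


def flag_clients(text, zones=DDNS_ZONES, min_zones=2):
    """Return clients querying subdomains under at least min_zones distinct
    DDNS zones, sorted.

    A single DDNS lookup is common and benign; one host touching several
    providers in a short window is the fallback-controller shape worth
    triaging, since a takedown of one zone would not silence it.
    """
    activity = ddns_activity(text, zones)
    return sorted(c for c, seen in activity.items() if len(seen) >= min_zones)


if __name__ == "__main__":
    for client in flag_clients(SAMPLE_LOG):
        zones_seen = ddns_activity(SAMPLE_LOG)[client]
        print(client, {z: sorted(s) for z, s in zones_seen.items()})
```

On the constructed log, 10.0.0.5 is reported because it resolved names under three different DDNS zones, while 10.0.0.9 stays quiet with a single lookup. The threshold is deliberately a parameter: a corporate network with legitimate remote-access users will want a higher `min_zones` or a time window added to `ddns_activity` before turning this into an alert.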

Potentially complicating matters further, now appears to be instructing affected users on how to get around having their sites redirected to Microsoft’s servers.

Microsoft has made the legal documents related to this case freely available from
