Microsoft disrupts botnet malware that was preinstalled on new PCs

By on September 13, 2012, 2:00 PM

Microsoft has disrupted an emerging botnet along with more than 500 strains of malware after taking control of a malicious .org domain this week. Last August, Microsoft learned that many systems sold in China were preloaded with malware, including strains linked to Nitol, a botnet the company had been investigating.

Microsoft's Digital Crimes Unit (DCU) purchased 20 computers (split between laptops and desktops) from several sources in China. One of the systems contained Nitol malware, while three others had different infections. Microsoft determined that the computers were infected via counterfeit versions of Windows laced with malware, presumably installed by cybercriminals at unsecure points throughout the supply chain.

Of the four compromised PCs, only the Nitol-containing system attempted to contact a command and control server, so that's where DCU focused its efforts. The group gathered all sorts of technical information on Nitol, a summary of which you can read here (PDF). The most important detail is that Microsoft tracked the botnet to the domain 3322.org, which also turned out to be a haven for other forms of malware.

"In addition to hosting b70, 3322.org contained a staggering 500 different strains of malware hosted on more than 70,000 sub-domains," assistant general counsel of Microsoft's Digital Crimes Unit Richard Domingues Boscovich said. The malware included variants that could remotely enable a computer's microphone and webcam, record a user's keystrokes, participate in distributed denial-of-service (DDoS) attacks and more.

Senior manager David Anselmi pictured in the DCU labs (credit: AP/Elaine Thompson)

On September 10, Microsoft obtained a US court order to seize 3322.org along with an ex parte temporary restraining order against its registered owner, Peng Yong, as well as his company and other John Does. In doing so, Microsoft has been able to block the operation of Nitol along with the 70,000 malicious subdomains. It's unclear how many innocent users are involved, but Microsoft says over 37 million malware connections have been blocked from 3322.org since the company gained control of the domain.

This marks Microsoft's second botnet takedown in six months and the fourth in less than three years. In February 2010, the company aided security experts and law enforcement with disabling Waledac, one of the 10 largest botnets in the US at the time. Microsoft claimed another scalp last March when it tackled Rustock, a botnet that had been composed of more than a million infected machines worldwide. The company helped shut down the 41,000-strong Kelihos botnet last September, and in March of this year, Microsoft sued 39 individuals involved with the operation of Zeus, malware suspected of infecting over 13 million PCs.


User Comments: 5

Zeromus said:

Yay, hope they keep up the good work.

EEatGDL said:

Wow, I didn't know they have that. Pretty much appreciated they invest money on that.

Trillionsin said:

Is that a razor keyboard? lol

SalaSSin said:

Is that a razor keyboard? lol

If you're talking about the closest: nope, that's a MS Sidewinder X6.

The one in the back looks like a MS Wired 600.

PinothyJ said:

Innocent users? This is akin to calling someone who runs out of gas unlucky.

Computers are very dangerous things: if you do not know how to use one then you should learn...
