Microsoft Takes Aim At Nitol Botnet


A gap in security from within the PC supply chain has led Microsoft to take action against a botnet known as Nitol. The Redmond, Washington-based software vendor has also been given court authority to assume control of the 3322.org domain and approximately 70,000 subdomains that are believed to be hosting the attacks.

It is believed that the malware was loaded, from some undetermined point in the supply chain, onto brand-new PCs produced in China, which were then distributed across the globe in an already-infected state. The same machines also appear to be running counterfeit versions of Windows.

Most of the infections have been found in China, but approximately 10 percent of the devices are believed to have been shipped to the United States. Most of the command-and-control servers are believed to be located in China.

"What’s especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point as a computer travels among companies that transport and resell the computer," said Microsoft Assistant General Counsel Richard Domingues Boscovich in a published blog. "So how can someone know if they’re buying from an unsecure supply chain? One sign is a deal that appears too good to be true. However, sometimes people just can’t tell, making the exploitation of a broken supply chain an especially dangerous vehicle for infecting people with malware."

The malware is believed to enable a wide range of malicious activity, including denial-of-service attacks, rootkits, keyloggers and backdoors, leveraging 500 strains of malware.

"Microsoft took action against the Nitol botnet as part of our Project MARS (Microsoft Active Response for Security) Program commitment to proactively eliminate malware threats that target our customers and cloud-based services," the blog continued. "We filed suit in the U.S. District Court for the Eastern District of Virginia alleging many of the same violations committed by the operators of the Waledac, Rustock and Kelihos botnets."

The investigation has been underway for approximately one year, beginning after malware was found on a series of computers manufactured in several locations in China. It is further believed that the attack was spread through USB drives.

The initiative, known as "Operation b70," represents Microsoft's second move against a botnet this year. The previous attempt was aimed at the Zeus botnet in March.

PUBLISHED SEPT. 13, 2012