Microsoft said Thursday that it convinced a U.S. federal court to grant it control over a botnet believed to be closely linked to counterfeit versions of Windows that were sold in various computer stores across China. The legal victory also highlights a Chinese Internet service that experts say has long been associated with targeted espionage attacks against U.S. and European corporations.
Microsoft said it sought to disrupt a counterfeit supply-chain operation that sold PCs running knockoff versions of Windows that came pre-loaded with a strain of malware called “Nitol,” which lets attackers control the systems from afar for a variety of nefarious purposes.
In legal filings unsealed Thursday by the U.S. District Court for the Eastern District of Virginia, Microsoft described how its researchers purchased computers from various cities in China, and found that approximately 20 percent of them were already infected with Nitol.
It’s not clear precisely how many systems are infected with Nitol, but it does not appear to be a particularly major threat. Microsoft told the court that it had detected nearly 4,000 instances of Windows computers infected with some version of the malware, but that this number likely represented “only a subset of the number of infected computers.” The company said the majority of Nitol infections and Internet servers used to control the botnet were centered around China, although several U.S. states — including California, New York and Pennsylvania — were home to significant numbers of compromised hosts.
Dubbed “Operation b70” by Microsoft, the courtroom maneuvers are the latest in a series of legal stealth attacks that the software giant has executed against large-scale cybercrime operations. Previous targets included the Waledac, Rustock, Kelihos and ZeuS botnets.
The core target of this takedown was 3322.org, a Chinese “dynamic DNS” (DDNS) provider. DDNS providers typically offer free services that allow millions of legitimate users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because a dynamic DNS service can re-map the domain name to the user’s new Internet address whenever it happens to change.
Unfortunately, these dynamic DNS providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers manage to track the attacking IP address and convince the ISP responsible for that address to disconnect the miscreant. In such cases, dynamic DNS allows the owner of the attacking domain to simply re-route the attack site to another Internet address that he controls.
Microsoft told the court it found “a staggering 500 different strains of malware hosted on more than 70,000 subdomains” at 3322.org. The court granted Microsoft temporary control over the name servers for that domain. While 3322.org is owned by a Chinese firm, the dot-org registry is controlled by the Public Interest Registry, a company based in Reston, Va.
Although Microsoft did not explicitly address this in its filing, experts say 3322.org has long been associated with malware used in highly targeted attacks aimed at stealing corporate and government secrets from U.S. and other Western firms.
“The vast majority of the interactions with the 3322.org hostnames for those outside of Asia — particularly those in the United States — are malicious,” said Steven Adair, a security expert with Shadowserver.org, a nonprofit that helps ISPs track malware attacks. “While not quite as prevalent now, the 3322.org domain has been a hot spot for malware used to conduct cyber espionage for several years now. We can already tell this move has had an impact on cyber crime operations.”
But it is not clear how effective this action will be at blocking that activity, or more than temporarily disrupting Nitol’s operations.
Joe Stewart, director of malware research for Dell SecureWorks, posted a message to Twitter.com this morning noting that only 57 percent of the subdomains he’s been tracking as related to targeted, espionage-type attack activity were disrupted by Microsoft’s action.
Part of the problem may be that much of the malware calling home to 3322.org has instructions built into its genetic makeup to seek out commands and updates from many other dynamic DNS providers not impacted by the court order, said Gunter Ollmann, vice president of research at security firm Damballa.
“What we’ve seen is that we’re currently tracking about 70 different botnets that had command and control domain names within 3322,” Ollmann said. “But all of those have secondary domain name [controllers] outside of 3322.org.”
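To make the dynamic-DNS point above concrete from the defender's side, the following Python script (an added example, not from the article, Microsoft or any of the researchers quoted) triages constructed resolver log lines for clients that resolve hosts under 3322.org, and under a second placeholder DDNS zone standing in for the secondary controllers Ollmann describes. The log format, the sample lines and the placeholder zone are all assumptions.

```python
from collections import defaultdict
from typing import Dict, Optional, Set

# Dynamic-DNS zones to watch. 3322.org is the zone named in the article; the second
# entry is a constructed placeholder for a "secondary" DDNS provider (assumption).
WATCHED_ZONES = {"3322.org", "example-ddns.invalid"}

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <qtype> <answer>".
SAMPLE_LOG = """\
2012-09-13T08:00:01Z 10.0.0.5 update.microsoft.com A 65.55.1.1
2012-09-13T08:00:02Z 10.0.0.7 abc123.3322.org A 203.0.113.9
2012-09-13T08:00:03Z 10.0.0.7 abc123.3322.org A 203.0.113.9
2012-09-13T08:00:04Z 10.0.0.7 xyz.abc123.3322.org A 203.0.113.10
2012-09-13T08:00:05Z 10.0.0.9 my3322.org A 198.51.100.4
2012-09-13T08:00:06Z 10.0.0.7 c2.example-ddns.invalid A 198.51.100.7
"""

def watched_zone(qname: str) -> Optional[str]:
    """Return the watched zone that qname sits under, matching on label boundaries
    so that a look-alike such as 'my3322.org' is not counted as a 3322.org host."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHED_ZONES:
            return candidate
    return None

def triage(log_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Map client IP -> watched zone -> distinct hostnames queried under that zone."""
    hits: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:          # tolerate blank or truncated lines
            continue
        client, qname = parts[1], parts[2]
        zone = watched_zone(qname)
        if zone is not None:
            hits[client][zone].add(qname.lower().rstrip("."))
    return {client: dict(zones) for client, zones in hits.items()}

def rank_clients(hits):
    """Order clients by zones touched, then distinct hostnames, both descending.
    A client reaching more than one DDNS zone fits the fallback-controller pattern."""
    rows = [(client, len(zones), sum(len(h) for h in zones.values()))
            for client, zones in hits.items()]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

if __name__ == "__main__":
    for client, zone_count, host_count in rank_clients(triage(SAMPLE_LOG)):
        print(f"{client}: {zone_count} watched zone(s), {host_count} distinct host(s)")
```

Because the sinkhole only answers for the zone the court order covers, a client that keeps resolving hosts in other DDNS zones after 3322.org is redirected is the case worth investigating first.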
Potentially complicating matters further, 3322.org now appears to be instructing affected users on how to get around having their sites redirected to Microsoft’s servers.
Microsoft has made the legal documents related to this case freely available from noticeofpleadings.com.