Blog
Rahul Thadani

Microsoft disrupts major botnet by blocking malicious domain

September 18, 2012
3
Estimated reading time: 2 minutes

Microsoft recently won a court order to host “3322.org”, a nefarious Internet domain based in China, with its own dynamic DNS. The malicious domain hosts around 70,000 malicious subdomains and generates close to 500 different strains of malware that are distributed via counterfeit software. One of the most infamous botnets to originate from this source was ‘Nitol’ and now Microsoft completely intercepts and blocks all malicious activity from this source.

Nitol commonly used fake software distribution channels (especially for Windows) to spread different strains of malware and this is what led Microsoft to take action against the 3322.org domain. The legal operation (Operation b70) was granted credence by the “U.S. District Court for the Eastern District of Virginia” who then allowed the ‘Microsoft Digital Crimes Unit’ to take over the malicious domain. Microsoft had initially carried out a study about insecure supply chains that led to distribution of counterfeit software infected with malware and this is what led to the discovery of this malicious domain that is hosted in China.

This is Microsoft’s second botnet takedown in the last 6 months and it is a noteworthy attempt by them to protect innocent victims. These victims are commonly afflicted by fake software distributed through unauthorized supply chains. Such botnets are traditionally dangerous because they not only affect the victim without his knowledge, but spread to most of his contacts through emails, social networks, USB devices and other mediums.

Quick Heal detects 3322.org subdomains
Quick Heal, the best system protection software, has observed this domain in the past and has released alerts about various trojans and other malware that originates from the same. This includes Backdoor.Hupigon.xda, TrojanDownloader.Agent.brns and TrojanDropper.Small.avc.

The Nitol botnet malware has also carried out several DDoS attacks that overload large networks with Internet traffic which ultimately cripples them. Subsequently, it also created additional access points on infected machines so that new malware strains could enter the machine through other sources.

This successful action by Microsoft reduces the impact of Nitol and the 3322.org domain and potentially saves millions of people from being targeted. Insecure supply chains are a common method of infecting unaware victims and this is the first of many steps to prevent such attacks.

Have something to add to this story? Share it in the comments.

Rahul Thadani
About Rahul Thadani
Rahul is a web enthusiast and blogger, and has been writing about the computer security industry for the last three years. Following the latest technology trends,...
Articles by Rahul Thadani »

3 Comments

Your email address will not be published.

CAPTCHA Image

  1. Thanks Rahul for information,
    Really very nice information.

    Additional Information:
    The investigation by Microsoft’s digital crimes unit began in August 2011 as a study into the sale and distribution of counterfeit versions of Windows. Microsoft employees in China bought 20 new computers from retailers and took them back to a home with an Internet connection.

    They found forged versions of Windows on all the machines and malware pre-installed on four. The one with Nitol, however, was the most alarming because the malware was active.

    The system was made by Hedy, a computer manufacturer in Guangzhou, China, according to the court records. The company, reached by phone, declined to answer questions.

    Reply
  2. Thanks alot rahul,
    for detailed explanation and lightening the very important information about Nitol.

    Reply
  3. Thanx alot Mr.Rahul for this brief and nice explanation of such recent issue of Nitol.

    Reply