Microsoft applies 'surgical sinkhole' to strangle botnet installed on new PCs

Uncovers out-of-the-box Chinese machines infected with 'Nitol,' uses new DNS sinkhole strategy to kill botnet's comm links

By , Computerworld |  Security, Microsoft

Microsoft's take on 3322.org is unclear. In a complaint filed on Sept. 10 with a Virginia federal court, Microsoft called the domain a "major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people world-wide."

Boscovich, however, seemed willing to give its owner, Peng Yong, the benefit of the doubt. "We've reached out to the domain owner, not only to serve him [with the complaint] but also to work with him."

In an interview with the Associated Press Wednesday, Peng denied the allegations and said his company does not tolerate improper conduct on 3322.org.

But 3322.org has been fingered by security experts as a haven for malware websites, a so-called "bulletproof" hosting company, named that because it's supposedly impervious to takedown.

Zscaler, for instance, has claimed that 3322.org accounted for 17% of the world's malicious URL traffic, while Kaspersky Lab has said that 40% of all malware has, at one point or another, connected to the domain.

"This is one of the most prevalent call-home locations used by malware in the Nitol family," said Paul Ducklin of Sophos, in a Friday blog post, referring to 3322.org.

Microsoft discovered the connection between Nitol and new PCs last year, when Boscovich's team purchased 20 new desktop and laptop PCs in China and found all 20 running counterfeit copies of Windows XP or Windows 7.

Four of the PCs had malware pre-installed, and while three of those machines' threats were inactive, the fourth immediately connected to a Nitol C&C server for instructions.

It wasn't an accident that Microsoft uncovered the supply chain plot.

"We're always looking at different aspects of how people get infected, and there's always some discussion here of getting infected through counterfeit OSes," said Boscovich. "We wondered, 'How bad is this situation? People are getting more astute about security, so what are the criminals trying to do now?' We heard that the supply chain was an area where malware could be introduced. But I was somewhat surprised that we found malware-infected machines so quickly."

Microsoft has for years warned customers that counterfeit copies of Windows pose a threat -- a message many see as cover for a greater concern for its own business interests.


Originally published on Computerworld.