Microsoft applies 'surgical sinkhole' to strangle botnet installed on new PCs

Uncovers out-of-the-box Chinese machines infected with 'Nitol,' uses new DNS sinkhole strategy to kill botnet's comm links

By , Computerworld |  Security, Microsoft

Boscovich relayed the same message yesterday. "Counterfeit software is usually merely an intellectual property issue, which is important," he said. "But this transcends. People, not just a company, are potentially victimized."

Microsoft is unsure where in the Chinese supply chain the malware was introduced, but given the way PCs are purchased there, believes that it's at the point where a retailer adds Windows.

It's unlikely that the malware was planted at the factory, said Boscovich, who said that some of the infected PCs were from brands recognizable to Westerners. He declined to name those manufacturers, however.

"In this particular region [China], most PCs come with the DOS operating system, and customers rely on the retailer to install a more modern operating system," said Boscovich. "Somewhere in the retail supply chain, a retailer puts on Windows."

That's the probable point in the chain where the infections occur.

"The porous nature of the supply chain puts people, consumers and their friends and family, at risk as criminals find new ways to compromise computers," Boscovich said.

Nitol is not a new threat -- it was first discovered in 2008 -- but with tens of thousands of variants this year alone, it's created what Sophos called a "veritable web of cyber criminality."

Boscovich said Microsoft is seeking the names of the individuals who registered the Nitol C&C domains from Peng, as well as those responsible for the 70,000-some malware-hosting subdomains, but has yet to reach Peng. It will identify the machines infected with the bot and refer those IP addresses to the appropriate country's CERT (Computer Emergency Response Team) organization and pertinent ISPs to work with users and customers on cleanup efforts.

The new "surgical" sinkholing tactic, however, may be the longest-lasting effect of Microsoft's Operation b70, said Nominum's Sprosts.

"Bulletproof hosting companies often try to hide behind innocent victims to escape legal action," he said. "This will be a wake-up call for many other [bulletproof hosting firms] that they'd better clean up their act."

Because Microsoft and others can now limit collateral damage, Sprosts said, he anticipated that courts will look more kindly on takedown and sinkhole requests. "[Judges] will see that this is surgical, not a blunt force instrument."
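The "surgical" idea described above, as an added illustration (not Microsoft's or Nominum's code): a resolver policy that answers only the known C&C names under a seized parent zone with a sinkhole address, keeps resolving every other subdomain so legitimate customers are not cut off, and records which client addresses hit the sinkhole for CERT/ISP referral. The zone, names, addresses and the prefix-to-CERT mapping are all constructed stand-ins.

```python
from collections import defaultdict
import ipaddress

SEIZED_ZONE = "example-ddns.test"      # constructed stand-in for the seized parent domain
SINKHOLE_IP = "192.0.2.1"              # documentation-range address serving as the sinkhole
# constructed blocklist of C&C subdomains; only these get sinkholed
CNC_NAMES = {"evil1.example-ddns.test", "updates7.example-ddns.test"}


class SurgicalSinkhole:
    def __init__(self, zone, cnc_names, sinkhole_ip):
        self.zone = zone.lower().rstrip(".")
        self.cnc = {n.lower().rstrip(".") for n in cnc_names}
        self.sinkhole_ip = sinkhole_ip
        self.hits = defaultdict(set)   # client ip -> C&C names it asked for

    def in_zone(self, name):
        return name == self.zone or name.endswith("." + self.zone)

    def resolve(self, qname, client_ip, upstream):
        """Return (verdict, answer); `upstream` resolves names we do not sinkhole."""
        name = qname.lower().rstrip(".")      # normalise case and trailing dot
        if self.in_zone(name) and name in self.cnc:
            self.hits[client_ip].add(name)    # an infected host just phoned home
            return ("sinkhole", self.sinkhole_ip)
        # outside the zone, or a legitimate subdomain of it: keep resolving normally
        return ("forward", upstream(name))

    def referral_report(self, cert_lookup):
        """Group sinkholed client IPs by the CERT responsible for their network."""
        report = defaultdict(list)
        for ip in sorted(self.hits, key=ipaddress.ip_address):
            report[cert_lookup(ip)].append(ip)
        return dict(report)


# constructed prefix -> CERT table standing in for a real IP-to-country lookup
CERT_BY_PREFIX = {"203.0.113.0/24": "CERT-A", "198.51.100.0/24": "CERT-B"}


def lookup_cert(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, cert in CERT_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return cert
    return "UNKNOWN"
```

A blunt sinkhole would answer every name under the zone with the sinkhole address; here only names in `CNC_NAMES` are diverted, which is the collateral-damage difference the article attributes to Operation b70.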

Originally published on Computerworld.