Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain

Earlier this week, the U.S. District Court for the Eastern District of Virginia granted Microsoft’s Digital Crimes Unit permission to disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people. Codenamed “Operation b70,” this legal action and technical disruption proceeded from a Microsoft study which found that cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers. In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet, our second botnet disruption in the last six months.

A supply chain between a manufacturer and a consumer becomes unsecure when a distributor or reseller receives or sells products from unknown or unauthorized sources. In Operation b70, we discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with harmful malware. Malware allows criminals to steal a person’s personal information to access and abuse their online services, including e-mail, social networking accounts and online bank accounts. Examples of this abuse include malware sending fake e-mails and social media posts to a victim’s family, friends and co-workers to scam them out of money, sell them dangerous counterfeit drugs, and infect their computers with malware.

What’s especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point as the computer passed through the companies that transport and resell it. So how can someone know if they’re buying from an unsecure supply chain? One sign is a deal that appears too good to be true. However, sometimes people simply can’t tell, which makes the exploitation of a broken supply chain an especially dangerous vehicle for infecting people with malware.

Microsoft is fully committed to protecting consumers by combating the distribution of counterfeit software and working closely with governments, law enforcement and other industry members in these efforts. Our disruption of the Nitol botnet further demonstrates our resolve to take all necessary steps to protect our customers and discourage criminals from defrauding them into using malware-infected counterfeit software. Given the security risks that malware infections can create, we also need suppliers, resellers, distributors and retailers in the supply chain to do their part in safeguarding people from harmful counterfeit software. They need to adopt and practice stringent policies that ensure that the computers and software they purchase and resell come from trustworthy sources. Policymakers and legislators can work together to better protect people by recognizing this security threat and looking at ways to deter counterfeit software from making its way into the supply chain.

The discovery of the Nitol botnet, and the subsequent action against it, stemmed from a Microsoft study looking into unsecure supply chains. The study confirmed that cybercriminals preload malware-infected counterfeit software onto computers that are offered for sale to innocent people. In fact, twenty percent of the PCs researchers bought from an unsecure supply chain were infected with malware. Making matters worse, the malware was capable of spreading from one machine to the next through removable media such as USB flash drives, potentially infecting the victim’s family, friends and co-workers when they simply shared computer files.

Our research into Nitol uncovered that the botnet was being hosted on 3322.org, a domain linked to malicious activity since 2008. The study also revealed that, in addition to hosting Nitol, 3322.org carried a staggering 500 different strains of malware on more than 70,000 subdomains. We found malware capable of remotely turning on an infected computer’s microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim’s home or business. We also found malware that records a person’s every keystroke, allowing cybercriminals to steal a victim’s personal information. The Nitol botnet malware itself carries out distributed denial of service (DDoS) attacks that can cripple large networks by overloading them with Internet traffic, and it creates hidden backdoors on the victim’s computer that allow even more malware, or anything else for that matter, to be loaded onto the infected machine.

Microsoft took action against the Nitol botnet as part of our Project MARS (Microsoft Active Response for Security) Program commitment to proactively eliminate malware threats that target our customers and cloud-based services. We filed suit in the U.S. District Court for the Eastern District of Virginia alleging many of the same violations committed by the operators of the Waledac, Rustock and Kelihos botnets.

On Sept. 10, the court granted Microsoft’s request for an ex parte temporary restraining order against Peng Yong, his company and other John Does. The order allows Microsoft to take over name resolution for the 3322.org domain, which hosted the Nitol botnet, through a domain name system (DNS) infrastructure Microsoft set up for this purpose. Because Microsoft now answers DNS queries for the domain, it can block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on 3322.org, while allowing traffic for all of the legitimate subdomains to continue without disruption.
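The selective filtering described above, as an added example that is neither Microsoft’s nor Nominum’s code and does not reproduce the real block list: a resolver-side policy that sinkholes listed subdomains of a dynamic-DNS parent (and every name beneath them) while letting the apex and all unlisted subdomains resolve normally. The zone, the blocked names, the client addresses and the query log lines are constructed for illustration; handing the sinkhole address back to the client is left to the resolver in front of this policy. The one detail worth copying is that matching is done on whole DNS labels rather than string suffixes, so an unrelated name such as evil3322.org is never swept up by the 3322.org rule.

```python
"""Selective DNS sinkhole policy for a dynamic-DNS parent domain.

Added example (not Microsoft's or Nominum's code). The zone, block list,
client addresses and query log below are constructed for illustration;
the real 3322.org block list is not reproduced here.
"""
from __future__ import annotations

from collections import Counter
from typing import Iterable

SINKHOLE = "sinkhole"   # answer with a sinkhole address and log the client
PASS = "pass"           # resolve normally: the apex or a legitimate subdomain
NOT_OURS = "not_ours"   # outside the zone we host; never matched by substring


def labels(name: str) -> tuple[str, ...]:
    """Normalize a DNS name into a tuple of lower-case labels.

    Case and a trailing dot are not significant in DNS, so 'DropZone.3322.ORG.'
    and 'dropzone.3322.org' must compare equal.
    """
    name = name.strip().rstrip(".").lower()
    parts = name.split(".")
    if not name or "" in parts:
        raise ValueError(f"malformed name: {name!r}")
    return tuple(parts)


def is_subdomain(name: tuple[str, ...], zone: tuple[str, ...]) -> bool:
    """True if name is strictly below zone, comparing whole labels.

    A plain string-suffix test would wrongly match 'evil3322.org' against
    '3322.org'; comparing label tuples enforces the dot boundary.
    """
    return len(name) > len(zone) and name[-len(zone):] == zone


class SinkholePolicy:
    """Block listed subdomains of one zone; pass everything else through."""

    def __init__(self, zone: str, blocked: Iterable[str]):
        self.zone = labels(zone)
        self.blocked: set[tuple[str, ...]] = set()
        for entry in blocked:
            lbl = labels(entry)
            if not is_subdomain(lbl, self.zone):
                raise ValueError(f"{entry} is not below {zone}")
            self.blocked.add(lbl)

    def decide(self, qname: str) -> str:
        q = labels(qname)
        if q == self.zone:
            return PASS            # the apex itself stays up
        if not is_subdomain(q, self.zone):
            return NOT_OURS
        # Walk from the full name up toward the apex: a listed name also
        # covers everything beneath it (update.bot-c2.3322.org is caught
        # when bot-c2.3322.org is listed).
        for i in range(len(q) - len(self.zone)):
            if q[i:] in self.blocked:
                return SINKHOLE
        return PASS


def triage(policy: SinkholePolicy, log_lines: Iterable[str]) -> dict[str, Counter]:
    """Apply the policy to 'client qname' log lines.

    Returns one Counter of clients per action; the SINKHOLE counter is the
    list of machines that tried to reach a blocked name, i.e. the victims
    a sinkhole operator would want to notify.
    """
    out = {SINKHOLE: Counter(), PASS: Counter(), NOT_OURS: Counter()}
    for line in log_lines:
        client, qname = line.split()
        out[policy.decide(qname)][client] += 1
    return out


# Constructed block list and query log (assumptions, not real data).
POLICY = SinkholePolicy("3322.org", ["bot-c2.3322.org", "dropzone.3322.org"])
SAMPLE_LOG = [
    "10.0.0.5 bot-c2.3322.org.",
    "10.0.0.5 update.bot-c2.3322.org",
    "10.0.0.7 myhome.3322.org",
    "10.0.0.7 3322.org",
    "10.0.0.9 evil3322.org",
    "10.0.0.9 DropZone.3322.ORG",
]

if __name__ == "__main__":
    for action, clients in triage(POLICY, SAMPLE_LOG).items():
        print(f"{action:9s} {dict(clients)}")
```

Running the script sinkholes the two queries from 10.0.0.5 and the upper-cased dropzone lookup from 10.0.0.9, passes myhome.3322.org and the apex, and marks evil3322.org as outside the zone. In a real deployment the block list would be loaded from a file and refreshed, and the resolver would answer sinkholed names with an address the operator controls so that victim traffic can be counted and the owners notified.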

This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322.org domain, and will help free people’s computers from the control of this malware. All of the legal documentation for this case can be found here. We would like to thank the DNS solutions and security company Nominum, which served as a declarant in the legal case and assisted us in filtering the 3322.org domain traffic.

Cybercriminals have made it clear that anyone with a computer could become an unwitting mule for malware; today’s action is a step toward preventing that. We will continue to work to protect people that use our products and services from these threats and the cybercriminals behind them. In addition, consumers should also exercise their right to demand that resellers provide them with non-counterfeit products free of malware.

If you believe your computer might be infected with malware, we encourage you to visit http://support.microsoft.com/botnets as this site offers free information and tools to analyze and clean your computer.

As this case and the operation are ongoing, we will continue to provide updates as they become available. To stay up-to-date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Posted by Richard Domingues Boscovich
Assistant General Counsel, Microsoft Digital Crimes Unit