Two weeks ago, I wrote about how a Microsoft study looking into unsecure supply chains led to the discovery of the emerging Nitol botnet, which was hosted by the 3322.org domain. In order to address this threat, Microsoft filed suit to take control of the 70,000 malicious subdomains hosted on 3322.org.
Today, I am pleased to announce that Microsoft has resolved the issues in the case and has dismissed the lawsuit pursuant to the agreement. As part of the settlement, the operator of 3322.org, Peng Yong, has agreed to work in cooperation with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to:
· Resume providing authoritative name services for 3322.org, at a time and in a manner consistent with the terms and conditions of the settlement.
· Block all connections to any of the subdomains identified in a “block-list,” by directing them to a sinkhole computer which is designated and managed by CN-CERT.
· Add subdomains to the block-list, as new 3322.org subdomains associated with malware are identified by Microsoft and CN-CERT.
· Cooperate, to the extent necessary, in all reasonable and appropriate steps to identify the owners of infected computers in China and assist those individuals in removing malware infection from their computers.
The settlement agreement can be found here. Since the case is settled, all evidence and discovery collected during Microsoft’s investigation will be handed over to CN-CERT, who will work with the defendant to identify the people behind the malicious subdomains pursuant to Chinese law. We’re very pleased by this outcome, which will help guarantee that the 70,000 malicious subdomains associated with 3322.org will never again be used for cybercrime.
Of note, in the 16 days since we began collecting data on the 70,000 malicious subdomains, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious 3322.org subdomains. In addition to blocking connections to the malicious domains, we have continued to provide DNS services for the unblocked 3322.org subdomains. For example, on Sept. 25, we successfully processed 34,954,795 DNS requests for 3322.org subdomains that were not on our block list.
Microsoft began sharing the infected IP information to the Shadow Server Foundation in order to reach as many of the Internet Service Providers (ISPs) whose customers were identified as victims. Also, Microsoft initiated data sharing with more than 40 impacted countries through their respective Computer Emergency Response Teams (CERTs) to accelerate victim clean-up efforts. To keep the momentum in notifying and cleaning victims’ computers ongoing, notification efforts being coordinated between Peng Yong and CN-CERT began on Sept. 26. Similar efforts have already helped to drastically reduce the global infection of the Waledac, Rustock, Kelihos and Zeus botnets.
Operation b70 was Microsoft’s fifth disruptive action against malware as part of its Project MARS (Microsoft Active Response for Security) initiative. As a result of Project MARS, Microsoft and its partners have proactively disrupted some of the most harmful botnets in existence, and significantly helped impact the cybercriminal underground for some time. Cybercriminals operate botnets because they’re profitable, but Microsoft’s actions have dealt continual, unprecedented blows against the illicit infrastructures on which they rely, and each time Microsoft takes away a botnet, these cybercriminals have to start over from scratch, which takes time and money. We believe the action against the Nitol botnet was particularly effective because it disrupted more than 500 different strains of malware – potentially impacting several cybercriminal operations.
Additionally, Operation b70 exposed another way cybercriminals are infecting people’s computers with malware. While there have been some reports that the malware in this case was being installed on computers at the factory, we have no evidence to support this claim. Our study showed that the malware was more likely than not being pre-installed on computers after they had left the factory but before they were delivered to the consumer.
Cybercriminals did and continue to do this by having disreputable distributors or resellers load malware-infected counterfeit software onto computers that have shipped from the PC manufacturer without an operating system, or in some cases, with an operating system that a customer doesn’t want. Those infected computers are then loaded with a desired operating system that is often laden with malware and then sold to unassuming customers. It’s our hope that by shedding light on this new threat vector and bringing it to the attention of original equipment manufacturers and policymakers, this action will have a real impact on cybercriminals’ ability to infiltrate the supply chain in the future.
Fighting botnets will always be a complex and difficult endeavor as cybercriminals find new and creative ways to infect peoples’ computers with malware, whether for financial gain or other nefarious purposes. However, those working to combat cybercrime continue to make progress, and Microsoft remains committed to protecting its customers and services and to making it difficult for cybercriminals to take advantage of innocent people for their dirty work.
Posted by Richard Domingues Boscovich
Assistant General Counsel, Microsoft Digital Crimes Unit