Chalk up another win for Microsoft’s legal and technical assault on botnet operators.
The company settled its lawsuit with the operator of the 3322.org domain, which hosted some 70,000 malicious sub-domains used to compromise computer systems and control a botnet, known as Nitol that controlled millions of computers.
In exchange, Peng Yong, the operator of 3322.org, has agreed to block access to the domains, collect data on infected systems and to no longer tolerate the use of sub-domains for malicious purposes in the future, according to a Microsoft post.
While a botnet operator could reconstitute the network of compromised systems on a different hosting service, Microsoft has disrupted the cyber-criminals’ operation and convinced another hosting provider to settle with the company, showing its combination of legal attacks and technical takedowns work, says Richard Boscovich, assistant general counsel for the company’s Digital Crimes Unit.
“Until now, everybody was talking about 3322.org—all these research companies looking at it and making these observations [of its malicious activities]—but it was still there, out in the open; they never did anything,” Boscovich said. “So does it make a difference? Absolutely.”
The settlement ends the company’s three week takeover of the 3322.org domain, which Microsoft operated since Sept. 12 to ensure that the more than 2 million legitimate sub-domains on the site remained connected to the Internet, while filtering out traffic to the malicious sub-domains. In the past 16 days, computers coming from more than 7.5 million Internet addresses attempted to connect back to the malicious sub-domains, a sign that the systems were infected.
About half of computers compromised with the Nitol bot software used the 3322.org sub-domains to receive commands, Microsoft stated in a research report on the botnet. Microsoft first became aware of Nitol spreading in China in February 2011. The company found that computers purchased locally in China often shipped with malware already on them. Of 20 systems purchased by the company in China, all had compromised security and four had already been infected with malware.
This is the second time that a court order has brought a hosting provider to Microsoft’s negotiating table. In September 2011, the company filed a lawsuit against Dominique Piatti, owner of the DotFree Group in the Czech Republic, in a similar complaint. A month later, Piatti settled with Microsoft.
“In both cases, we have started to set the benchmark as to what domains owners need to do,” Boscovich said. “A responsible domain owner has to be more vigilant as to what they are hosting. This is a warning to them.”
While such takedowns may seem like a drop in the bucket of worldwide cyber-crime, the registrars and hosting providers that either knowingly or inadvertently harbor botnet operations will take note, said Craig Sprosts, general manager of fixed broadband solutions for domain-name infrastructure provider Nominum.
“The registrars have some customers that they look the other way on, and they knew that they were hosting malware. But there was not an easy way to go after them and take the domains offline,” Sprosts said. “This is sending a very strong signal that hosting criminal activity is not acceptable.”