Operation b70: Microsoft Reaches Settlement with Defendants in Nitol Botnet Case – Q & A


Operation b70: Microsoft Reaches Settlement with Defendants in Nitol Botnet Case

 

Key Messages

 

  • Microsoft reached a settlement with the defendants in the Nitol botnet case and will be dismissing the lawsuit pursuant to the agreement.
  • Valuable evidence and intelligence gained in the operation will be used to help rescue people’s computers from the control of the malware associated with 3322.org and to support Microsoft’s ongoing effort to undermine cybercriminal organizations.
  • Unsecure supply chains expose people and public institutions to the perilous dangers of malware.

 

Settlement Q&A

 

Q: What are you announcing today?

A: In the legal case supporting the disruption of Nitol and 500 additional strains of malware, Microsoft sued defendants Peng Yong, Changzhou Bei Te Kang Mu Software Technology Co., Ltd., and other John Does, alleging they were responsible for operating the 3322.org domain that was hosting the command and control server for the botnet and other malware variants. 

 

On Thursday, September 26, 2012, Microsoft resolved the issues in the case and dismissed the lawsuit pursuant to the agreement. As part of the settlement, the operator of the domain, Peng Yong, has agreed to a number of terms, including to cooperate with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to:

 

  • Resume providing authoritative name services for 3322.org, at a time and in a manner consistent with the terms and conditions of the settlement.
  • Block all connections to any of the subdomains identified in a “block-list,” by directing them to a sinkhole computer which is designated and managed by CN-CERT.
  • Add subdomains to the block-list as new 3322.org subdomains associated with malware are identified by Microsoft and CN-CERT.
  • Cooperate, to the extent necessary, in all reasonable and appropriate steps to identify the owners of infected computers in China and to assist those individuals in removing malware infections from their computers.

 

The settlement agreement can be found here. Microsoft is very pleased by this outcome as it will help guarantee that the 70,000 malicious subdomains associated with 3322.org will never again be used for cybercrime.

 

Q: Are you dropping the suit against John Does 1-3?

A: Since the case is settled, all evidence and discovery collected during Microsoft’s investigation will be handed over to CN-CERT, who will work with the defendants to identify the people behind the malicious subdomains pursuant to Chinese law.

 

Q: Who do you believe is responsible for the Nitol botnet?

A: As alleged in the complaint and supporting declarations, we believe Peng Yong, his company, and other John Does were responsible for operating the 3322.org domain hosting the command and control server for the botnet malware.

 


 

Q: Do you believe Peng Yong, his company, and the John Does listed as defendants in the case are the primary operators of the Nitol botnet?

A: As alleged in the complaint and supporting declarations filed in September, we believe Peng Yong, his company, and the other John Does were responsible for operating the 3322.org domain that was hosting the command and control server for the botnet malware.

 

Since the disruption of Nitol, we have been in talks with Mr. Yong and his company. As part of this discussion, Mr. Yong and his company have agreed to cooperate with Microsoft and to work with the Chinese Computer Emergency Response Team (CN-CERT) to complete a series of steps to block all malicious connections to the 3322.org domain or sub-domains and to prevent malware infections associated with the domain. The settlement agreement can be found here.

 


 

Q: Did Peng Yong and/or his company pay Microsoft as part of the settlement?

A: There was no money exchanged as part of the settlement. 

 

Q: Is this the first time you and Microsoft have seen pre-installed botnets?

A: Yes, this is the first time Microsoft’s Digital Crimes Unit has seen malware being preinstalled on computers before they are shipped to the consumer. It is important to note that while there have been some reports that the malware in this case was being installed on computers at the factory, we have no evidence to support this claim. Our study showed that the malware was more than likely being pre-installed on computers after they had left the factory but before they were delivered to the consumer.

 

Q: Did you inspect other devices for pre-installed botnets, such as smartphones? If not, can you offer any assurance that other devices are safe?

A: As DCU’s study only involved computers – the 20 purchased from PC malls – we cannot definitively say that mobile devices, or other digital products, are also preinstalled with malware by the distributor or reseller. However, if a person purchases a non-genuine device or a device that is distributed through an unsecure supply chain, there’s no way of knowing exactly what you’re also getting.

 

Q: Can you tell me approximately how many computers Microsoft obtained from the unsecure supply chain? About how many computers total do you believe could be infected? 

A: DCU researchers purchased 20 new computers, ten laptops and ten desktops, from PC malls with counterfeit software preinstalled by the distributor or reseller. They examined and documented the files on these PCs and found malware on four of the 20 computers, an infection rate of 20 percent. 

 

Of note, for the 16 days since Microsoft began collecting data on the 70,000 malicious subdomains on September 11, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious 3322.org subdomains. In addition to blocking connections to the malicious subdomains, we have continued to provide DNS services for the remaining legitimate 3322.org subdomains. For example, on September 25, Microsoft successfully processed nearly 35 million DNS requests for 3322.org subdomains that were not on our block list.  

 

Q: Were these computers only being sold to consumers in China? Or might they have ended up in some other regions?

A: While the majority of Nitol infections are located in China, as alleged in the complaint and further supported by the data collected in our sinkhole operation, this botnet is a global threat. Additionally, because this malware spreads through removable media like USB flash drives, it has the potential to spread quickly and quietly, potentially causing an insurmountable amount of damage to people, businesses, and public networks worldwide.

 

Q: Do you know if the majority of these computers were being sold to consumers? Were there any large corporates or medium-sized businesses that purchase a bulk amount of these PCs for their offices?

A: For its study, Microsoft purchased computers at what are referred to as PC Malls in China. We did this because we wanted to get a sampling of what an average consumer in China would get if they bought a new computer. Microsoft cannot speculate whether or not large corporations or medium-sized businesses have purchased a bulk amount of these PCs for their offices, but as our study showed, these computers are available to Chinese consumers for purchase.

 

Q: What is an unsecure supply chain and where in the supply chain is the malware being loaded onto computers?

A: A secure supply chain is a system that transports a genuine product from the manufacturer to the consumer using authorized and trustworthy manufacturers, distributors, transporters, and resellers.  A supply chain between a manufacturer and a consumer becomes unsecure when a distributor or reseller receives or sells products from unknown or unauthorized sources. In Operation b70, we discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with harmful malware. It is believed that the computers in this case became infected after the devices left the factory as many Chinese computers are shipped with DOS (disk operating system) and operating systems are installed later.

 

Q: Did the takedown of the subdomains associated with the Nitol malware take any legitimate subdomains offline?

A: No. Because the court order pointed the 3322.org domain towards Microsoft’s newly created domain name system (DNS), any legitimate subdomains that were operating on the 3322.org domain will continue to function as they had prior to this action as Microsoft will reroute traffic to these subdomains. Microsoft will continue to keep these domains operational until a resolution has been reached to transfer the subdomains to a new, legitimate domain. Of note, Microsoft created its own DNS in part to mitigate any collateral damage resulting from its botnet operations.

 


 

Microsoft began sharing the infected IP information with the Shadow Server Foundation in order to reach as many as possible of the Internet Service Providers (ISPs) whose customers were identified as victims. Also, Microsoft initiated data sharing with more than 40 impacted countries through their respective Computer Emergency Response Teams (CERTs) to accelerate victim clean-up efforts. To keep the momentum in notifying and cleaning victims’ computers ongoing, notification efforts being coordinated between Peng Yong and CN-CERT began on Sept. 26. Similar efforts have already helped to drastically reduce the global infection of the Waledac, Rustock, Kelihos and Zeus botnets.

 

Q: Is there any way of knowing if your computer is infected?

A: For computer owners worried that their computers might be infected, Microsoft offers free information and malware cleaning tools at http://support.microsoft.com/botnets that can help people remove Nitol and other malware from their computers. We encourage all computer users to exercise safe practices, such as running up-to-date and legitimate software and using protections like a firewall and anti-virus/anti-malware programs. People should also exercise caution when surfing the web, clicking on ads or email attachments that may prove to be malicious. More information about staying safe online can be found at http://www.microsoft.com/protect.

 

It’s important to note that, unfortunately, while there are tools to help determine whether a product is genuine, sometimes it will not be clear. This is why the exploitation of an unsecured supply channel is especially dangerous.  Microsoft’s How to Tell website contains a wealth of information about how to determine whether Microsoft software is genuine, including pre-purchase checklists, product information, and visual examples of Certificates of Authenticity (COAs), installation media, and product packaging, including piracy prevention features. Meanwhile, the best way to purchase software is from an authorized reseller who sells only genuine software. To locate a reputable reseller, businesses can use local resources such as a Chamber of Commerce, the Better Business Bureau, and consumer publications, or find local Microsoft reseller contact information online at Microsoft’s Midsize Business Center, Small Business Center, or the Business & Industry websites.

 

Original Announcement Q&A

 

Q: What are you announcing today?

A: Today, based on its knowledge from its previous successful botnet takedowns (e.g. Waledac, Rustock, Kelihos), Microsoft has significantly helped stop the spread of the developing Nitol botnet and more than 500 different strains of additional malware with the potential to target millions of innocent people. Codenamed “Operation b70,” this action exposes an emerging tactic cybercriminals are taking advantage of to abuse unsecured supply chains and secretly plant malware on people’s computers to allow criminals to steal money and personal information and to use email and social media accounts to subsequently harm their family, friends or co-workers.

 

The discovery and successive action against the Nitol botnet resulted from a Microsoft study looking into unsecured supply chains and confirmed that cybercriminals are preloading computer hardware with counterfeit software that is infected with malware and sold to unsuspecting customers. In fact, four of the twenty computers our researchers bought from an unsecured supply chain were infected with malware – that’s a twenty percent infection rate. Making matters worse, the malware can often spread through devices like USB flash drives, transforming the innocent file exchange into an infectious and dangerous transaction. This allows malware to spread much like an infectious disease, except there are no visible symptoms to alert a person that they’re in danger or that they could spread the infection to anyone or any business that an infected person comes into contact with online.

 

As part of Microsoft’s ongoing commitment to proactively eliminate these threats, especially those that target online products and cloud-based services like email and online banking, we used the legal model developed under the Project MARS (Microsoft Active Response for Security) Program and filed suit in the U.S. District Court for the Eastern District of Virginia alleging many of the same violations committed by the operators of the Waledac, Rustock and Kelihos botnets.  On September 10, 2012, the court granted Microsoft’s request for an ex parte temporary restraining order (TRO) against Peng Yong, his company, and other John Does, to disrupt the Nitol botnet and more than 500 different types of malware, allowing Microsoft to run the 3322.org domain, which hosted the Nitol botnet, through Microsoft’s newly created domain name system (DNS). This system enabled Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322.org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption.  This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322.org domain and will help rescue people’s computers from the control of this malware making the Internet a safer place for people and online services.   

 

UPDATE: On September 26, 2012, Microsoft resolved the issues in the case and dismissed the lawsuit pursuant to the agreement. As part of the settlement, the operator of the domain, Peng Yong, has agreed to a number of terms, including to cooperate with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to complete a series of steps to block all malicious connections to the 3322.org domain or sub-domains and to prevent malware infections associated with the domain. The settlement agreement can be found here.

 


 


 


 

Q: How did you do this?

A: Because the technical requirements and conditions of Operation b70 are very similar to those in the Kelihos botnet takedown, Microsoft used the legal mechanism it established in the successful Kelihos case to disrupt the Nitol botnet and more than 500 different types of malware. Specifically, Microsoft sought an ex parte temporary restraining order (TRO) from the U.S. District Court for the Eastern District of Virginia against Peng Yong, his company, and other John Does using some of the violations claimed in its prior botnet cases. On September 10, 2012, the court granted Microsoft’s request. In response to the granted TRO, the Public Internet Registry, as the registrant for all .org domains, will begin pointing the 3322.org domain, which hosts the Nitol botnet, to Microsoft’s newly created domain name system (DNS). This will allow Microsoft to disrupt the Nitol botnet as well as the nearly 70,000 malicious subdomains that are also hosted on the 3322.org domain. Meanwhile, Microsoft will begin routing all of the malicious 3322.org subdomains to the Microsoft DNS system, a process known as sinkholing, in order to collect valuable evidence and intelligence that will be used to help clean people’s computers from Nitol and the other types of malware operating on the 3322.org domain.

 

This operation further supports Microsoft’s ongoing effort to undermine the cybercriminal organization and to help identify those responsible for the botnet. Also, because the domain will now be pointing toward Microsoft’s DNS, any legitimate subdomains operating on the 3322.org domain will continue to function as they had prior to this action as Microsoft will reroute traffic to these subdomains. Microsoft will continue to keep these domains operational until a resolution has been reached to transfer the subdomains to a new, legitimate domain. Of note, Microsoft created its new DNS in part to mitigate any collateral damage resulting from its botnet operations. 

 

Microsoft will also begin working with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) around the world to undo the damage caused by Nitol and the more than 500 different types of malware hosted on the 3322.org domain by helping people clean their infected computers. 
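The block-list sinkhole described in the settlement terms and in this answer, modelled as an added example that is not Microsoft's or CN-CERT's code: queries for block-listed 3322.org subdomains (and anything beneath them) are answered with a sinkhole address and logged, legitimate subdomains keep resolving to their real records, and the log is aggregated into the connection and unique-IP counts that drive victim notification. All names, addresses and the query log are constructed, and grouping victims by /24 prefix stands in for mapping them to ISPs.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

APEX = "3322.org"
SINKHOLE_IP = "192.0.2.1"   # placeholder from the RFC 5737 documentation range, not the real sinkhole

# Constructed sample data (not from the case): records for two legitimate
# subdomains, and a block-list of subdomains associated with malware.
LEGIT_ZONE = {
    "blog.user1.3322.org": "198.51.100.10",
    "files.user2.3322.org": "198.51.100.11",
}
BLOCK_LIST = ["cnc.bad1.3322.org", "bad2.3322.org"]


class SinkholeResolver:
    """Answers queries for the 3322.org zone: block-listed names (and anything
    beneath them) are answered with the sinkhole address and logged, while every
    other name is answered from the legitimate zone so it keeps working."""

    def __init__(self, zone, block_list, sinkhole_ip=SINKHOLE_IP):
        self.zone = {self._norm(n): ip for n, ip in zone.items()}
        self.block_list = {self._norm(n) for n in block_list}
        self.sinkhole_ip = sinkhole_ip
        self.connections = 0            # every query sent to the sinkhole
        self.hits = defaultdict(set)    # blocked name -> set of client IPs

    @staticmethod
    def _norm(name):
        # DNS names are case-insensitive and may arrive with a trailing dot.
        return name.rstrip(".").lower()

    def add_to_block_list(self, name):
        """Newly identified malicious subdomains are added as they are found."""
        self.block_list.add(self._norm(name))

    def is_blocked(self, name):
        # Walk up the labels so that blocking "bad2.3322.org" also covers
        # "beacon.bad2.3322.org" without listing every hostname beneath it.
        labels = self._norm(name).split(".")
        return any(".".join(labels[i:]) in self.block_list for i in range(len(labels)))

    def resolve(self, qname, client_ip):
        """Return the address to answer with, or None when the name does not exist."""
        name = self._norm(qname)
        if name != APEX and not name.endswith("." + APEX):
            return None                 # outside the zone we are authoritative for
        if self.is_blocked(name):
            self.connections += 1
            self.hits[name].add(str(ip_address(client_ip)))
            return self.sinkhole_ip
        return self.zone.get(name)      # legitimate subdomains are unaffected

    def unique_victims(self):
        return set().union(*self.hits.values())

    def victims_by_prefix(self, prefix_len=24):
        """Group victim IPs by network prefix: a stand-in for batching them per ISP."""
        groups = defaultdict(set)
        for ip in self.unique_victims():
            groups[str(ip_network(f"{ip}/{prefix_len}", strict=False))].add(ip)
        return {net: sorted(ips) for net, ips in groups.items()}


def demo():
    """Run a constructed query log through the resolver and return it with the answers."""
    resolver = SinkholeResolver(LEGIT_ZONE, BLOCK_LIST)
    queries = [                                     # (queried name, client IP), constructed
        ("blog.user1.3322.org", "203.0.113.5"),     # legitimate: real record
        ("CNC.BAD1.3322.org.", "203.0.113.5"),      # blocked, despite case and trailing dot
        ("cnc.bad1.3322.org", "203.0.113.7"),       # blocked
        ("beacon.bad2.3322.org", "198.51.100.200"), # beneath a blocked name
        ("files.user2.3322.org", "198.51.100.200"), # legitimate: real record
        ("nothere.3322.org", "203.0.113.9"),        # unknown: no record
    ]
    answers = [resolver.resolve(q, ip) for q, ip in queries]
    return resolver, answers


if __name__ == "__main__":
    r, a = demo()
    print(a, r.connections, len(r.unique_victims()), r.victims_by_prefix())
```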

 


 

Q: How many domains and subdomains did you take down?

A: As outlined in the court order, Microsoft took control of the 3322.org domain, allowing us to disrupt the Nitol botnet and the other malicious subdomains hosted on the 3322.org domain. In total, Microsoft severed nearly 70,000 malicious subdomains, all of which were associated with the 3322.org domain. Because the domain is now pointing towards Microsoft’s domain name system (DNS), any legitimate subdomains that were operating on the 3322.org domain will continue to function as they had prior to the disruption as Microsoft will reroute traffic to these subdomains.

 

Microsoft created its own DNS in part to mitigate any collateral damage resulting from its botnet operations. Microsoft will continue to keep these domains operational until a resolution has been reached to transfer the subdomains to a new, legitimate domain.

 


 

Q: Is the intelligence you gained from this operation going to be added to the Threat Intelligence feed DCU announced recently it was working on? 

A: Microsoft will use the intelligence gained from this action to partner with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) around the world to work to rescue people’s computers from the control of the Nitol malware and the more than 500 additional types of malware associated with the 3322.org domain. This collaborative effort will help make the Internet safer for millions of innocent people, businesses, and public networks worldwide.

 

If pressed for more detail on the threat intelligence feed more broadly:

As you are likely aware, Microsoft has been driving a sustained fight against botnets for almost a decade and in recent years has adopted a proactive disruption strategy to protect our customers.  Examples of this new approach, dubbed Project MARS, can be seen in the operations against prominent botnets like Waledac, Rustock, Kelihos, and Zeus. With each operation, DCU and its partners strive to find new ways to further protect the community. One example of the success of this approach can be found in the botnet cleanup effort we have supported with our co-workers in Trustworthy Computing and the Microsoft Malware Protection Center to work with ISPs and CERTs around the world to help infected computer owners regain control of their computers.  By sharing our botnet takedown data with ISPs and CERTs, Microsoft has been able to provide the information necessary to inform affected computer owners as well as offer free tools to help them clean their systems.  This effort has already helped to drastically reduce the global infection of the Waledac, Rustock, Kelihos, and the Zeus botnets.

 

As our efforts evolve, Microsoft continues to explore new ways to make this type of information available to those who can help our customers better protect themselves. To that end, we are currently testing a new system which aims to deliver actionable, real-time intelligence on currently tracked threats to customers and partners.

 

Q: What can you tell me about this particular malware?

A: Microsoft’s researchers discovered that Nitol’s primary functionality is to perform distributed denial-of-service (DDoS) attacks, which cybercriminals often use to cripple large networks and can pose a serious threat to critical infrastructures, like financial services and utility providers. The Nitol botnet malware also creates hidden access points onto a victim’s computer that cybercriminals can use to access a victim’s online service accounts like their email or online banking accounts. This allows cybercriminals to steal a victim’s money or to cause harm to anyone the victim communicates with online. This includes a cybercriminal using a victim’s online accounts to send fraudulent emails to the victim’s family, friends, and co-workers asking them for money or a cybercriminal targeting the victim’s family, friends, or co-workers’ computers by distributing and infecting them with more malware.

 

Q: How can people’s computers become infected with Nitol?

A: Microsoft’s research shows that a person can become infected in a couple of ways. First, an organization, business, or person can become infected if they purchase or download a digital product that already has the malware pre-loaded on it. Secondly, a person can become infected through file exchanges on USB flash drives with an infected computer.

 

Q: Why did you choose to target this malware?

A: The Nitol malware was one strain of malware that Microsoft researchers discovered as part of its study looking into the security risks associated with products being delivered through an unsecure supply chain. Our researchers found that the Nitol malware attempted to connect to the command and control of the “dormant” botnet, which the cybercriminals were building by infecting digital products, like computers or software, distributed through an unsecure supply channel.  In addition, our researchers identified that the malware’s primary functionality is to perform distributed denial-of-service (DDoS) attacks, which cybercriminals often use to cripple large networks, like the critical infrastructures of financial services organizations and utility providers.  The botnet’s malware also creates hidden access points onto a victim’s computer that cybercriminals can use to access a victim’s online service accounts like their email or online banking accounts. This allows cybercriminals to steal a victim’s money or to cause harm to anyone the victim communicates with online. This includes a cybercriminal using a victim’s online accounts to send fraudulent emails to the victim’s family, friends, and co-workers asking them for money or a cybercriminal targeting the victim’s family, friends, or co-workers’ computers by distributing and infecting them with more malware.

 

Because of these dangerous capabilities, Microsoft crippled the Nitol botnet along with more than 500 different types of malware that were being hosted on the 3322.org domain. This action will significantly reduce the impact of the threats associated with Nitol and the 3322.org domain, and will help protect millions of innocent people, online businesses, and public networks from becoming infected with malware.

Q: What can you tell us about the other malware variants found as part of its study?

A: In addition to the Nitol malware, Microsoft researchers found three additional strains of malware. Although none of these strains connects to a botnet, their activities are just as harmful. One of the other variants is capable of conducting distributed denial-of-service (DDoS) attacks, which cybercriminals often use to cripple large networks, and of creating hidden access points onto a victim’s computer, allowing cybercriminals to access and abuse the victim’s online service accounts, such as email or online banking. Another strain performs keylogging, recording a person’s every keystroke in order to steal personal information. Once this information is stolen, cybercriminals can use it to access a victim’s online accounts to steal money and personal identities. Cybercriminals also use the information to email a victim’s contact lists, to post to a victim’s social media accounts, and to defraud the victim’s family, friends, and co-workers out of their money or sell them fake drugs. You can learn more about these strains of malware in this study.

Q: How much damage have these other types of malware caused?

A: Because Nitol was the only malware which actively ran and attempted to connect to a command and control server of a botnet, Microsoft focused its research and efforts on that particular piece of malware and has not extensively researched the other threats.  You can find more information on the additional threats on the Microsoft Malware Protection Center site.

 

Q: When did you start researching this malware and its relationship to an unsecured supply chain?

A: While past research suggests that unsecure supply chains are susceptible to various security threats, members of Microsoft’s Digital Crimes Unit (DCU) research team chose to take a deeper look into the risks of an unsecured supply chain because they suspected that cybercriminals were preloading malware onto computers built with counterfeit software. To test this theory, our researchers purchased 20 new computers from PC malls with counterfeit software preinstalled by the distributor. They examined and documented the files on these PCs and found malware on four of the 20 computers, an infection rate of 20 percent.

The researchers also discovered that one of these malware types, a variant of the Nitol family, attempted to connect to the command and control server of the “dormant” Nitol botnet, which the cybercriminals were building by infecting digital products, like computers or software, distributed through an unsecure supply channel. The cybercriminals further broadened their reach by designing the malware to copy itself from one computer to another via USB flash drives. This allows Nitol to spread much like an infectious disease, except that there are no visible symptoms to alert a person that they are in danger.

Microsoft’s researchers determined that while the additional forms of malware found on the other computers purchased from the PC malls did not connect to a botnet, they were just as harmful. One is capable of conducting DDoS attacks and creating hidden access points onto a victim’s computer. Another performs keylogging, recording a person’s every keystroke in order to steal personal information. Once this information is stolen, cybercriminals can use it to access the victim’s online accounts to steal money and personal identities. Cybercriminals also use the information to email a victim’s contact lists, to post to a victim’s social media accounts, and to defraud the victim’s family, friends, and co-workers out of their money or sell them fake drugs.

As Microsoft’s researchers further examined the Nitol botnet, they began researching the subdomains that hosted Nitol’s command and control server, which led them to the 3322.org domain owned by Peng Yong, his company, and other John Does. The researchers found that while some of the defendants’ subdomains may be legitimate, many are being used for questionable purposes with links to a variety of disreputable and disturbing online activities. For instance, Microsoft’s research revealed that in addition to hosting the Nitol botnet, at least 70,000 subdomains link to more than 500 different types of malware, including one type that controls a computer’s web camera and microphone, allowing cybercriminals to secretly watch and listen in on people’s interactions and conversations. Additional malware threats found on the 3322.org domain are capable of DDoS attacks, keylogging, stealing passwords, copying and installing software, creating hidden access points onto a victim’s computer, and connecting to command and control servers.

Q: How do you define an unsecured supply chain?

A: A secure supply chain is a system that transports a genuine product from the manufacturer to the consumer using authorized and trustworthy manufacturers, distributors, transporters, and resellers. A supply chain becomes unsecure when a party within the chain obtains products from an unknown or unauthorized source and sells them to a consumer.

Q: How do you define a dormant botnet?

A: A dormant botnet is a botnet that is still being built by cybercriminals through new computer infections. The botnet is not used to commit any crime until it reaches the critical mass the cybercriminal wants.

Q: What did the researchers discover as part of the study?

A: As part of DCU’s study, Microsoft researchers found that malware was preloaded on four of the 20 computers they had purchased from the PC malls.

The researchers also discovered that one of these malware types, a variant of the Nitol family, attempted to connect to the command and control server of the “dormant” Nitol botnet, which the cybercriminals were building by infecting digital products, like computers or software, distributed through an unsecure supply channel. The cybercriminals further broadened their reach by designing the malware to copy itself from one computer to another via USB flash drives. This allows Nitol to spread much like an infectious disease, except that there are no visible symptoms to alert a person that they are in danger.

Microsoft’s researchers determined that while the additional forms of malware found on the other computers purchased from the PC malls did not connect to a botnet, they were just as harmful. One is capable of conducting DDoS attacks and creating hidden access points onto a victim’s computer. Another performs keylogging, recording a person’s every keystroke in order to steal personal information. Once this information is stolen, cybercriminals can use it to access the victim’s online accounts to steal money and personal identities. Cybercriminals also use the information to email a victim’s contact lists, to post to a victim’s social media accounts, and to defraud the victim’s family, friends, and co-workers out of their money or sell them fake drugs.

As Microsoft’s researchers further examined the Nitol botnet, they began researching the subdomains that hosted Nitol’s command and control server, which led them to the 3322.org domain owned by Peng Yong, his company, and other John Does. The researchers found that while some of the defendants’ subdomains may be legitimate, many are being used for questionable purposes with links to a variety of disreputable and disturbing online activities. For instance, Microsoft’s research revealed that in addition to hosting the Nitol botnet, at least 70,000 subdomains link to more than 500 different types of malware, including one type that controls a computer’s web camera and microphone, allowing cybercriminals to secretly watch and listen in on people’s interactions and conversations. Additional malware threats found on the 3322.org domain are capable of DDoS attacks, keylogging, stealing passwords, copying and installing software, creating hidden access points onto a victim’s computer, and connecting to command and control servers.

Q: Is there anything new about this legal strategy?

A: Because the technical requirements and conditions of Operation b70 are very similar to those in the Kelihos botnet takedown, Microsoft used the legal mechanism it established in the successful Kelihos case to disrupt the Nitol botnet and more than 500 different types of malware. Specifically, Microsoft sought an ex parte temporary restraining order (TRO) from the U.S. District Court for the Eastern District of Virginia against Peng Yong, his company, and other John Does, asserting some of the same claims it had raised in its prior botnet cases.

On September 10, 2012, the court granted Microsoft’s request. In response to the TRO, the Public Interest Registry, as the registry operator for all .org domains, will begin pointing the 3322.org domain, which hosts the Nitol botnet’s command and control, at name servers operated by Microsoft. Controlling the authoritative name servers for 3322.org allows Microsoft to disrupt the Nitol botnet as well as the nearly 70,000 malicious subdomains hosted under the domain. Microsoft will resolve all of the malicious 3322.org subdomains to a server it controls, a process known as sinkholing, in order to collect evidence and intelligence (for example, the addresses of infected computers that keep trying to reach their command and control) that will be used to help clean people’s computers of Nitol and the other types of malware operating on the 3322.org domain.

Q: Could other organizations take the same measures to take down or disrupt a botnet?

A: Yes. The underlying civil proceeding is not new; the statutes Microsoft relied on have been in use for many years to impose criminal penalties and to provide a civil cause of action for acts performed as part of an ongoing criminal organization.

Q: Who do you think is responsible for this malware?

A: As alleged in the complaint and supporting declarations, we believe Peng Yong, his company, and other John Does are responsible for operating the 3322.org domain hosting the command and control for the botnet malware. However, as this case is ongoing, new information will be used to build greater intelligence and to inform our next steps.

 

Q: Will this case result in the capture or identification of the people behind the malware?

A: Since this is a civil case, no criminal violations were alleged.  That said, we are keeping all of our options open and may decide to refer the matter to law enforcement if or when it is appropriate to do so.

 

Q:  Did you physically seize any servers as part of this takedown?

A: No, we did not physically seize any servers as part of this takedown. However, in response to the TRO granted on September 10, 2012, the Public Interest Registry, as the registry operator for all .org domains, will begin pointing the 3322.org domain, which hosts the Nitol botnet’s command and control, at name servers operated by Microsoft. Controlling the authoritative name servers for 3322.org allows Microsoft to disrupt the Nitol botnet as well as the nearly 70,000 malicious subdomains hosted under the domain.

Meanwhile, Microsoft will resolve all of the malicious 3322.org subdomains to a server it controls, a process known as sinkholing, in order to collect evidence and intelligence that will be used to help clean people’s computers of Nitol and the other types of malware operating on the 3322.org domain.

Because the domain now points at Microsoft’s name servers, any legitimate subdomains operating on the 3322.org domain will continue to function as they did prior to this action: Microsoft will keep serving their original records rather than the sinkhole address. Microsoft will continue to keep these subdomains operational until a resolution has been reached to transfer them to a new, legitimate domain. Of note, Microsoft built its own DNS infrastructure in part to mitigate any collateral damage resulting from its botnet operations.

Q: How can I protect my computer from becoming part of a botnet in the first place?

A: We encourage all computer users to exercise safe practices, such as running up-to-date and legitimate software and using protections like a firewall and anti-virus/anti-malware programs.  People should also exercise caution when surfing the web, clicking on ads or email attachments that may prove to be malicious. More information about staying safe online can be found at http://www.microsoft.com/protect.

 

For computer owners worried that their computers might be infected, Microsoft offers free information and malware cleaning tools at http://support.microsoft.com/botnets that can help people remove Nitol and other malware from their computers.

 

Q: How can I tell if a product or supply chain is trustworthy?

A:  Microsoft’s How to Tell website contains a wealth of information about how to determine whether Microsoft software is genuine, including pre-purchase checklists, product information, and visual examples of Certificates of Authenticity (COAs), installation media, and product packaging, including piracy prevention features. Meanwhile, the best way to purchase software is from an authorized reseller who sells only genuine software. To locate a reputable reseller, businesses can use local resources such as a Chamber of Commerce, the Better Business Bureau, and consumer publications, or find local Microsoft reseller contact information online at Microsoft’s Midsize Business Center, Small Business Center, or the Business & Industry websites.

 

Unfortunately, while there are tools to help determine whether a product is genuine, sometimes it will not be clear. This is why the exploitation of an unsecured supply channel is especially dangerous.

 

Q: Why is it called Operation b70?

A: The operation name is an alphanumeric code derived from the name of the botnet being disrupted. Each letter of “Nitol” is replaced by its position in the alphabet (N=14, I=9, T=20, O=15, L=12); those numbers add up to 70, and the “b” stands for “botnet”.

Q: What is Project MARS?

A: Project MARS (Microsoft Active Response for Security) is a joint effort between Microsoft’s Digital Crimes Unit, Microsoft Malware Protection Center, Global Network Services, and the Trustworthy Computing team to help rescue people, including our customers, from malware by cleaning their infected computers.  As part of this initiative, Microsoft not only helps people regain control of their computers, but also collects and analyzes the intelligence it gathers in each operation to improve its security protection services. Microsoft also shares this intelligence with ISPs and CERTs across the globe so they can notify their customers and constituents of rising threats and protect them from harm.

 

Q: Was law enforcement involved in this action?

A: No, law enforcement was not involved in this operation. 

 

Q: Now that you’ve disrupted these botnets, what happens to the computers already infected with the malware?

A: Although many computers are now free from the botherders’ control, they are still infected with the original malware. Due to the threat’s ability to create hidden access points onto a victim’s computer and to be spread via hardware like USB flash drives, a computer infected by the Nitol malware could also become infected with other strains of malware.

 

Microsoft will use the intelligence gained from this action to partner with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) around the world to work to rescue people’s computers from the control of the Nitol malware and the more than 500 additional types of malware associated with the 3322.org domain. This collaborative effort will help make the Internet safer for millions of innocent people, businesses, and public networks worldwide.

 

If asked: The support.microsoft.com/botnets page is primarily in American English at this time. Internationally, ISPs and CERTs may have their own processes and recommendations for computer clean-up.

 

Q: Does Microsoft believe that there should be more stringent identification requirements for people buying subdomains?

A: This case highlights an industry-wide problem pertaining to the use of subdomains.  Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while, by contrast, there are currently no regulations requiring domain hosts to know anything about the people using their subdomains, making it easy for domain owners to look the other way.

 

Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers or the supply chains through which they operate, they will be held accountable for what is happening on their infrastructure. In addition, it is our goal to illustrate the need for Original Equipment Manufacturers, suppliers, and consumers to implement more stringent practices and measures to ensure that the products they sell or purchase are both legitimate and free of malware.

 

Q: Will you start sending infected IP data to ISPs and CERTs right away as you have in prior botnet takedowns?

A: This takedown operation is a bit different because the domain running the command and control for the Nitol malware is now under Microsoft’s control. Microsoft will resolve all of the malicious 3322.org subdomains to a server it controls, a process known as sinkholing, in order to collect evidence and intelligence that will be used to help clean people’s computers of Nitol and the other types of malware operating on the 3322.org domain. Every connection attempt that reaches the sinkhole identifies an infected computer (or the resolver it sits behind), and those addresses are the data that will be passed on.

Because the domain now points at Microsoft’s name servers, any legitimate subdomains operating on the 3322.org domain will continue to function as they did prior to this action: Microsoft will keep serving their original records rather than the sinkhole address. Microsoft will continue to keep these subdomains operational until a resolution has been reached to transfer them to a new, legitimate domain. Of note, Microsoft built its own DNS infrastructure in part to mitigate any collateral damage resulting from its botnet operations.

 

Microsoft will use the intelligence gained from this action to partner with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) around the world to work to rescue people’s computers from the control of Nitol malware and the more than 500 additional types of malware associated with the 3322.org domain. This collaborative effort will help make the Internet safer for millions of innocent people, businesses, and public networks worldwide.
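The sinkholing and infected-client reporting described above, as an added example that is not Microsoft’s, CN-CERT’s or the Public Interest Registry’s code: a block-list-driven policy for an authoritative name server that answers blocked subdomains (and anything beneath them) with a sinkhole address while serving legitimate subdomains unchanged, logs the clients that hit the sinkhole, and groups those hits per client IP, which is the raw form of the data handed to ISPs and CERTs. The zone, its records, the block-list entries, the client addresses and the sinkhole address are all constructed for the example.

```python
"""Block-list-driven DNS sinkhole policy (added illustration, not Microsoft's
or CN-CERT's code). Zone, records, block-list entries, client addresses and
the sinkhole address are constructed for the example; a real operation would
plug this policy into an authoritative name server."""
from collections import defaultdict
from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.10"  # hypothetical sinkhole address (documentation range)


def _normalize(name):
    """Lower-case a query name and strip the trailing dot of a fully qualified name."""
    return name.lower().rstrip(".")


@dataclass
class SinkholePolicy:
    zone: str                                    # apex the server is authoritative for
    records: dict                                # subdomain -> original A record
    blocklist: set = field(default_factory=set)  # blocked subdomains (normalized)
    hits: list = field(default_factory=list)     # (client_ip, qname) per sinkholed query

    def in_zone(self, qname):
        q = _normalize(qname)
        return q == self.zone or q.endswith("." + self.zone)

    def is_blocked(self, qname):
        """True if qname is on the block-list or sits under a blocked name.

        Walks the suffixes of the name from the full name up to (but not
        including) the zone apex, so blocking cnc.3322.org also covers
        update.cnc.3322.org without a separate block-list entry."""
        labels = _normalize(qname).split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix == self.zone:
                break
            if suffix in self.blocklist:
                return True
        return False

    def add_to_blocklist(self, names):
        """Add newly identified malicious subdomains; returns how many were new."""
        added = 0
        for name in names:
            q = _normalize(name)
            if self.in_zone(q) and q not in self.blocklist:
                self.blocklist.add(q)
                added += 1
        return added

    def resolve(self, client_ip, qname):
        """Answer one A query.

        Returns the sinkhole address for blocked names (and logs the client),
        the original record for legitimate subdomains, and None when the name
        does not exist or the server is not authoritative for it."""
        q = _normalize(qname)
        if not self.in_zone(q):
            return None
        if self.is_blocked(q):
            self.hits.append((client_ip, q))
            return SINKHOLE_IP
        return self.records.get(q)

    def infected_clients(self):
        """Group sinkhole hits by client IP: the data handed to ISPs and CERTs."""
        seen = defaultdict(set)
        for client_ip, q in self.hits:
            seen[client_ip].add(q)
        return {ip: sorted(names) for ip, names in seen.items()}


def build_demo_policy():
    """Constructed zone for the example: two malicious names, one legitimate shop."""
    return SinkholePolicy(
        zone="3322.org",
        records={
            "shop.3322.org": "203.0.113.5",         # legitimate, must keep working
            "cnc.3322.org": "203.0.113.66",         # original C&C address
            "bot-update.3322.org": "203.0.113.67",  # original malware download host
        },
        blocklist={"cnc.3322.org", "bot-update.3322.org"},
    )


# Constructed query log: (client IP, queried name)
CONSTRUCTED_QUERIES = [
    ("198.51.100.7", "cnc.3322.org"),
    ("198.51.100.7", "update.cnc.3322.org"),
    ("198.51.100.23", "shop.3322.org"),
    ("198.51.100.23", "BOT-UPDATE.3322.org."),
    ("198.51.100.40", "nothere.3322.org"),
    ("198.51.100.40", "example.com"),
]


def run_demo(queries=CONSTRUCTED_QUERIES):
    """Resolve the constructed queries; returns (policy, answers in query order)."""
    policy = build_demo_policy()
    answers = [policy.resolve(ip, name) for ip, name in queries]
    return policy, answers


if __name__ == "__main__":
    demo_policy, demo_answers = run_demo()
    for (ip, name), answer in zip(CONSTRUCTED_QUERIES, demo_answers):
        print(f"{ip:>14}  {name:<28} -> {answer}")
    print("clients to notify:", demo_policy.infected_clients())
```

Suffix matching is the part that matters in practice: malware rarely contacts the bare block-listed label, so a policy that matched only exact names would let update.cnc.3322.org through. Note also that the sinkhole log records whoever asked the question, which behind a large ISP resolver is the resolver rather than the infected host; one hit can stand for many machines, which is one reason the notifications go through ISPs and CERTs rather than straight to end users.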

 

RUDE Q’s for Original Announcement

 

Q: Why did you conduct your study in China?

A: Microsoft decided to begin its study in China because piracy is a known issue there; the Business Software Alliance estimates that 77 percent of software in China is pirated. Also, Microsoft worked with the Chinese CERT in the Rustock botnet case and has a good working relationship with CN-CERT.

Q: Are you saying all counterfeit software is bad? Isn’t this just a play by the company to get people to buy legitimate software?

A: Yes, buying counterfeit software is bad as it can harm the end purchaser as well as their family, friends, and co-workers. There are inherent risks in installing and using counterfeit software that are not present when you purchase genuine software; simply put, with counterfeit software, there’s no way to know exactly what you’re getting.  Microsoft’s study found that one in five computers purchased through an unsecure supply chain was infected with malware. That’s a 20 percent infection rate.

 

An article in the New York Times claims that criminal syndicates are increasingly using software piracy and counterfeiting to fund a number of illegal operations.

 

A study showed that consumers and governments are very concerned about this trend.  More than 80 percent of consumers worldwide expressed concerns about counterfeit software in a recent survey, and listed “funding crimes” among their top three concerns, along with “identity theft” and “data loss.”

 

Q: The majority of botnet infections are in China.  Why is a U.S. company taking action against China?

A: While the majority of Nitol infections are located in China, as alleged in the complaint and further supported by the data collected in our sinkhole operation, this botnet is a global threat. Additionally, because this malware spreads through removable media like USB flash drives, it has the potential to spread quickly and quietly, potentially causing an enormous amount of damage to people, businesses, and public networks worldwide.

Q: Who needs to take steps to address the issues you uncovered regarding unsecured supply chains?

A: While global CERTs, Original Equipment Manufacturers, suppliers, distributors and resellers should be adopting and practicing more stringent policies to ensure that all digital products are delivered through a trustworthy supply chain, it is also important for policymakers and legislators to protect their constituents from the security risks associated with a risky supply chain.

One way policymakers and legislators could do this is by amending the current statutes regarding the distribution and reselling of counterfeit software to increase the penalties for criminals if the counterfeit products they distribute or sell are shown to make people more vulnerable to malware infections. Because of the malware’s ability to spread easily, enhanced penalties could help protect millions of innocent people from this threat, which poses public safety risks similar to those associated with the buying and selling of counterfeit drugs. In the meantime, the appropriate law enforcement agencies can help prevent the spread of malware through counterfeit software by enforcing existing laws.

 

Q: What type of counterfeit software was found on the computers you sampled?

A:  The counterfeit software Microsoft researchers found on the computers acquired through an unsecured supply chain for their study were versions of Windows XP and Windows 7.

 

Q: Is Windows Defender a new feature for Windows 8?

A: This is not a new feature. Windows Defender was first made available as a free download for Windows XP, was included in Windows Vista, and is currently available for Windows XP, Windows Vista and Windows 7. Windows Defender in Windows 8 is improved to provide wider and better protection.

Q: What’s new with Windows Defender in Windows 8?

A: Windows Defender will help protect you from all types of malware, including viruses, worms, bots and rootkits by using the complete set of malware signatures from the Microsoft Malware Protection Center, which Windows Update will deliver regularly along with the latest Microsoft antimalware engine. This expanded set of signatures is a significant improvement over previous versions of Windows Defender, which only included signatures for spyware, adware, and potentially unwanted software.

 

In addition, Windows Defender will now provide real-time detection of and protection from malware threats using a file system filter, and will interface with Windows trusted boot, another new Windows 8 protection feature.

We have designed Windows Defender to be unobtrusive for most daily usage, and will notify you only when you need to perform an action, or critical information demands your attention. Windows Defender will also use the new Windows 8 maintenance scheduler to limit interruptions. We encourage you to read the “Protecting you from malware” post on our Building Windows 8 blog site for more information.

 

Q: You talk about the lack of accountability for domain owners on their subdomains as being a problem that is facilitating crimes like this botnet.  A blog post you posted for the Kelihos case even says “Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime.” Are you saying new law or regulations are needed to address this problem?

A: Not necessarily.  What we are looking for is an industry discussion on this subject. To our knowledge there are currently no requirements, voluntary or otherwise, necessitating that domain owners take any steps to know anything about who is using their subdomains and for what purpose.  Subdomains are not illegal in and of themselves, but if not responsibly monitored, they can be unscrupulously leveraged by criminals. 

 

We would like domain owners to know who is using their subdomains and for that information to be available in a public registry.  If it’s not possible to find out who these subdomains belong to, it’s our stance that domain owners should then be held accountable for what is happening on their infrastructure. In addition, it is our goal to illustrate the need for Original Equipment Manufacturers, suppliers, and consumers to implement more stringent practices and measures to ensure that the products they sell or purchase are both legitimate and free of malware.

 

Q: Is it Microsoft’s role to be the Internet police?

A: Enforcement of laws is the sole jurisdiction of law enforcement and government. However, Microsoft is in a unique position to provide technical expertise and support in the interests of helping better protect our customers and the Internet community at large from the evolving threats of cybercrime.

 

We work closely with law enforcement on a number of initiatives and we believe that public-private partnerships are essential to address the increasing complexities of cybercrime; no one can do it alone. At Microsoft, we’re determined to help stop cybercrime through legal action, technology and consumer education. Microsoft supports governments and law enforcement by providing them with technical training, investigative and forensic assistance, and the continued development of new technology tools to combat cybercrime.

 

Q: Should government be doing more to help private industry fight bots/cybercrime overall?

A: To improve cybersecurity, governments need to rethink how they can fulfill their responsibilities.  They need to leverage the collective capabilities of diplomacy, intelligence, the military, law enforcement, economics, and education, and create a coordinated strategy to integrate these capabilities.  Cross-governmental efforts call for careful strategic planning (to maximize the effect of the governmental action), tactical coordination, and harmonization of laws. In many cases, this means that ultimate responsibility for the strategy and tactics must reside with an authority that can direct all of the agencies in a coordinated way.

 

Q: Why didn’t you go through ICANN to disrupt this botnet?

A: ICANN’s current dispute resolution process gives botherders notice, effectively giving them time to close up shop and resume their illegal activities under a new domain. The ex parte motion was necessary to prevent the alleged botherders from moving control of these harmful botnets to different domains or IP addresses before they could be captured in the operation. As in the Waledac, Rustock and Kelihos cases, Microsoft is making a good faith effort to notify the defendants and give them the opportunity to present their case to the court.

More info:

-          Blog entry highlighting today’s news: http://blogs.technet.com/b/microsoft_blog/archive/2012/10/02/microsoft-reaches-settlement-with-defendants-in-nitol-case.aspx

-          DCU on Facebook/Twitter (please feel free re-tweet content): http://www.facebook.com/MicrosoftDCU and https://twitter.com/MicrosoftDCU

 regards,

Alexandre
