Microsoft applies 'surgical sinkhole' to strangle botnet installed on new PCs

Uncovers out-of-the-box Chinese machines infected with 'Nitol,' uses new DNS sinkhole strategy to kill botnet's comm links

Microsoft has uncovered a vulnerability in the PC supply chain that allows hackers to pre-install malware-infected copies of Windows onto new machines.

As a result, the company has received approval from a federal court to strangle a botnet it uncovered during the investigation, which it conducted in China.

The company announced on Thursday that it was diverting traffic from the 3322.org domain to its own DNS (domain name system) servers to selectively block communications from PCs infected with the "Nitol" botnet to the hackers' command-and-control (C&C) machines.

It's also blocking access to approximately 70,000 malware-plagued subdomains of 3322.org, a Chinese web hosting firm. Other subdomains of 3322.org are resolving normally for users.

The tactic, called "sinkholing," isn't new to Microsoft's anti-malware efforts -- it's sinkholed other botnets -- most recently in March, when it disrupted networks that relied on the Zeus crimeware toolkit -- but a new twist lets it block the bad on 3322.org while letting the good through.

"We're always concerned about collateral damage," said Richard Boscovich, a senior attorney in Microsoft's digital crimes unit, in an interview yesterday. "3322.org has between 2.5 and 2.75 million subdomains, but only the 70,000 malicious subdomains will be sinkholed. The remaining will resolve."

Most sinkholing efforts divert all traffic from a malicious domain, blocking access for everyone.

Redwood City, Calif.-based Nominum provided technical assistance and its DNS software to the operation, which Microsoft has dubbed "b70."

"This was a surgical strike," said Craig Sprosts, Nominum's general manager for fixed broadband solutions, in an interview today. "Microsoft took ownership of the [3322.org] domain and basically created a more surgical access to the good domains and blocked the bad."

The problem posed by the sinkholing of 3322.org, with its millions of subdomains, was technically difficult, said Sprosts and a college, Daniel Blasingame, general manager for embedded solutions at Nominum.

"Microsoft needs to be able to change the list of the good and bad subdomains on the fly," said Blasingame, who cited that as well as the sheer scale of the project as factors complicating the operation.

All DNS traffic between users and the 3322.org domain and its subdomains now flows through Nominum servers installed at Microsoft's data centers, confirmed Sprosts.

"Microsoft has told us that this is literally the biggest botnet it's dealt with," said Blasingame, talking about the amount of sinkholed traffic Microsoft is now dealing with. "They've said it's a massive amount of DNS traffic."

Microsoft's take on 3322.org is unclear. In a complaint filed on Sept. 10 with a Virginia federal court, Microsoft called the domain a "major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people world-wide."

Boscovich, however, seemed willing to give its owner, Peng Yong, the benefit of the doubt. "We're reached out to the domain owner, not only to serve him [with the complaint] but also to work with him."

In an interview with the Associated Press Wednesday, Peng denied the allegations and said his company does not tolerate improper conduct on 3322.org.

But 3322.org has been fingered by security experts as a haven for malware websites, a so-called "bulletproof" hosting company, named that because it's supposedly impervious to takedown.

Zcaler, for instance, has claimed that 3322.org accounted for 17% of the world's malicious URL traffic, while Kaspersky Lab has said that 40% of all malware has, at one point or another, connected to the domain.

"This is one of the most prevalent call-home locations used by malware in the Nitol family," said Paul Duckin of Sophos, in a Friday blog post, referring to 3322.org.

Microsoft discovered the Nitol-new PC connection last year when Boscovich's team purchased 20 new desktop and laptop PCs in China, and found all 20 using counterfeit copies of Windows XP or Windows 7.

Four of the PCs had malware pre-installed, and while three of those machines' threats were inactive, the fourth immediately connected to a Nitol C&C server for instructions.

It wasn't an accident that Microsoft uncovered the supply chain plot.

"We're always looking at different aspects of how people get infected, and there's always some discussion here of getting infected through counterfeit OSes," said Boscovich. "We wondered, 'How bad is this situation? People are getting more astute about security, so what are the criminals trying to do now?' We heard that the supply chain was an area where malware could be introduced. But I was somewhat surprised that we found malware-infected machines so quickly."

Microsoft has warned customers that counterfeit copies of Windows pose a threat for years -- a message many see as cover for a greater concern for its own business interests.

Boscovich relayed the same message yesterday. "Counterfeit software is usually merely an intellectual property issue, which is important," he said. "But this transcends. People, not just a company, are potentially victimized."

Microsoft is unsure where in the Chinese supply chain the malware was introduced, but given the way PCs are purchased there, believes that it's at the point where a retailer adds Windows.

It's unlikely that the malware was planted at the factory, said Boscovich, who said that some of the infected PCs were from brands recognizable to Westerners. He declined to name those manufacturers, however.

"In this particular region [China], most PCs come with the DOS operating system, and customers rely on the retailer to install a more modern operating system," said Boscovich. "Somewhere in the retail supply chain, a retailer puts on Windows."

That's the probable point in the chain where the infections occur.

"The porous nature of the supply chain puts people, consumers and their friends and family, at risk as criminals find new ways to compromise computers," Boscovich said.

Nitol is not a new threat -- it was first discovered in 2008 -- but with tens of thousands of variants this year alone, it's created what Sophos called a "veritable web of cyber criminality."

Boscovich said Microsoft is seeking the names of the individuals who registered the Nitol C&C domains from Peng, as well as those responsible for the 70,000-some malware-hosting subdomains, but has yet to reach Peng. It will identify the machines infected with the bot and refer those IP addresses to the appropriate country's CERT (Computer Emergency Response Team) organization and pertinent ISPs to work with users and customers on cleanup efforts.

The new "surgical" sinkholing tactic, however, may be the longest-lasting affect of Microsoft's Operation b70, said Nominum's Sprosts.

"Bulletproof hosting companies often try to hide behind innocent victims to escape legal action," he said. "This will be a wake-up call for many other [bulletproof hosting firms] that they'd better clean up their act."

Because Microsoft and others can now limit collateral damage, Sprosts said, he anticipated that courts will look more kindly on takedown and sinkhole requests. "[Judges] will see that this is surgical, not a blunt force instrument."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Comments

Comments are now closed

iiNet back in court over P2P file sharing

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]