In depth: How Microsoft is taking down Nitol botnet
Microsoft discovered the infection on pristine personal computers in 2011 as it investigated supply chains in China
By Tim Greene | Network World US | Published: 17:27, 17 September 2012
For the fifth time in three years Microsoft has stepped in to take down a botnet, this time malware called Nitol that was infecting new machines bought in China.
A US court has allowed the company to take over authority of a top-level domain - 3322.org - in an effort to stop the activity of the botnet under Nitol's control.
Microsoft discovered the infection on pristine personal computers in 2011 as it investigated supply chains in China for evidence of products becoming infected before sale or using pirated software, according to a Microsoft blog post. The investigation was dubbed Operation b70.
Related Articles on Techworld
Nitol enlists infected machines into botnets that can execute distributed denial-of-service attacks (DoS) and can also download malicious code for machines to perform whatever commands the bot commander directs, according to court papers filed by Microsoft in its successful effort to win a temporary restraining order against the ISP with authority over 3322.org.
That company - Changzhou Bei Te Kang Mu Software - and an individual behind it - Peng Yong - were named, but there are others identified only as John Does.
A Microsoft team based in China bought 20 PCs as part of an effort to find the source of machines sporting pirated Microsoft operating systems. It not only found pirated products, it found one machine that came pre-infected with Nitol.
This led to an investigation of Nitol, how it worked and what infrastructure it used. This led to an ISP in China named BitComm and its owner Peng Yong, according to court papers. Nitol was capable of key logging, stealing passwords and other data, generating spam and participating in DDoS attacks. It could even turn on the computer's microphone and camera to become a spy device, according to a court affidavit from Patrick Stratton, a senior manager of investigations in Microsoft's Digital Crimes Unit.
Infected machines check in with command and control servers, most of which are located in China, but with a significant number in the US, particularly in California, Texas, Georgia and Pennsylvania, with the most active cities being San Diego, San Jose, Dallas, Atlanta and Scranton, Pa., according to a Microsoft report.
Microsoft has been granted authority over the offending 3322.org domain, which contains 70,000 malicious subdomains but also millions of legitimate subdomains, says Craig Sprosts, the general manager of Nominum, a DNS company working with Microsoft on the Nitol takedown.
As zombie machines attempt to contact their command servers in those domains, their DNS requests go to Microsoft-controlled servers which use Nominum software to black-hole them, which means they get no response so they cannot connect to upload information or download instructions and further malware, he says.
He says Nominum is working with Microsoft on similar future efforts, but would not detail what they are. "Our collaboration with Microsoft here will be repeated," he says.
Nitol is spread via removable media - flash drives, removable disks, zip files - and embeds itself in directories populated mainly by application files. It disguises itself as a commonly used .dll file called LPK.DLL which is used by virtually every application with a user interface, Microsoft says in court filings.
By placing itself in directories containing applications, the phony LPLK.DLL is accessed by these applications as they boot up. In the absence of the malware LPL.DLL, the applications look in their own directories for the file but do not find it and then continue searching for it and find a legitimate version in Windows system file folders.
When it infects a machine, Nitol masks its presence by altering settings within Windows Explorer, making its files super hidden, Microsoft says. This means they won't show up when they are searched for by Windows Explorer.
While security updates from Microsoft and malware detection and removal software vendors can detect and remove varieties of Nitol, users whose machines have pirated versions of software such as Windows won't be eligible for the updates, Sprosts says.
But Nitol is stubborn and replaces malicious files on the hard drives of infected computers if they are deleted.
Taking down botnets has become part of the routine of the company's Digital Crimes Unit. In February 2010, a court order helped the company take down the Waledac botnet. In March of 2011 it was Rustock and in September of the same year it was Kelihos. In march of this year, it was Zeus.