Microsoft seizes Chinese botnet domain

Wins court injunction against alleged owners.

Microsoft is preparing to seize a Chinese-owned domain and up to 70,000 sub-domains believed to host a malicious botnet aimed at performing distributed denial of service attacks through infected machines.

A United States District Court granted the software giant's request to host the 3322.org domain, beileved to be the source of the emerging Nitol botnet and more than 500 other different strains of malware with the potential for targeting millions of innocent people.

It placed a restraining order against the alleged owners of the domain — Peng Yong, Bei Tei Kang Mu Software Technology trading as Bitcomm Ltd, and up to three other unnamed people — for violating federal law, according to court papers.

The Associated Press reported that Peng was not aware of the court injunction and denies allegations of hosting malware.

Nitol spreads through the network and removable devices such as USB sticks. It performs distributed denial of service attacks and also allows attackers to run arbitrary software on infected systems.

The malware is most likely of Chinese origin and concentrated mainly that country, but has spread around the world with infections in the US, Russia, Australia and Germany and Microsoft.

Richard Boscovich, a former US federal prosecutor and now assistant general counsel for Microsoft's Digital Crime Unit, said the company had discovered instances of the malware being distributed on machines sold through retailers with counterfeit versions of Windows.

"What's especially disturbing is that the counterfeit software embedded with malware could have entered the [supply] chain at any point as a computer travels among companies that transport and resell the computer," Boscovich wrote in a blog entry.

He argued that as people can't tell if a supply chain is unsecure or not, exploitation of a broken one is an "especially dangerous vehicle for infecting people with malware".

The company had begun tracking down the source of the botnet and the insecure supply chain under Operation b70 since August last year, buying 20 computers from different cities in China.

One, a Hedy laptop running Windows XP Service Pack 3, was found to have been "carelessly or intentionally infected with Nitol".

Although the malware has come to the fore this year, Boscovich suggested the botnet was "being hosted on a domain linked to malicious activity since 2008".

However, Boscovich said that Peng had ignored past warnings by other online security firms.

According to cloud security firm Zscaler, the 3322.org domain accounted for more than 17 percent of the world's malicious web traffic in 2009 and, since the court order, over 37 million malware connections to the domain have been blocked.

Microsoft has taken action against several botnets in recent months, including tracking down two Russians allegedly behind the Zeus Botnet.

The company also claims to have disrupted the Waledac, Rustock and Kelihos botnets over the past two years.