Microsoft disrupts major botnet by blocking malicious domain
Microsoft recently won a court order allowing it to take over hosting of “3322.org”, a malicious Internet domain based in China, and route its traffic through Microsoft’s own dynamic DNS. The domain hosts around 70,000 malicious subdomains and is associated with close to 500 different strains of malware that are distributed via counterfeit software. One of the most infamous botnets to originate from this source was ‘Nitol’, and Microsoft now intercepts and blocks all malicious activity from this source.
Nitol commonly used fake software distribution channels (especially for Windows) to spread different strains of malware, and this is what led Microsoft to take action against the 3322.org domain. The legal operation (Operation b70) was authorized by the U.S. District Court for the Eastern District of Virginia, which allowed the Microsoft Digital Crimes Unit to take over the malicious domain. Microsoft had initially carried out a study of insecure supply chains that led to the distribution of counterfeit software infected with malware, and that study is what led to the discovery of this malicious domain hosted in China.
This is Microsoft’s second botnet takedown in the last 6 months and a noteworthy attempt to protect innocent victims. These victims are commonly infected by fake software distributed through unauthorized supply chains. Such botnets are particularly dangerous because they not only affect the victim without their knowledge, but also spread to most of their contacts through emails, social networks, USB devices and other mediums.
Quick Heal detects 3322.org subdomains
Quick Heal, the best system protection software, has observed this domain in the past and has released alerts about various trojans and other malware originating from it. These include Backdoor.Hupigon.xda, TrojanDownloader.Agent.brns and TrojanDropper.Small.avc.
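Because the malicious subdomains all sit under the 3322.org zone, a simple defensive check is to flag DNS queries for any name in that zone. The following Python is an added example, not code from Quick Heal or Microsoft; the resolver log format and the log lines are constructed for illustration, and the matching is done on label boundaries so that look-alike names such as “evil3322.org” or “3322.org.example.net” are not falsely flagged.

```python
import re

# Constructed sample resolver log lines (not real traffic): timestamp, client, query name, type
SAMPLE_DNS_LOG = """\
2012-09-13T10:01:02Z 10.0.0.12 query: www.example.com A
2012-09-13T10:01:05Z 10.0.0.12 query: update.abc123.3322.org A
2012-09-13T10:01:07Z 10.0.0.45 query: evil3322.org A
2012-09-13T10:01:09Z 10.0.0.45 query: 3322.org.example.net A
2012-09-13T10:01:11Z 10.0.0.77 query: host42.3322.org A
2012-09-13T10:01:13Z 10.0.0.77 query: 3322.ORG. A
2012-09-13T10:01:15Z 10.0.0.12 query: Update.ABC123.3322.org A
"""

# Zones the takedown covers; only 3322.org is named on the page
WATCHED_ZONES = ("3322.org",)

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$")


def normalize(name):
    """Strip a trailing root dot and lower-case, since DNS names are case-insensitive."""
    return name.rstrip(".").lower()


def in_zone(qname, zone):
    """True if qname is the zone apex or a subdomain of it (match on a label boundary)."""
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)


def scan_dns_log(text, zones=WATCHED_ZONES):
    """Return one record per query whose name falls inside a watched zone."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        qname = normalize(m["qname"])
        for zone in zones:
            if in_zone(qname, zone):
                hits.append({"ts": m["ts"], "client": m["client"], "qname": qname, "zone": zone})
                break
    return hits


def summarize(hits):
    """Aggregate hits into distinct names and affected clients for triage."""
    return {
        "queries": len(hits),
        "distinct_names": sorted({h["qname"] for h in hits}),
        "clients": sorted({h["client"] for h in hits}),
    }
```

Running `summarize(scan_dns_log(SAMPLE_DNS_LOG))` on the constructed log reports 4 matching queries from 2 clients; the two look-alike names are not counted.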
The Nitol botnet malware has also carried out several DDoS attacks that overload large networks with Internet traffic and ultimately cripple them. In addition, it created further access points on infected machines so that new malware strains could enter through other sources.
This successful action by Microsoft reduces the impact of Nitol and the 3322.org domain and potentially saves millions of people from being targeted. Insecure supply chains are a common method of infecting unaware victims, and this is the first of many steps needed to prevent such attacks.