In association with heise online

14 September 2012, 14:12

"Pre-loaded" PC malware leads to domain takeover


A US District Court has given Microsoft permission to take down the command and control servers and domains of over 500 strains of malware. Microsoft's Digital Crimes Unit asked the Eastern District of Virginia to allow it to disable these domains as part of "Operation b70", which has its roots in a study Microsoft carried out in China.

Microsoft has found that new computers purchased by its employees in Chinese cities already had malware installed on them. In August 2011, the company began an investigation to see whether there was any evidence to back up claims that counterfeit software and malware were being placed onto PCs in the Chinese supply chain. It sent employees to buy ten desktop and ten laptop computers from "PC Malls" in various cities in China; four of the computers were found to already have malware on them.

As well as carrying malware that spread over USB flash drives, one of the four machines in particular attracted the researchers' attention because it was infected with the Nitol virus. Nitol installs a backdoor used for spam or DDoS attacks, and the botnet it was connected to was hosted at 3322.org. Microsoft found that the hosting provider appeared to host around 500 different strains of malware on 70,000 sub-domains. This other malware, says Microsoft, included backdoors for remote camera control and viewing as well as key loggers.

It appears that Microsoft had no success approaching the hosting company, so it decided to apply through the courts to take over the domain. It has now been given permission, through a temporary restraining order, to take control of the 3322.org domain and block the operation of the Nitol botnet and the other malware. As there are legitimate subdomains of 3322.org, Microsoft is filtering access with the help of Nominum, allowing traffic to the legitimate subdomains through while blocking access to the malicious ones.
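The selective filtering described above, as an added example that is not Microsoft's or Nominum's code: a resolver policy for a seized zone that answers known-malicious subdomains with a sinkhole address and passes everything else through. The blocklisted labels, the sinkhole IP and the upstream lookup are constructed for illustration.

```python
# Added example (not from the article): selective DNS sinkhole policy for a
# seized zone, modelled on the 3322.org takeover in which legitimate
# subdomains stay reachable while malicious ones are answered with a sinkhole.
# Blocklist labels and the sinkhole address below are constructed.

SEIZED_ZONE = "3322.org"
SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address, constructed

# Constructed blocklist: labels directly under the seized zone that
# served as C&C hosts (names are hypothetical).
MALICIOUS_SUBDOMAINS = {"nitol-c2", "keylog-upload", "cam-view"}


def normalize(name):
    """Canonicalise a DNS query name: lower-case, strip trailing dot."""
    return name.strip().lower().rstrip(".")


def in_zone(name, zone):
    """True if name is the zone apex or a subdomain of it (label-aware suffix
    match, so 'evil3322.org' and '3322.org.example' do not match)."""
    return name == zone or name.endswith("." + zone)


def resolve_policy(qname, upstream):
    """Decide how the filtering resolver answers qname.

    upstream: callable name -> IP, the normal recursive lookup.
    Returns (action, answer) with action in {'forward', 'pass', 'sinkhole'}.
    """
    name = normalize(qname)
    if not in_zone(name, SEIZED_ZONE):
        # Outside the seized zone: ordinary resolution, no policy applied.
        return ("forward", upstream(name))
    # Labels below the zone apex, e.g. "www.nitol-c2" -> ["www", "nitol-c2"].
    relative = name[: -len(SEIZED_ZONE) - 1] if name != SEIZED_ZONE else ""
    labels = relative.split(".") if relative else []
    # The registered subdomain is the label nearest the apex, so
    # "www.nitol-c2.3322.org" is caught as well as "nitol-c2.3322.org".
    if labels and labels[-1] in MALICIOUS_SUBDOMAINS:
        return ("sinkhole", SINKHOLE_IP)
    # Legitimate subdomain of the seized zone: let the real answer through.
    return ("pass", upstream(name))


if __name__ == "__main__":
    fake_upstream = lambda n: "198.51.100.5"  # constructed upstream answer
    for q in ["nitol-c2.3322.org.", "myhome.3322.org", "3322.org.example"]:
        print(q, "->", resolve_policy(q, fake_upstream))
```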

(djwm)

Permalink: http://h-online.com/-1708165