Microsoft applies 'surgical sinkhole' to strangle botnet installed on new PCs
Uncovers out-of-the-box Chinese machines infected with 'Nitol,' uses new DNS sinkhole strategy to kill botnet's comm links
Computerworld - Microsoft has uncovered a vulnerability in the PC supply chain that allows hackers to pre-install malware-infected copies of Windows onto new machines.
As a result, the company has received approval from a federal court to strangle a botnet it uncovered during the investigation, which it conducted in China.
The company announced on Thursday that it was diverting traffic from the 3322.org domain to its own DNS (domain name system) servers to selectively block communications from PCs infected with the "Nitol" botnet to the hackers' command-and-control (C&C) machines.
It's also blocking access to approximately 70,000 malware-plagued subdomains of 3322.org, a Chinese web hosting firm. Other subdomains of 3322.org are resolving normally for users.
The tactic, called "sinkholing," isn't new to Microsoft's anti-malware efforts -- it's sinkholed other botnets -- most recently in March, when it disrupted networks that relied on the Zeus crimeware toolkit -- but a new twist lets it block the bad on 3322.org while letting the good through.
"We're always concerned about collateral damage," said Richard Boscovich, a senior attorney in Microsoft's digital crimes unit, in an interview yesterday. "3322.org has between 2.5 and 2.75 million subdomains, but only the 70,000 malicious subdomains will be sinkholed. The remaining will resolve."
Most sinkholing efforts divert all traffic from a malicious domain, blocking access for everyone.
Redwood City, Calif.-based Nominum provided technical assistance and its DNS software to the operation, which Microsoft has dubbed "b70."
"This was a surgical strike," said Craig Sprosts, Nominum's general manager for fixed broadband solutions, in an interview today. "Microsoft took ownership of the [3322.org] domain and basically created a more surgical access to the good domains and blocked the bad."
The problem posed by the sinkholing of 3322.org, with its millions of subdomains, was technically difficult, said Sprosts and a colleague, Daniel Blasingame, general manager for embedded solutions at Nominum.
"Microsoft needs to be able to change the list of the good and bad subdomains on the fly," said Blasingame, who cited that as well as the sheer scale of the project as factors complicating the operation.
All DNS traffic between users and the 3322.org domain and its subdomains now flows through Nominum servers installed at Microsoft's data centers, confirmed Sprosts.
"Microsoft has told us that this is literally the biggest botnet it's dealt with," said Blasingame, talking about the amount of sinkholed traffic Microsoft is now dealing with. "They've said it's a massive amount of DNS traffic."
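The selective sinkhole described above (answer only the malicious subdomains with a sinkhole address, let the other subdomains of the seized apex resolve normally, and swap blocklist entries without a restart) can be modelled as a small resolver policy. The following Python is an added illustration written for this article; it is not Nominum's DNS software or anything Microsoft deployed. The subdomain names, the upstream records and the sinkhole address (an RFC 5737 documentation address) are all constructed placeholders, and the "upstream" dictionary stands in for the real zone data a production resolver would forward to.

```python
"""Selective DNS sinkhole policy (added illustration, not production code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Placeholder address from the TEST-NET-1 documentation range; a real sinkhole
# would point at a server operated by the party holding the court order.
SINKHOLE_ADDR = "192.0.2.1"


def _normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


@dataclass
class SelectiveSinkhole:
    """Per-query policy for a seized apex domain.

    Names under ``apex`` that match the blocklist (exactly, or beneath a
    blocked subdomain) get the sinkhole address; every other name under the
    apex resolves from ``upstream`` as it would have before the seizure.
    """
    apex: str
    blocked: Set[str] = field(default_factory=set)
    upstream: Dict[str, str] = field(default_factory=dict)  # stand-in for zone data
    stats: Dict[str, int] = field(default_factory=lambda: {"sinkholed": 0, "passed": 0})

    def _under_apex(self, name: str) -> bool:
        return name == self.apex or name.endswith("." + self.apex)

    def update_blocklist(self, add: Iterable[str] = (), remove: Iterable[str] = ()) -> None:
        """Hot-swap entries: the list changes without restarting the resolver."""
        for n in remove:
            self.blocked.discard(_normalize(n))
        for n in add:
            n = _normalize(n)
            if n != self.apex:  # never sinkhole the apex itself; only subdomains
                self.blocked.add(n)

    def is_blocked(self, name: str) -> bool:
        """True if the name or any parent label beneath the apex is blocklisted."""
        n = _normalize(name)
        while self._under_apex(n):
            if n in self.blocked:
                return True
            if "." not in n:
                break
            n = n.split(".", 1)[1]  # strip the leftmost label and re-check
        return False

    def resolve(self, name: str) -> Optional[str]:
        """Return the answer for ``name``: sinkhole, genuine record, or None."""
        n = _normalize(name)
        if not self._under_apex(n):
            return None  # outside the seized domain: not this policy's concern
        if self.is_blocked(n):
            self.stats["sinkholed"] += 1
            return SINKHOLE_ADDR
        self.stats["passed"] += 1
        return self.upstream.get(n)  # None models NXDOMAIN for an unknown name


def build_demo_sinkhole() -> SelectiveSinkhole:
    """Constructed sample data: two malicious subdomains among legitimate ones."""
    sink = SelectiveSinkhole(apex="3322.org")
    sink.upstream = {
        "legit.3322.org": "203.0.113.10",   # constructed legitimate host
        "evil-c2.3322.org": "198.51.100.5",  # real record exists but is never served
    }
    sink.update_blocklist(add=["evil-c2.3322.org", "mal.3322.org"])
    return sink


if __name__ == "__main__":
    sink = build_demo_sinkhole()
    for q in ["legit.3322.org", "evil-c2.3322.org", "update.evil-c2.3322.org.", "example.com"]:
        print(f"{q:32} -> {sink.resolve(q)}")
    print(sink.stats)
```

The suffix walk in `is_blocked` is what makes the policy "surgical": a blocklist entry covers every label beneath it, so a C&C host that moves to a new name under an already-blocked subdomain is still caught, while sibling subdomains are untouched. Keeping the blocklist as a mutable set, updated through `update_blocklist`, is the simplest way to meet the requirement Blasingame describes of changing the good and bad lists while the resolver keeps answering.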
Microsoft's take on 3322.org is unclear. In a complaint filed on Sept. 10 with a Virginia federal court, Microsoft called the domain a "major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people world-wide."