Microsoft announced today that it has taken action to disrupt an emerging botnet, called Nitol, that used victims’ PCs to conduct distributed denial of service attacks and gave cybercriminals backdoor access that could be used to install other malware or to access data. The disruption of the botnet was the culmination of a Microsoft operation codenamed “b70,” which was launched as the result of discoveries made during an investigation into the distribution of counterfeit software by computer resellers in China.
First, the company was granted temporary restraining orders against an individual named Peng Yong and his company based in Changzhou, China. Then, Microsoft took over hosting 3222.org—the domain hosting the Nitol botnet and “nearly 70,000 other malicious subdomains”—according to a blog post describing the operation written by Richard Domingues Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit. In addition to the Nitol command and control network, the domain hosted over 500 strains of various other malware, including trojans that record victims’ keyboard entry and take control of PCs’ Web cameras and microphones. The 3222.org domain has been tied to malware activity dating back to 2008.