Domain owner agrees to work with Microsoft to destroy malicious domains

News by Dan Raywood

A man recently named as owning a malware-hosting domain has agreed to work with Microsoft to prevent cyber criminals from using the domain.

Peng Yong, the registered owner of the domain, was named by Microsoft after the Nitol botnet was found to be hosted on it. Microsoft said the domain had been linked to malicious activity since 2008 and carried 500 different strains of malware across more than 70,000 subdomains.

Microsoft was granted an ex-parte temporary restraining order against Yong, his company and others, and took control of the domain by routing its name resolution through a DNS infrastructure that Microsoft set up for the purpose. Yong said at the time that his company had a ‘zero tolerance’ attitude towards illegal activity on the domain.

In a statement, Richard Domingues Boscovich, assistant general counsel at the Microsoft digital crimes unit, said that Microsoft had resolved the issues in the case and had dismissed the lawsuit pursuant to the agreement.

He also said that Yong had agreed to work in cooperation with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to resume providing authoritative name services for the domain and to block all connections to any of the subdomains identified in a 'block list', by directing them to a sinkhole that will be designated and managed by CN-CERT.

Yong will add subdomains to the block list as new subdomains associated with malware are identified by Microsoft and CN-CERT.
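The arrangement described above is a standard authoritative-server sinkhole: the zone keeps answering normally, but any name on the block list (and anything beneath it) resolves to the sinkhole address instead of its real record, and each sinkholed query can be counted per client. The following is an added example of that logic, not code from Microsoft, CN-CERT or the domain operator; the zone name `example.org`, the record data, the client addresses and the sinkhole address `192.0.2.1` are all constructed (reserved documentation ranges), and the `SinkholingAuthority` class and its methods are hypothetical names chosen for this illustration.

```python
"""Blocklist-driven DNS sinkhole for one authoritative zone (added example).

Listed subdomains, and every label beneath them, answer with the sinkhole
address; unlisted names resolve from the zone's own records; names outside
the zone are refused, as an authoritative server would.  Zone, records and
addresses below are constructed for the example.
"""
from collections import defaultdict


def normalize(name: str) -> str:
    """Canonical form for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


class SinkholingAuthority:
    def __init__(self, zone: str, sinkhole_ip: str, records: dict):
        self.zone = normalize(zone)
        self.sinkhole_ip = sinkhole_ip
        self.records = {normalize(k): v for k, v in records.items()}
        self.blocklist = set()
        # Per-client counters give the "connections blocked" and
        # "unique IP addresses" figures an operator reports.
        self.blocked_by_client = defaultdict(int)
        self.served = 0

    def in_zone(self, name: str) -> bool:
        return name == self.zone or name.endswith("." + self.zone)

    def block(self, name: str) -> None:
        """Add a subdomain to the block list (can be called at any time)."""
        name = normalize(name)
        if not self.in_zone(name):
            raise ValueError(f"{name} is outside zone {self.zone}")
        self.blocklist.add(name)

    def is_blocked(self, name: str) -> bool:
        # Check the name and each parent below the zone apex, so an entry
        # for "bad.example.org" also catches "cdn.bad.example.org".  The
        # apex itself is never sinkholed: the zone keeps being served.
        labels = name.split(".")
        zone_len = len(self.zone.split("."))
        for i in range(0, len(labels) - zone_len):
            if ".".join(labels[i:]) in self.blocklist:
                return True
        return False

    def resolve(self, qname: str, client_ip: str):
        """Return (rcode, address) for a query from client_ip."""
        name = normalize(qname)
        if not self.in_zone(name):
            return ("REFUSED", None)
        if self.is_blocked(name):
            self.blocked_by_client[client_ip] += 1
            # A real record may exist for this name; the sinkhole wins.
            return ("SINKHOLED", self.sinkhole_ip)
        self.served += 1
        addr = self.records.get(name)
        return ("NOERROR", addr) if addr else ("NXDOMAIN", None)

    def stats(self) -> dict:
        return {
            "blocked_connections": sum(self.blocked_by_client.values()),
            "unique_blocked_ips": len(self.blocked_by_client),
            "served_unblocked": self.served,
        }


def demo():
    """Run a constructed query stream through a constructed zone."""
    auth = SinkholingAuthority(
        "example.org", "192.0.2.1",
        {"www.example.org": "198.51.100.10",
         "files.bad.example.org": "198.51.100.20"},
    )
    auth.block("bad.example.org")  # one entry from the constructed block list
    queries = [  # (query name, client IP), constructed
        ("www.example.org", "203.0.113.5"),        # legitimate, served
        ("bad.example.org", "203.0.113.5"),        # listed, sinkholed
        ("FILES.BAD.EXAMPLE.ORG.", "203.0.113.7"), # child of listed, sinkholed
        ("cdn.bad.example.org", "203.0.113.5"),    # child with no record, sinkholed
        ("nothere.example.org", "203.0.113.9"),    # unlisted, no record
        ("example.com", "203.0.113.9"),            # outside the zone
    ]
    results = [auth.resolve(q, ip) for q, ip in queries]
    return auth, results


if __name__ == "__main__":
    authority, answers = demo()
    for answer in answers:
        print(answer)
    print(authority.stats())
```

Case and trailing-dot normalisation matter in practice: without it, `FILES.BAD.EXAMPLE.ORG.` would slip past a block-list entry written in lowercase. The suffix walk in `is_blocked` is what lets a list of 70,000 entries cover arbitrary throwaway hostnames created beneath them.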

“Since the case is settled, all evidence and discovery collected during Microsoft's investigation will be handed over to CN-CERT, who will work with the defendant to identify the people behind the malicious subdomains pursuant to Chinese law,” Boscovich said.

“We're very pleased by this outcome, which will help guarantee that the 70,000 malicious subdomains associated with will never again be used for cyber crime.”

He also said that in the 16 days since Microsoft began collecting data on the 70,000 malicious subdomains, it had blocked more than 609 million connections from over 7,650,000 unique IP addresses to those subdomains.

He said: “In addition to blocking connections to the malicious domains, we have continued to provide DNS services for the unblocked subdomains. For example, on September 25th, we successfully processed 34,954,795 DNS requests for subdomains that were not on our block list.”
