Microsoft disrupts Nitol botnet and takes control of malware hosting domain

News by Dan Raywood

Microsoft has detailed a botnet it has named 'Nitol' that has infected computers via insecure supply chains.

Microsoft has detailed a botnet it has named ‘Nitol' that has infected computers via insecure supply chains.

According to Richard Domingues Boscovich, assistant general counsel of the Microsoft Digital Crimes Unit, it sought permission to disrupt 500 different strains of malware earlier this week.

According to report ‘operation b70', the Nitol botnet was hosted on the domain  ‘', which has linked to malicious activity since 2008 and contained 500 different strains of malware hosted on more than 70,000 sub-domains.

Boscovich said it found malware capable of remotely turning on an infected computer's microphone and video camera, recording keystrokes and carrying out distributed denial-of-service (DDoS) attacks, its primary function.

The report on operation b70 said that it purchased 20 computers from various cities in China and one was infected with Nitol, which was actively running and attempted to connect to a command and control (C&C) server.

Nitol infects users through removable media and mapped network shares, so once a removable media is connected to an infected computer, the malware copies itself and infects the new host. This can affect USB flash drives, external hard drives and/or mapped network shares.

Nitol is also selective about where it copies itself to the drives, as it picks directories that contain applications (.EXE, .DLL, .OCX files) and compressed file archives (RAR and .ZIP). Microsoft said that the Nitol developers knew this would result in a large number of files being copied to every directory on a drive, so they decided to hide the files with the file attributes SYSTEM/READ-ONLY/HIDDEN. Files with these attributes are considered ‘super hidden' and are not viewable by Windows Explorer by default.

Microsoft said that the reason Nitol copies itself to directories containing applications (primarily files with extensions .EXE) is to exploit the module loading process used by Windows when it runs applications. When an application is started, it is Windows that tries to find the file (on the application's behalf) in the application's directory first and if one is not found, then several other places are searched and then the process ends with a search in the Windows\System32 directory.

As Nitol's filename is LPK.DLL, applications will look for this in their current directory before any other place and Nitol will get loaded before the file (of the same name) provided by Microsoft in the System32 directory.

Microsoft has been granted an ex parte temporary restraining order against Peng Yong, his company and others and it has also taken control of the domain through its created domain name system (DNS).

However Yong, who owned the domain, told Associated Press that his company had a ‘zero tolerance' attitude towards illegal activity on the domain.

He said: “Our policy unequivocally opposes the use of any of our domain names for malicious purposes. We currently have 2.85 million domain names and cannot exclude that individual users might be using domain names for malicious purposes.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews