In an operation named Operation b70, Microsoft disrupted the Nitol botnet, which was used to spread malware and launch DDoS attacks. The operation was carried out by Microsoft's Digital Crimes Unit with authorization from the U.S. District Court for the Eastern District of Virginia.
The operation was the result of a study conducted by Microsoft which discovered hackers selling pirated copies of Windows that had malware embedded in them. They then got these copies into unsecured supply chains (distributors or resellers selling products from unconfirmed or unauthorized sources) for distribution. The research found that about 20% of pirated copies of Windows contained malware of various types.
This malware was used for a multitude of illegal purposes, including stealing passwords and credit card information and even remotely turning on the microphone and webcam connected to the victim's computer.
The computers that were part of the Nitol botnet were controlled by a Nitol command server. The server's DNS was found to be provided by a rogue website called 3322.org, which has been known to be part of several targeted attacks in the past. With the successful takedown of 3322.org, Microsoft was also able to take down around 500 different strains of malware hosted on 70,000 sub-domains of the rogue website.
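Because the Nitol command server relied on DNS under 3322.org, a defender's first detection opportunity is the resolver log: any host on the network looking up that domain or one of its sub-domains is worth a closer look. The following is an added example and not code from the article or from Microsoft; it assumes a simple one-query-per-line log format (timestamp, client IP, the word `query`, queried name, record type) and uses constructed log lines with placeholder sub-domain names rather than any real Nitol infrastructure. The matching is done on label boundaries so that a lookalike such as `not3322.org` is not flagged by a naive suffix check.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample DNS query log (not real traffic). Assumed format:
# "<timestamp> <client-ip> query <qname> <qtype>"
SAMPLE_LOG = """\
2012-09-13T10:01:02Z 10.0.0.15 query update.microsoft.com A
2012-09-13T10:01:05Z 10.0.0.22 query placeholder-host.3322.org A
2012-09-13T10:01:09Z 10.0.0.22 query deep.sub.placeholder.3322.org A
2012-09-13T10:01:11Z 10.0.0.31 query not3322.org A
2012-09-13T10:01:14Z 10.0.0.31 query 3322.org A
2012-09-13T10:01:20Z 10.0.0.40 query example.org AAAA
"""

# Domain named in the article as the takedown target. A production watchlist
# would be fed from threat intelligence rather than hard-coded.
WATCHLIST = {"3322.org"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def in_watchlist(qname: str, watchlist=WATCHLIST) -> bool:
    """True if qname equals a watched domain or is a sub-domain of one.

    The comparison is anchored on a label boundary ("." + domain), so
    'not3322.org' does not match while 'x.3322.org' does.
    """
    name = qname.rstrip(".").lower()
    for dom in watchlist:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def flag_queries(log_text: str, watchlist=WATCHLIST) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query that hits the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if in_watchlist(m["qname"], watchlist):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


def clients_by_hit_count(hits: List[Tuple[str, str, str]]) -> List[Tuple[str, int]]:
    """Aggregate hits per client so the most active host surfaces first."""
    counts: Dict[str, int] = {}
    for _, client, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = flag_queries(SAMPLE_LOG)
    for ts, client, qname in found:
        print(f"{ts} {client} -> {qname}")
    print(clients_by_hit_count(found))
```

On the sample above the script flags three queries (two from 10.0.0.22, one from 10.0.0.31) and leaves the `not3322.org` lookup alone; in practice the same check is usually run against a sinkhole or watchlist feed, and a host that keeps resolving a known command-and-control domain after the takedown is a strong signal that it is still carrying the implant.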
The operation was part of Microsoft's wider MAPS (Microsoft Active Response for Security) program, which is intended to protect Windows users against malware. This is the second such action against botnets by Microsoft, which had taken down the Zeus botnet earlier this year.