Last month, we reported on an operation conducted by Microsoft to disrupt the Nitol botnet. The operation, titled Operation b70, was the result of a study conducted by Microsoft which discovered pirated copies of Windows embedded with malware. As part of the operation, Microsoft’s Digital Crimes Unit had asked to be allowed to take control of the domain 3322.org, which was used to host the botnet.
Richard Domingues Boscovich, Assistant General Counsel for the Microsoft Digital Crimes Unit, has stated in a blog post that Microsoft has reached a settlement with Peng Yong, operator of the 3322.org domain. He states:
Today, I am pleased to announce that Microsoft has resolved the issues in the case and has dismissed the lawsuit pursuant to the agreement. As part of the settlement, the operator of 3322.org, Peng Yong, has agreed to work in cooperation with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to:
· Resume providing authoritative name services for 3322.org, at a time and in a manner consistent with the terms and conditions of the settlement.
· Block all connections to any of the subdomains identified in a “block-list,” by directing them to a sinkhole computer which is designated and managed by CN-CERT.
· Add subdomains to the block-list, as new 3322.org subdomains associated with malware are identified by Microsoft and CN-CERT.
· Cooperate, to the extent necessary, in all reasonable and appropriate steps to identify the owners of infected computers in China and assist those individuals in removing malware infection from their computers.
In accordance with the settlement, Peng Yong will work with Microsoft and the Chinese Computer Emergency Response Team to remove all malware associated with the domain and to bring to justice all those responsible for spreading it.
Richard also shared some statistics regarding the blocked domains.
Of note, in 16 days since we began collecting data on the 70,000 malicious subdomains, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious 3322.org subdomains. In addition to blocking connections to the malicious domains, we have continued to provide DNS services for the unblocked 3322.org subdomains. For example, on Sept. 25, we successfully processed 34,954,795 DNS requests for 3322.org subdomains that were not on our block list.
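As an added illustration (not code from Microsoft, CN-CERT or the 3322.org operator), here is the block-list sinkhole arrangement from the quoted settlement terms together with the counters behind the statistics above: a resolver for the 3322.org zone that sends block-listed subdomains (and, as an assumption, every name beneath them) to a sinkhole address, serves the remaining subdomains normally, and counts blocked connections and unique source IPs. The sinkhole address, the block-list entries and the query log are constructed placeholders.

```python
# Block-list-driven sinkhole resolver for one zone (constructed example).
ZONE = "3322.org"
SINKHOLE_IP = "192.0.2.1"  # assumed placeholder for the CN-CERT sinkhole (RFC 5737 range)


class SinkholeResolver:
    def __init__(self, blocklist, records):
        self.blocklist = {n.lower().rstrip(".") for n in blocklist}
        self.records = {n.lower().rstrip("."): ip for n, ip in records.items()}
        self.blocked_connections = 0   # every query answered with the sinkhole address
        self.blocked_sources = set()   # unique client IPs that queried a blocked name
        self.served = 0                # queries for ZONE names not on the block list

    def is_blocked(self, name):
        # Assumption: an entry covers the name and every label beneath it (suffix match,
        # not substring match), so "update.evil.3322.org" is caught by "evil.3322.org".
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, name, client_ip):
        # Returns the A record, SINKHOLE_IP for blocked names, None if unknown or outside ZONE.
        name = name.lower().rstrip(".")
        if name != ZONE and not name.endswith("." + ZONE):
            return None  # not authoritative for this name; nothing is counted
        if self.is_blocked(name):
            self.blocked_connections += 1
            self.blocked_sources.add(client_ip)
            return SINKHOLE_IP
        self.served += 1
        return self.records.get(name)  # None here means NXDOMAIN for an unblocked name

    def stats(self):
        return {"blocked_connections": self.blocked_connections,
                "unique_blocked_ips": len(self.blocked_sources),
                "served_requests": self.served}


def run_sample():
    # Replay a constructed query log (RFC 5737 addresses) and return the counters.
    resolver = SinkholeResolver(
        blocklist=["evil.3322.org", "bot-c2.3322.org"],
        records={"home.3322.org": "198.51.100.7", "cam.3322.org": "198.51.100.8"},
    )
    queries = [  # (queried name, client IP)
        ("evil.3322.org", "203.0.113.5"), ("update.evil.3322.org", "203.0.113.5"),
        ("bot-c2.3322.org", "203.0.113.9"), ("home.3322.org", "203.0.113.5"),
        ("cam.3322.org", "203.0.113.20"), ("unknown.3322.org", "203.0.113.21"),
        ("example.com", "203.0.113.22"),
    ]
    for name, ip in queries:
        resolver.resolve(name, ip)
    return resolver.stats()
```

Queries for names outside the zone are ignored rather than counted, so the counters only describe traffic the resolver is actually authoritative for.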
The operation is part of Microsoft’s larger MAPS program, intended to protect users of its Windows operating system.