
Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China

Announcement posted by Sophos 16 Oct 2012

Blog post by Paul Ducklin, Sophos
Just over two weeks ago, we wrote enthusiastically about Microsoft's legal action against 3322 dot org.

The domain 3322 dot org is what's known as a dynamic DNS service, run by a chap called Peng Yong, serving the Chinese market.

DNS is the system that turns domain names into IP numbers on the internet, so you can type in sophos.com, and your PC can work out it needs to navigate to 195.171.192.217.

If you're not running any servers, you don't really need a fixed IP number or a human-friendly domain name for your computer. No-one is going to connect in to your PC, so you don't need to show up at a consistent location online. That means your ISP can issue you a new IP number each time your modem reconnects. This is a handy thing to do, because public IPv4 numbers are in short supply these days. When you're offline, someone else can make use of the IP number that was previously issued to you.

Of course, if you have a dynamic IP number - as most home users and many small businesses do - and you do want to run a server, you have a problem. You need a name for your computer - specifically, a Fully Qualified Domain Name (FQDN) - and you need someone who will provide DNS lookups for your FQDN, yet be willing to update its DNS database quickly any time your IP number changes. In practice that means a small program on your PC or router that tells the provider your new IP number each time it changes, and DNS records published with a short time-to-live (TTL), so that other resolvers don't keep serving your old address for hours. Dynamic DNS companies give you both these things, often for free.

As you can probably imagine, cybercrooks love dynamic DNS: a potentially unlimited supply of domain names that they can move around the internet at will.

That puts a big onus on dynamic DNS providers to limit the extent to which their services are abused by crooks. The crux of Microsoft's legal action was that the cybercrime situation on Mr Peng's domain was out of control, and thus that 3322 dot org should be taken off him and handed over to someone more responsible. The goal was to disrupt the criminal activity on 3322 dot org, notably the operation of a raft of botnets of Nitol-infected computers.

The legal action is now officially over. Peng Yong, it seems, has agreed to numerous conditions in return for getting his domain back, including:

  • Kicking off FQDNs already identified as malicious, based on a blocklist provided by Microsoft and the Chinese Computer Emergency Response Team (CERT);
  • Adding new FQDNs to the blocklist when they are identified as malicious by Microsoft or the Chinese CERT; and
  • Helping people clean up their PCs if they are infected with malware related to FQDNs which used his service.
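To make the two mechanisms above concrete - a client with a changing IP number pushing updates to its dynamic DNS provider, and the provider kicking off blocklisted names and refusing new ones - here is a toy dynamic DNS service in Python. It is an added example, not code from the original post and not the software of 3322 dot org or any real provider; the zone name, update tokens and IP numbers are invented (the addresses come from the RFC 5737 documentation ranges).

```python
"""Toy dynamic DNS provider with blocklist enforcement.

Added example, not code from the original post or from 3322.org: the zone
name, tokens and addresses below are invented (IPs are RFC 5737 ranges).
"""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Record:
    ip: str
    updated_at: float
    ttl: int = 60  # short TTL so caching resolvers re-ask soon after a change


@dataclass
class DynDnsProvider:
    zone: str
    tokens: Dict[str, str] = field(default_factory=dict)     # fqdn -> update token
    records: Dict[str, Record] = field(default_factory=dict)  # fqdn -> current record
    blocklist: Set[str] = field(default_factory=set)          # names refused, plus subdomains

    def _in_zone(self, fqdn: str) -> bool:
        return fqdn.endswith("." + self.zone)

    def is_blocked(self, fqdn: str) -> bool:
        """True if the name, or any parent name, is on the blocklist.

        Blocking 'bad.<zone>' must also cover 'c2.bad.<zone>', otherwise a
        crook simply registers one label deeper.
        """
        labels = fqdn.split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def register(self, fqdn: str, token: str) -> bool:
        """Hand out a name in the zone; refused if outside the zone, taken or blocked."""
        if not self._in_zone(fqdn) or fqdn in self.tokens or self.is_blocked(fqdn):
            return False
        self.tokens[fqdn] = token
        return True

    def update(self, fqdn: str, token: str, ip: str, now: Optional[float] = None) -> bool:
        """Called by the client (e.g. a home router) each time its ISP-issued IP changes."""
        if self.tokens.get(fqdn) != token or self.is_blocked(fqdn):
            return False
        self.records[fqdn] = Record(ip=ip, updated_at=now if now is not None else time.time())
        return True

    def resolve(self, fqdn: str) -> Optional[Tuple[str, int]]:
        """Authoritative answer: (ip, ttl), or None if unknown or blocked."""
        if self.is_blocked(fqdn):
            return None
        rec = self.records.get(fqdn)
        return (rec.ip, rec.ttl) if rec else None

    def block(self, fqdn: str) -> List[str]:
        """Add a name to the blocklist and kick off every existing record it covers.

        Returns the FQDNs removed, e.g. for a takedown report.
        """
        self.blocklist.add(fqdn)
        removed = [name for name in self.records if self.is_blocked(name)]
        for name in removed:
            del self.records[name]
            self.tokens.pop(name, None)
        return removed


def demo() -> dict:
    """Walk through a legitimate update, a takedown and a refused re-registration."""
    p = DynDnsProvider(zone="dyn.example")           # invented zone
    p.register("home.dyn.example", token="s3cret")   # invented token
    p.update("home.dyn.example", "s3cret", "203.0.113.5", now=1000.0)
    first = p.resolve("home.dyn.example")
    p.update("home.dyn.example", "s3cret", "198.51.100.7", now=2000.0)  # ISP reissued the IP
    second = p.resolve("home.dyn.example")
    # A botnet rendezvous name in the same zone (constructed for the example)
    p.register("bad.dyn.example", token="t0ken")
    p.update("bad.dyn.example", "t0ken", "192.0.2.9", now=2000.0)
    removed = p.block("bad.dyn.example")             # takedown driven by the blocklist
    return {
        "first": first,
        "second": second,
        "wrong_token": p.update("home.dyn.example", "guess", "192.0.2.1"),
        "removed": removed,
        "blocked_resolves": p.resolve("bad.dyn.example"),
        "subdomain_refused": p.register("c2.bad.dyn.example", token="x"),
    }


if __name__ == "__main__":
    print(demo())
```

The detail worth noting is `is_blocked`: a blocklist entry has to cover every name beneath it, or the crooks just register one label deeper. Real providers also have to rate-limit the update endpoint and treat the per-name token as a credential, since whoever holds it can point the name anywhere.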

You can argue that this is too little, too late: that Mr Peng is simply agreeing to do now what he ought to have been doing all along; that the crooks will find another haven; that the overall effect will be insignificant; and so forth.

But you have to start somewhere. In Redmond's own words:

We're very pleased by this outcome, which will help guarantee that the 70,000 malicious subdomains associated with 3322.org will never again be used for cybercrime. Of note, in the 16 days since we began collecting data on the 70,000 malicious subdomains, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious 3322 dot org subdomains.

You may get nowhere if you try to empty a swimming pool with a thimble, but if you don't even try, you will get nowhere.

So, well done to Microsoft for forcing a result here.