Home / Blogs

Nitol and 3322.org Takedown by Microsoft

Gunter Ollmann

Reading this morning's blog from Microsoft about "Operation b70” left me wondering a lot of things. Most analysts within the botnet field are more than familiar with 3322.org — a free dynamic DNS provider based in China known to be unresponsive to abuse notifications and a popular home to domain names used extensively for malicious purposes — and its links to several botnets around the world. So it was a surprise to hear that Microsoft was able to team up with Nominum to usurp control of the 3322.org domain (zone) and effectively block the known malicious domains, while other regular users can carry on with their business or businesses.

Microsoft presented the need to take control of this cluster of malicious domains as a necessary action against the Nitol botnet and to protect and secure the supply chain. While I don't quite understand all of the logic behind this argument (there's just not enough info public at this point in time), at the end of the day Microsoft have managed to remove a thorn from the community's side.

The Nitol botnet is, in general terms, bothersome but not a wide scale threat. Damballa Labs has been tracking the threat for quite some time and, as botnets go, is a rather small and tired affair. If you're a victim of Nitol though, yes, it's a pain-in-the-bum DDOS agent.

The 3322.org angle is much more interesting to me than the Nitol botnet that formed the legal excuse for being able to seize control of the domain.

From a Damballa Labs perspective, we currently track around 70 different botnets that currently leverage 3322.org's DNS infrastructure for C&C resiliency — using a little over 400 different third-level domain names of 3322.org. With a bit of luck I'll have some size information about those botnets later today.

Will the usurping of 3322.org kill these botnets? Unfortunately not. There may be a little disruption, but it's more of an inconvenience for the criminals behind each of them. Most of these botnets make use of multiple C&C domain names distributed over multiple DNS providers. Botnet operators are only too aware of domain takedown orders from law enforcement, so they add a few layers of resilience to their C&C infrastructure to protect against that kind of disruption.

Take Nitol for example — it employs multiple domains from several free dynamic DNS providers, including other four-digit .ORG domain services such as 6600.org, 7766.org, 2288.org and 8866.org.

The story isn't over…

By Gunter Ollmann, Chief Technology Officer at IOActive. More blog posts from Gunter Ollmann can also be read here.

Related topics: Cybercrime, DDoS, DNS, Domain Names, Malware, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

General Availability Period for New .RED Top-Level Domain Opens

General Availability Period for New .BLUE Top-Level Domain Opens

General Availability Period for New .PINK Top-Level Domain Opens

New Chinese "Mobile" Top-Level Domain Now Available

New .KIM Domain Goes Live

Welcome .SHIKSHA! General Availability Now Open

Adrian Kinderis Appointed as Chair of Domain Name Association

Internet Reaches 271 Million Domain Names in the Fourth Quarter of 2013

Why We Decided to Stop Offering Free Accounts

The Future of Chinese Domain Names (a Panel Discussion)

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Afilias Chairman Appointed to Domain Name Association Board

.BUILD Enters Landrush with Support of ARI Registry Services

Dyn Acquires Managed DNS Provider Nettica

Radix Awards Contracts for .website, .host, .space, and .press to CentralNic plc

Afilias Welcomes "Dot Chinese Online" and "Dot Chinese Website" Top-Level Domains to the Internet

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Sponsored Topics