Comments on: Microsoft Disrupts ‘Nitol’ Botnet in Piracy Sweep

By: Suresh Ramasubramanian

Suresh Ramasubramanian — Tue, 18 Sep 2012 10:22:08 +0000

“Unnamed”? The people complaining so far do have a rather long track record in security, and certainly aren’t anonymous.

Action needed to be taken. Whether siezing the domain through a court order and proxying dns requests for it was, or was not a bad idea .. well, this could have been handled a lot better.

http://www.circleid.com/posts/20120917_microsoft_takedown_of_3322_org_a_gigantic_self_goal/

By: gonosenno kata

gonosenno kata — Tue, 18 Sep 2012 02:15:17 +0000

Great article Brian. The Nitol “takedown” is much much bigger than ridding the Internet of some run of the mill botnet. This is counter-cyberespionage gold.

By: AlphaCentauri

AlphaCentauri — Sat, 15 Sep 2012 03:55:40 +0000

The effect of this court order may not be that significant. But if no one takes any action against organizations that tolerate criminal activity on their networks, you end up with the situation we’ve got now where criminals operate so openly that they can amass huge botnets that constitute a threat to normal internet operations.

A court order that affects one company may cause a dozen others to give a little more thought to how they conduct their business. Even if the criminal activity were just driven a little farther underground, maybe the rest of us wouldn’t have 90% of the unfiltered email in our inboxes coming from criminals instead of people we know. Criminals ought to at least feel a need to be stealthy.

By: SeymourB

SeymourB — Fri, 14 Sep 2012 18:15:20 +0000

I was unaware that posting comments on this site required prior experience shuttering large-scale botnets. I assume that you have the necessary experience? If so, why are you posting here when Nitol is still in the wild? Go, man, go, for the good of the internets!

Like clubbing one baby seal doesn’t kill all baby seals, shuttering one domain isn’t going to have any kind of long-term affect on malware that’s coded to use multiple DDNS providers.

Just because you don’t like the ugly reality of the situation we’re all in doesn’t change reality.

By: Nic

Nic — Fri, 14 Sep 2012 17:05:11 +0000

“While it is nice that they took action, it would have been better if they had done a more thorough investigation of how the botnet operates when 3322 is shut down, then investigate what happens when the next DDNS site is shut down, and so on, then perform a takedown of all sites.”

Is this what you have done wrt other botnets? If so I would love to read about it.

Or do you know security researchers who have done this wrt other botnets? If so, I would love to read about it.

As far as I know, abuse.ch (one of the best in the biz) is about the only security researcher actually doing the kind of work you describe. He also never complains (AFAIK) when Microsoft shuts down a botnet. My hunch is that the unnamed security researchers who complain about botnets getting shut down only do so because they have a financial incentive to keep botnets around: their investigations are worth a pretty penny to multinational corporations with more money than they know what to do with, and shutting down botnets shuts down the gravy train.

By: wiredog

wiredog — Fri, 14 Sep 2012 11:27:04 +0000

You probably caught this on the news this morning:
http://www.nbcwashington.com/news/local/ATM-Skimmer-169624676.html

By: SeymourB

SeymourB — Fri, 14 Sep 2012 06:51:40 +0000

While it is nice that they took action, it would have been better if they had done a more thorough investigation of how the botnet operates when 3322 is shut down, then investigate what happens when the next DDNS site is shut down, and so on, then perform a takedown of all sites.

As it is, botnets and malware will route around the single domain seizure and, over time, little will come of this. In other words, while there is a current hit in traffic, it will pick up as malware fails to contact its masters and moves on to backup C&C systems on other domains.

On the other hand, who knows, maybe Microsoft is planning on asking the judge to grant it control of the other domains next.

By: Scott S

Scott S — Fri, 14 Sep 2012 00:12:47 +0000

Now that’s an interesting article IMO, and it will be interesting to see what MicroSoft does in regards to ridding the world of counterfeit versions of it’s Windows.

By: dan

dan — Thu, 13 Sep 2012 20:00:50 +0000

waldec and kelihs are the same botnet
they only took down the public version of rustock
none of the zeus campaigns were P2P

By: PC.Tech

PC.Tech — Thu, 13 Sep 2012 19:29:38 +0000

- https://blog.damballa.com/archives/1806
Sep 13, 2012 – “… Nitol… employs multiple domains from several free dynamic DNS providers, including -other- four-digit .ORG domain services such as
6600 .org, 7766 .org, 2288 .org and 8866 .org…”

(Highly recommend blocking those addresses also, if you haven’t already.)
.