Microsoft applies 'surgical sinkhole' to strangle botnet installed on new PCs

14.09.2012
Microsoft has uncovered a vulnerability in the PC supply chain that allows hackers to pre-install malware-infected copies of Windows onto new machines.

As a result, the company has received approval from a federal court to strangle a botnet it uncovered during the investigation, which it conducted in China.

The company announced on Thursday that it was diverting traffic from the 3322.org domain to its own DNS (domain name system) servers to selectively block communications from PCs infected with the "Nitol" botnet to the hackers' command-and-control (C&C) machines.

It's also blocking access to approximately 70,000 malware-plagued subdomains of 3322.org, a Chinese web hosting firm. Other subdomains of 3322.org are resolving normally for users.

The tactic, called "sinkholing," isn't new to Microsoft's anti-malware efforts -- it's sinkholed other botnets -- most recently in March, when it disrupted networks that relied on the -- but a new twist lets it block the bad on 3322.org while letting the good through.

"We're always concerned about collateral damage," said Richard Boscovich, a senior attorney in Microsoft's digital crimes unit, in an interview yesterday. "3322.org has between 2.5 and 2.75 million subdomains, but only the 70,000 malicious subdomains will be sinkholed. The remaining will resolve."
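As an added illustration (not Microsoft's code, and not a description of how its DNS servers were actually built), the following is a minimal selective-sinkhole policy of the kind the article describes: only listed malicious subdomains receive a sinkhole answer and are logged so infected clients can be identified, while the parent domain and every unlisted subdomain are forwarded for normal resolution. The blocklist, the sinkhole address and the client addresses are constructed samples.

```python
from collections import Counter

SINKHOLE_IP = "192.0.2.1"  # constructed sample; TEST-NET documentation address


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return name.rstrip(".").lower()


class SurgicalSinkhole:
    """Sinkhole listed subdomains of one parent zone; let everything else through."""

    def __init__(self, parent_domain, malicious_subdomains):
        self.parent = normalize(parent_domain)
        self.blocked = {normalize(s) for s in malicious_subdomains}
        self.hits = Counter()  # (client_ip, qname) -> query count

    def is_blocked(self, qname):
        """True if qname is a listed subdomain or a child of one.
        The parent zone itself and unlisted siblings are never blocked, and
        matching is done per label so 'notbad.3322.org' never matches 'bad.3322.org'."""
        name = normalize(qname)
        if name == self.parent or not name.endswith("." + self.parent):
            return False
        labels = name.split(".")
        for i in range(len(labels)):  # walk up: a.b.3322.org, then b.3322.org
            candidate = ".".join(labels[i:])
            if candidate == self.parent:
                break
            if candidate in self.blocked:
                return True
        return False

    def resolve(self, client_ip, qname):
        """Return ('sinkhole', ip) for malicious names, ('forward', None) otherwise."""
        if self.is_blocked(qname):
            self.hits[(client_ip, normalize(qname))] += 1
            return ("sinkhole", SINKHOLE_IP)
        return ("forward", None)

    def infected_clients(self):
        """Client addresses that queried a sinkholed name (for notification)."""
        return sorted({ip for ip, _ in self.hits})


def build_sample():
    """Constructed sample policy: two malicious subdomains under 3322.org."""
    return SurgicalSinkhole("3322.org", ["bad1.3322.org", "evil.3322.org."])
```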