Nitol Botnet Shares China Code

Monday, October 22, 2012 @ 10:10 AM gHale


Code used by the Nitol malware family appears copied from free malware resources hosted on Chinese websites, Microsoft officials said.

Microsoft posted portions of the code online where similar lines used for denial of service attack functionality are present in Nitol and on the sites in question.


Nitol.A and Nitol.B also resemble malware used by the IMDDOS and Avzhan botnets, both of which, like Nitol, carry out distributed denial-of-service attacks (DDoS), said Rex Plantado, an antivirus researcher at Microsoft. Nitol.A and Nitol.B are the most active variants of the Nitol family.

Microsoft recently took down the Nitol botnet after the software giant obtained permission from the U.S. District Court for the Eastern District of Virginia to take control of the 70,000 subdomains hosting malware on the 3322.org domain.

Supply chain security has long been an important issue in the industry and is becoming more so, and Microsoft has been watching the trend closely. Its latest Security Intelligence Report focused on malware compromising third-party suppliers, file-sharing networks and sites, and in September the company reported it had found Nitol malware pre-loaded on computers built in China running counterfeit versions of the Windows operating system. The 3322.org subdomains, meanwhile, were hosting more than 500 strains of malware, including DDoS malware, keyloggers, rootkits and more.

Microsoft found the same DDoS behavior in all the Nitol variants, even where other details differed. Most of the variants, Microsoft said, consist of a loader executable and a DLL dropped by the loader. The loader installs the DLL, named lpk.dll, as an NT service or legacy driver. Lpk.dll is then dropped into every folder containing an executable, RAR or ZIP file on local or removable drives. When the DLL runs, it begins connecting to a command-and-control server; most of the samples reached out to the 3322.org domain, located in China and since taken down by Microsoft.
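As an added illustration, not code from the article or from Microsoft, the drop pattern described above can be turned into a simple hunt for defenders: the legitimate lpk.dll lives in the Windows system directory, so a copy sitting beside an .exe, .rar or .zip anywhere else is the anomaly. The sample listing, the path layout and the function names below are constructed for the example.

```python
import os
from pathlib import PureWindowsPath

# Constructed sample listing (not real data) standing in for a removable drive
# plus the legitimate system copy; used so the check runs offline.
SAMPLE_LISTING = [
    r"E:\tools\putty.exe",
    r"E:\tools\lpk.dll",              # next to an executable -> suspicious
    r"E:\docs\report.pdf",
    r"E:\archives\backup.rar",
    r"E:\archives\lpk.dll",           # next to an archive -> suspicious
    r"E:\misc\lpk.dll",               # no trigger file here -> not flagged
    r"C:\Windows\System32\lpk.dll",   # legitimate location -> ignored
]

# File types the article says trigger the drop of lpk.dll into a folder.
TRIGGER_EXTS = {".exe", ".rar", ".zip"}
# Directories where lpk.dll is expected to exist (compared lower-case).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def flag_lpk_copies(paths):
    """Return lower-cased paths of lpk.dll files that sit in a folder which also
    holds an .exe/.rar/.zip, excluding the normal system directories."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp.name.lower())
    hits = []
    for directory, names in by_dir.items():
        if directory in SYSTEM_DIRS or "lpk.dll" not in names:
            continue
        if any(PureWindowsPath(n).suffix in TRIGGER_EXTS for n in names):
            hits.append(directory + "\\lpk.dll")
    return sorted(hits)


def collect_paths(root):
    """Walk a real drive or folder and build the path list for flag_lpk_copies."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]


if __name__ == "__main__":
    for hit in flag_lpk_copies(SAMPLE_LISTING):
        print("suspicious lpk.dll:", hit)
```

Run against a live system with `flag_lpk_copies(collect_paths("E:\\"))`; a hit is a reason to check the file's hash and signature, not proof of infection on its own.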

The compromised machines then receive commands to attack domains by a variety of means, including SYN, UDP, TCP, HTTP and ICMP floods. The C&C server can also send additional executables or updates to infected machines, or force a browser to visit a compromised URL.

IMDDOS, or I'M DDOS, is a commercial DDoS attack service available for purchase from a China-hosted website. IMDDOS was uncovered two years ago by security company Damballa and was one of the fastest-growing botnets, the company said, peaking at more than 25,000 recursive DNS lookups per hour across all its command and control domains. The service offers different pricing options and round-the-clock technical support.

Arbor Networks, meanwhile, followed up Damballa's research with a look into a related malware family called Avzhan. Like IMDDOS, Avzhan was controlled from a Chinese IP address and had similar install routines, attack engines and command and control capabilities.

“One theory that comes to mind is that the developers of the IMDDOS family might have obtained the Avzhan source code and added the modifications necessary to evolve it into a more easily commercialized DDoS service,” Arbor said in its initial report on Avzhan. “At any rate, the commonalities between Avzhan and IMDDOS represent yet another data point that indicates how much sharing, re-using and/or borrowing of code takes place in the underground malware industry.”
