Nitol Takedown: How ThreatSTOP can help identify affected machines.

There's a lot of noise out there about "Nitol" and the takedown. What, exactly, does that mean to you?

Before we get into that, let’s do a quick re-cap on what has happened:

Microsoft received a court order to allow them to redirect all subdomains of a dynamic DNS provider called 3322.org. This enabled Microsoft to block tens of thousands of domain names that were being used to serve up malware and commit cybercrime. Now, instead of DNS requests for anything in 3322.org getting resolved by 3322.org's servers, they’re being resolved via Microsoft's security group. This applies equally to any domain that is not hosting cybercrime that happened to use 3322.org so that they could provide dynamic DNS (required in order to run your own web or mail server if you have a dynamic IP address, as with a home Internet connection).

It was only a matter of time before action was taken against 3322.org, as it was widely known as a popular haven for Malware authors and unresponsive to researchers and operators seeking to have malware domains shut down.

You can read more here:

Official Microsoft Blog

Krebs on Security

Full Set of Legal Docs

Now, what does this mean for you?

For starters, Microsoft has been granted quite a bit of power…and any connections from your network to anything in 3322.org and its subdomains will either be resolved, or not, based on what Microsoft decides. Currently, it appears that Microsoft’s approach is only intercepting some of the domain names, and recursively resolving the rest through the actual 3322.org nameservers.

In theory, this should only interfere with the malicious domains and do nothing to the legitimate ones. In order to be effective, the list of domains Microsoft is using MUST be accurate (ensuring no false positives), and the domain names Microsoft is intercepting must be the only names the malware uses. The first case seems to be true, but the second is problematic, as it has been our experience that most malware uses multiple ways to call home, and usually multiple domain names.

Gunter Ollmann of Damballa has a very good post discussing the issue with this sort of incomplete takedown.

There have been some problems with MX (mail exchanger, how the Internet routes e-mail) lookups, which have resulted in e-mail to legitimate sub-domains of 3322.org not being deliverable.  Microsoft is working to resolve them. Aside from this, there are many policy issues involved that are under discussion, but out of the scope of this post. If you want to learn more about that, Suresh Ramasubramanian has a very detailed discussion in his blog post.

So, what is ThreatSTOP doing about it?

Currently, ThreatSTOP is propagating a block on the sinkhole that Microsoft is using to trap the botnet domains.

Those IPs are in our Sinkhole feed, but we can’t publicize exactly which ones, due to reasons of confidentiality.

What this will do is stop connections to sinkholed domains from completing, and give you a log of when a system in your network tried to connect to those domains. The IP address that will show as making the attempted connection in your ThreatSTOP reports is the compromised endpoint.

If you are not a ThreatSTOP subscriber, you can use our ThreatCHECK tool on a system you are concerned about, or log all connections outbound on your firewall, and use our Sinkhole Check tool to see if you had any connections to known Sinkholes.

If you see connections to anything on our Sinkhole feed, you should consider that system as infected. Systems that are infected with Malware should be RE-INSTALLED. Cleaning can never guarantee removal of all malware, since, once they get control of a system, cybercriminals install custom software that antivirus may never get a signature for. If you want to know exactly WHICH malware a given sinkhole represents, please contact us.  If you need help, we’re here for you! Don't hesitate to contact our support.

ThreatSTOP is actively involved in the security community, and works tirelessly to keep our data up to date, so you can stay ahead of the latest threats such as this one. If you aren’t familiar with ThreatSTOP then consider a trial on your firewall today.

Share this: