
Microsoft reaches agreement with web host linked to counterfeit Windows botnet

by James Dohnert

02 Oct 2012


Microsoft has announced it has reached a settlement with the domain hosting firm responsible for hosting the Nitol botnet.

Microsoft struck a deal which will see 3322.org operator Peng Yong work with it and Chinese authorities to prevent his hosting company from supporting the infrastructure of the Nitol botnet. The settlement ends a lengthy Microsoft investigation into Chinese counterfeit Windows PCs.

"Fighting botnets will always be a complex and difficult endeavour as cyber criminals find new and creative ways to infect peoples' computers with malware, whether for financial gain or other nefarious purposes," said assistant general counsel for Microsoft Digital Crimes Unit, Richard Boscovich in a blog post.

"However, those working to combat cyber crime continue to make progress, and Microsoft remains committed to protecting its customers and services and to making it difficult for cyber criminals to take advantage of innocent people for their dirty work."

Last month, Microsoft announced the discovery of counterfeit Windows PCs which were being sold in China with pre-installed malware.

The company found that consumers in China were purchasing knockoff Windows machines pre-packaged with the Nitol botnet during an investigation into PC supply chain lines in early September.

Nitol would carry out a distributed denial of service (DDoS) attack on systems and create backdoor access for more malware to cripple a user's computer. Microsoft discovered that Nitol was being supported by 3322.org and attempted to shut down the domain provider.

Yong will now work with the Chinese Computer Emergency Response Team (CN-CERT) to make sure 3322.org is no longer used to host botnets.

Yong will send any "black-listed" domains to CN-CERT where they will be moved to a sinkhole set up by the Chinese authorities. The 3322.org owner will also be obligated to help anyone affected by the Nitol botnet by fixing their systems.

Yong defended his company when news of the Nitol botnet first broke, claiming that 3322.org opposed hosting illegal content, but the size of its user base made it hard to police content.

Microsoft has begun notifying victims of the Nitol botnet by sharing infected IP information with the Shadow Server Foundation. The foundation is a group of volunteer internet security staff who gather and track potential malware threats.
