Not long after Microsoft won a legal battle allowing it to seize control of a Chinese Internet service provider's network, comprised of over 70,000 malicious domains, to crack down on piracy, more than 35 million unique Internet addresses attempted to contact those 70,000 domains.
Basically, this event is an unprecedented action from over 70,000 potentially infected systems phoning home to subdomains belonging to 3322.org, a site previously identified as controlling the Nitol malware threat that was found pre-installed on many brand-new computers sold on the black market.
3322.org is a site that was found to be owned by a firm in China. The graphic below, showing the distribution of malware using the 3322.org site, speaks for itself. One could conclude that 3322.org is one busy site, distributing a plethora of malware infections and not just the Nitol malware threat. In all, the 3322.org site accounts for a group of potentially compromised systems far larger than any botnet (group of compromised computers) in history.
Distribution of Malware using 3322.org site – source: Microsoft
Microsoft first found that Nitol was just one infection pre-installed alongside Windows on newly purchased systems in areas of China. Through that discovery, Microsoft later identified thousands of sites at 3322.org serving hundreds of other malware strains. Following this subsequent discovery, Microsoft asked a federal court in Virginia for temporary control over portions of the dynamic DNS provider behind this monstrous site base. Unfortunately, the effort fell through because the .org registry is run by a company based in Virginia. Despite the 3322.org site being owned by a firm in China, the locality of the .org registry's ownership put an end to this effort.
One thing to note, which helps us realize the vastness of 3322.org's potentially malicious efforts, is that IP addresses are very dynamic and a single computer may have multiple IPs over time. That means the 70,000-plus domains observed by Microsoft reporting to 3322.org represent a conglomerate of compromised PCs accounting for about 35 million unique IPs. The number of infected computers behind those unique IPs could vary, but it is still larger than any other known botnet.
In a way, Microsoft's actions to acquire control over a Chinese Internet service provider's network, harboring over 70,000 malicious domains potentially responsible for pirating activity, have aggravated a seriously large ant bed. One of the unfortunate parts of this legal battle is that collateral damage is taking a toll on innocent sites and future investigations. It is almost like the casualties of a war that is ultimately won, but at the expense of those who paid the ultimate price.
There are about 2.75 million subdomains hosted at 3322.org, and the 70,000 domains that the court granted Microsoft control over make up less than 3% of them. The balancing act of minimizing collateral damage has, unfortunately, tipped the scale to one side. Until a scalpel is used in this so-called investigation instead of a hammer, there will be some collateral damage, even as the effort exposes what could be the largest group of compromised computers in history.