Microsoft took over the website in September, its fifth disruptive action against malware as part of its Project MARS (Microsoft Active Response for Security) initiative. After looking into whether pirated copies of Windows were making their way onto PCs in the production process in China, the discovery of pre-installed malware prompted a legal action and technical offensive that Microsoft codenamed Operation b70, targeted at cutting off Nitol and other malware at its host.
Microsoft successfully won a lawsuit filed with a Virginia District Court to seize control of a Chinese server called 3322.org, a site well-known for its ties to cybercrime. During the legal battle, Microsoft was filtering out legitimate data and blocking traffic generated by the viruses.
Now, Yong has agreed to cooperate. Any subdomain that Microsoft has identified as malicious will now be added to a "block-list" and sent to a sinkhole computer designed and managed by CN-CERT. Yong has also agreed to add subdomains to the block-list, as new 3322.org subdomains associated with malware are identified by Microsoft and CN-CERT. He will also help identify the owners of infected computers in China and assist those individuals in removing malware infection from their computers.
"We believe the action against the Nitol botnet was particularly effective because it disrupted more than 500 different strains of malware – potentially impacting several cybercriminal operations," said Richard Boscovich, assistant general counsel in Microsoft's Digital Crimes Unit, in a blog post. He added that in the 16 days since Microsoft began collecting data on the 70,000 malicious subdomains that it identified at 3322.org, it has been able to block more than 609 million connections from more than 7,650,000 unique IP addresses.