Using a ‘sinkhole’ to squash the Nitol botnet

Weeks after obtaining a temporary restraining order against the operators of the China-based domain, Microsoft has reached an agreement with the operators to “sinkhole” traffic to 70,000 malicious subdomains associated with the Nitol botnet.

Microsoft announced on Oct. 2 that it has dismissed its suit against Peng Yong, who operates the domain, in return for his help in blocking the traffic. The Chinese Computer Emergency Response Team (CN-CERT) is also cooperating in the effort.

The case originated when Microsoft’s Digital Crimes Unit found malicious code preinstalled on a computer bought in China, incorporated with several other types of malware into counterfeit copies of Windows XP and Windows 7. Because Nitol was actively running and attempting to connect with command and control servers in China and in California, Texas, Georgia and Pennsylvania in the United States, researchers were able to study it.

Microsoft said the malware was likely installed, not at the factory, but by distributors or resellers along the supply chain.

As part of the Microsoft Active Response for Security program (Project MARS), the company went to the U.S. District Court for the Eastern District of Virginia and on Sept. 10 was granted a temporary restraining order against Nitol’s operators, allowing it to take over hosting of the domain that hosted the majority of the malicious servers. The company reported that since Sept. 11 it has blocked more than 609 million connections from more than 7,650,000 unique IP addresses to the malicious subdomains.

Microsoft dismissed its suit Sept. 28 in exchange for Yong’s cooperation. He has agreed to block all connections to 70,000 subdomains on a Microsoft block list and direct them to a sinkhole computer operated by CN-CERT. So instead of communicating with their command-and-control servers, bots will be directed down the sinkhole.

Yong also will assist in identifying owners of infected computers and removing the malware.
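The mechanism described in the two paragraphs above, as an added illustration that is not code from the article, Microsoft or CN-CERT: a resolver that answers block-listed subdomains (and anything beneath them) with a sinkhole address instead of the real record, and a summary of the sinkhole's connection log that yields the connection and unique-IP counts a sinkhole operator uses to identify infected hosts. The domain names, block list, sinkhole address and log lines are all constructed for the example.

```python
"""DNS sinkhole model: blocked subdomains resolve to a sinkhole address, and the
sinkhole's connection log is summarised to find infected hosts.
Added illustration; all names, addresses and log lines below are constructed."""
import ipaddress
from collections import Counter

# Constructed sinkhole address from the documentation range (RFC 5737).
SINKHOLE_IP = "192.0.2.10"

# Constructed block list: subdomains of a hypothetical parent domain.
BLOCK_LIST = {"evil-c2.example.net", "update.example.net"}


def is_blocked(name, block_list=BLOCK_LIST):
    """True if name is on the block list or lies beneath a blocked name.
    The leading dot in the suffix test keeps 'notevil-c2.example.net' unblocked."""
    name = name.lower().rstrip(".")
    return any(name == b or name.endswith("." + b) for b in block_list)


def resolve(name, real_records, block_list=BLOCK_LIST):
    """Return (address, sinkholed): the sinkhole address for blocked names,
    otherwise the real record (None if unknown) and False."""
    if is_blocked(name, block_list):
        return SINKHOLE_IP, True
    return real_records.get(name.lower().rstrip(".")), False


def summarise_sinkhole_log(lines):
    """Parse 'timestamp source_ip queried_name' lines written by the sinkhole.
    Returns (total_connections, unique_source_ips, connections_per_name).
    Malformed lines and invalid addresses are skipped rather than counted."""
    total, sources, per_name = 0, set(), Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, src, qname = parts
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue
        total += 1
        sources.add(src)
        per_name[qname.lower().rstrip(".")] += 1
    return total, len(sources), per_name


# Constructed sample of what a sinkhole would log for bots checking in.
SAMPLE_LOG = [
    "2012-09-11T00:00:01Z 198.51.100.7 evil-c2.example.net",
    "2012-09-11T00:00:02Z 198.51.100.7 evil-c2.example.net",
    "2012-09-11T00:00:03Z 198.51.100.9 update.example.net",
    "2012-09-11T00:00:04Z 203.0.113.44 bot3.evil-c2.example.net",
    "truncated line",
    "2012-09-11T00:00:05Z not-an-ip evil-c2.example.net",
]
```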

This action, dubbed Operation b70 by Microsoft, was the fifth undertaken as part of Project MARS to disrupt botnets by legally attacking their underlying infrastructure.

“Fighting botnets will always be a complex and difficult endeavor,” Microsoft assistant general counsel Richard Domingues Boscovich wrote in a blog post. But recent cases show that the courts can be an effective weapon in that fight.


About the Author

William Jackson is a Maryland-based freelance writer.
