Microsoft finds new computers in China preinstalled with malware
The company said the malware was embedded inside counterfeit versions of its Windows OS
IDG News Service - Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday.
The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings pose fresh questions over the integrity of computer-part supply chains.
Cybercriminals "are out to get you," said Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit. "They will do whatever it takes. If the supply chain is how they're going to get on [computers], that's what they're going to do."
Microsoft's investigation, dubbed "Operation b70," culminated with the shutdown of the command-and-control system connected to computers infected with "Nitol," a piece of malicious software called a rootkit preinstalled on some of the examined computers. Nitol quickly spreads via removable drives.
The company had led an aggressive drive against counterfeit software and botnets to try to stop the source of cybercriminal activity, much of which is targeted at Windows users due to the high use worldwide of the company's operating system.
Company investigators had Chinese nationals purchase 20 laptop and desktop computers from so-called "PC malls" in various Chinese cities. All of the machines had counterfeit copies of Windows XP or Windows 7, Boscovich said. Three computers contained inactive malware, but a fourth had a live piece of malware, "Nitol.A," that awoke when the computer connected to the Internet, he said.
The laptop was manufactured by Hedy, a large manufacturer based in Guangzhou, China, and purchased in Shenzhen. The other three computers with inactive malware were from "major manufacturers" but Microsoft is not identifying the brands, Boscovich said.
It is believed that the computers became infected after the devices left the factory. In China, many computers ship with just DOS, and an operating system is installed later. "Somewhere in that retail or wholesale supply chain, something happens," Boscovich said.
Consumers in Western countries may not be vulnerable to this kind of tampering, but they do face risks if they download counterfeit software from the Internet, Boscovich said.
The malware discovery led to a larger investigation into the Nitol botnet, which was controlled through the domain "3322.org." The domain has been linked to malicious activity as far back as 2008, Boscovich said.
The 3322.org domain contained more than 500 strains of malware hosted on some 70,000 subdomains, Boscovich said. The malware hosted is capable of a range of malicious functions, from turning on a computer's microphone and video camera to logging keystrokes, according to a Microsoft blog post.
Microsoft obtained permission on Sept. 10 from the U.S. District Court for the Eastern District of Virginia to take control of the 3322.org domain. The company filed a civil complaint against Peng Yong, who owns the domain, his company Changzhou Bei Te Kang Mu Software Technology, also known as Bitcomm, and three other unnamed defendants. A hearing is set for Sept. 26.
Boscovich said Microsoft would like Yong to identify those people who have registered the malicious domains, as only he would hold that information since the websites are subdomains. "We are trying to reach out to him now," he said. "We are not necessarily alleging he is the one running the botnet."
Microsoft now controls 3322.org. Since the domain also hosts legitimate websites, Microsoft is using DNS (Domain Name System) software from Nominum that will allow legitimate traffic to subdomains of 3322.org but halt traffic to the 70,000 hosted websites that are harmful, a process known as "sinkholing."
Using the DNS in this way is a new, state-of-the-art approach, said Craig Sprosts, general manager for fixed broadband for Nominum, which provides DNS services for service providers including Verizon, Comcast and BT. The advantage is that websites that aren't doing anything illegal will continue to run.
"This operation is somewhat unique," Sprosts said. "There have been domain takedowns, but this one was kind of a surgical strike."
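The selective sinkholing described above can be illustrated with a small resolver policy. The following is an added example written for this article, not Nominum's software or anything Microsoft published: it serves the legitimate subdomains of a controlled zone normally, answers blocklisted subdomains (and any name beneath them) with a sinkhole address, and records which clients queried sinkholed names so the operator knows whom to notify. The zone name 3322.org comes from the article; every subdomain, IP address and client address in the block is a constructed placeholder, not a real indicator.

```python
"""Selective DNS sinkholing for one controlled zone (added example).

Assumptions, all constructed for this illustration: the policy zone is
3322.org as named in the article; subdomain names, record addresses,
the sinkhole address and client addresses are placeholders from the
RFC 5737 documentation ranges, not real infrastructure.
"""
from collections import defaultdict

POLICY_ZONE = "3322.org"
SINKHOLE_IP = "192.0.2.1"  # constructed documentation address

# Constructed records for a handful of subdomains of the controlled zone.
ZONE_RECORDS = {
    "blog.3322.org": "198.51.100.10",       # legitimate site (placeholder)
    "shop.3322.org": "198.51.100.11",       # legitimate site (placeholder)
    "c2-example.3322.org": "203.0.113.5",   # listed as harmful (placeholder)
}

# Constructed blocklist. A listed name also covers every label beneath it,
# so www.c2-example.3322.org is sinkholed along with c2-example.3322.org.
BLOCKLIST = {"c2-example.3322.org"}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are exact."""
    return name.rstrip(".").lower()


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def is_sinkholed(name: str, blocklist) -> bool:
    """True if name or any ancestor of name appears on the blocklist."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def new_log():
    """Fresh client -> [sinkholed names] log for a resolver instance."""
    return defaultdict(list)


def resolve(qname, client_ip, records=ZONE_RECORDS, blocklist=BLOCKLIST,
            sinkhole_log=None):
    """Apply the surgical policy. Returns (answer_ip, action)."""
    name = normalize(qname)
    if not in_zone(name, POLICY_ZONE):
        return None, "not-authoritative"   # outside the controlled zone
    if is_sinkholed(name, blocklist):
        if sinkhole_log is not None:
            sinkhole_log[client_ip].append(name)  # remember who asked
        return SINKHOLE_IP, "sinkhole"
    ip = records.get(name)
    return (ip, "pass") if ip else (None, "nxdomain")


def whole_domain_takedown(qname):
    """Contrast: a blunt takedown sinkholes every name in the zone."""
    name = normalize(qname)
    if in_zone(name, POLICY_ZONE):
        return SINKHOLE_IP, "sinkhole"
    return None, "not-authoritative"


def victims_report(sinkhole_log):
    """Summarize clients that hit sinkholed names, e.g. for ISP notification."""
    return {ip: sorted(set(names)) for ip, names in sinkhole_log.items()}


if __name__ == "__main__":
    log = new_log()
    # Constructed sample queries: (query name, client address).
    queries = [
        ("blog.3322.org", "10.0.0.1"),
        ("C2-Example.3322.org.", "10.0.0.2"),
        ("www.c2-example.3322.org", "10.0.0.2"),
        ("nothing.3322.org", "10.0.0.3"),
    ]
    for qname, client in queries:
        print(f"{qname:28} surgical={resolve(qname, client, sinkhole_log=log)}"
              f"  blunt={whole_domain_takedown(qname)}")
    print("clients to notify:", victims_report(log))
```

The two policy functions make the difference concrete: whole_domain_takedown answers the legitimate blog and shop names with the sinkhole address too, while resolve only diverts the blocklisted subtree. The log kept by resolve is the data an operator would hand to ISPs, as the article describes Microsoft doing for infected customers.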
As for the infected computers, Microsoft will notify ISPs that have infected customers, which can then take action to cleanse the computers of malware.