Microsoft finds new computers in China preinstalled with malware
The company said the malware was embedded inside counterfeit versions of its Windows OS
IDG News Service - Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday.
The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings raise fresh questions about the integrity of computer supply chains.
Cybercriminals "are out to get you," said Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit. "They will do whatever it takes. If the supply chain is how they're going to get on [computers], that's what they're going to do."
Microsoft's investigation, dubbed "Operation b70," culminated in the shutdown of the command-and-control infrastructure serving computers infected with "Nitol," a rootkit that was found preinstalled on some of the examined machines. Nitol spreads quickly via removable drives.
The company has led an aggressive drive against counterfeit software and botnets in an effort to cut off sources of cybercriminal activity, much of which targets Windows users because of the operating system's worldwide market share.
Company investigators had Chinese nationals purchase 20 laptop and desktop computers from so-called "PC malls" in various Chinese cities. All of the machines had counterfeit copies of Windows XP or Windows 7, Boscovich said. Three computers contained inactive malware, but a fourth had a live piece of malware, "Nitol.A," that awoke when the computer connected to the Internet, he said.
The laptop was manufactured by Hedy, a large manufacturer based in Guangzhou, China, and purchased in Shenzhen. The other three computers with inactive malware were from "major manufacturers" but Microsoft is not identifying the brands, Boscovich said.
It is believed that the computers became infected after the devices left the factory. In China, many computers ship with just DOS, and an operating system is installed later. "Somewhere in that retail or wholesale supply chain, something happens," Boscovich said.
Consumers in Western countries may not be exposed to this kind of retail-chain tampering, but they do face the same risk if they download counterfeit software from the internet, Boscovich said.
The malware discovery led to a larger investigation into the Nitol botnet, which was controlled through the domain "3322.org." The domain has been linked to malicious activity as far back as 2008, Boscovich said.
The 3322.org domain contained more than 500 strains of malware hosted on some 70,000 subdomains, Boscovich said. The malware hosted is capable of a range of malicious functions, from turning on a computer's microphone and video camera to logging keystrokes, according to a Microsoft blog post.
Microsoft obtained permission on Sept. 10 from the U.S. District Court for the Eastern District of Virginia to take control of the 3322.org domain. The company filed a civil complaint against Peng Yong, who owns the domain and his company Changzhou Bei Te Kang Mu Software Technology, also known as Bitcomm, and three other unnamed defendants. A hearing is set for Sept. 26.
Boscovich said Microsoft would like Yong to identify those people who have registered the malicious domains, as only he would hold that information since the websites are subdomains. "We are trying to reach out to him now," he said. "We are not necessarily alleging he is the one running the botnet."
Microsoft now controls 3322.org. Because the domain also hosts legitimate websites, Microsoft is running DNS (Domain Name System) software from Nominum that resolves legitimate subdomains of 3322.org normally but redirects queries for the roughly 70,000 harmful subdomains to addresses Microsoft controls, a technique known as "sinkholing."
Using the DNS in this way is a new, state-of-the-art approach, said Craig Sprosts, general manager for fixed broadband at Nominum, which provides DNS services to service providers including Verizon, Comcast and BT. The advantage is that websites that aren't doing anything illegal continue to run.
"This operation is somewhat unique," Sprosts said. "There have been domain take downs, but this one was kind of a surgical strike."
As for the infected computers, Microsoft will notify ISPs whose customers are infected, and those ISPs can then take action to help the customers clean the malware off their machines.
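The per-subdomain sinkholing described above, and the victim data it yields for ISP notification, can be illustrated with a small model of a zone operator's resolver. This is an added example written for this article, not Microsoft's or Nominum's code; the zone records, the blocklist of malicious subdomains, the sinkhole address (an RFC 5737 documentation address) and the querying client addresses are all constructed. Listed names are treated as covering everything beneath them, so a blocked `cnc.3322.org` also sinkholes `a.b.cnc.3322.org`, while the parent `3322.org` and unlisted subdomains keep resolving to their real records.

```python
"""Per-subdomain DNS sinkholing for a parent zone the operator controls.

Added illustration, not code from the operation described in the article.
Zone data, blocklist, sinkhole address and client IPs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: a documentation-range address (RFC 5737) standing in for the
# operator's sinkhole server.
SINKHOLE_IP = "192.0.2.1"

# Constructed zone: the records the parent-zone operator already serves.
ZONE: Dict[str, str] = {
    "3322.org": "198.51.100.10",
    "blog.3322.org": "198.51.100.11",
    "shop.3322.org": "198.51.100.12",
    "update.3322.org": "203.0.113.20",  # real record of a malicious subdomain
}

# Constructed blocklist: subdomains identified as malicious. A listed name
# covers itself and every name beneath it.
MALICIOUS = {"update.3322.org", "cnc.3322.org"}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'CNC.3322.org.' matches the list."""
    return name.rstrip(".").lower()


def is_sinkholed(name: str) -> bool:
    """True if the name, or any suffix of it, appears on the blocklist."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in MALICIOUS for i in range(len(labels)))


@dataclass
class Sinkhole:
    """Answers queries for the zone; sinkholed names are logged with the asker."""

    hits: List[Tuple[str, str]] = field(default_factory=list)  # (client_ip, qname)

    def resolve(self, name: str, client_ip: str) -> Optional[str]:
        """Return the A record to hand back, or None for a name the zone lacks."""
        qname = normalize(name)
        if is_sinkholed(qname):
            self.hits.append((client_ip, qname))
            return SINKHOLE_IP
        return ZONE.get(qname)  # None plays the role of NXDOMAIN here

    def infected_clients(self) -> Dict[str, List[str]]:
        """Group sinkhole hits by client address: the data passed on to ISPs."""
        out: Dict[str, List[str]] = {}
        for ip, qname in self.hits:
            names = out.setdefault(ip, [])
            if qname not in names:
                names.append(qname)
        return out


if __name__ == "__main__":
    s = Sinkhole()
    for qname, client in [
        ("blog.3322.org", "10.0.0.5"),        # legitimate, resolves normally
        ("UPDATE.3322.org.", "10.0.0.9"),     # listed, case and trailing dot ignored
        ("a.b.cnc.3322.org", "10.0.0.9"),     # beneath a listed name
        ("3322.org", "10.0.0.5"),             # parent zone itself stays up
    ]:
        print(f"{client:10} {qname:20} -> {s.resolve(qname, client)}")
    print("report to ISPs:", s.infected_clients())
```

One caveat matters in practice: a sinkhole usually sees the address of the ISP's recursive resolver rather than the infected host behind it, so the hit list identifies which provider's customers are calling home, and the ISP must correlate with its own resolver logs to find the individual machines. That is why notification goes to ISPs rather than to end users.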