Open the bubble wrap on a new PC and the one thing no one ever expects to find pre-loaded is malware. But that’s exactly what researchers at Microsoft’s Digital Crimes Unit (DCU) discovered in four of 20 computers they purchased randomly at popular electronics stores in China.
Particularly alarming, says the DCU, is that one of the four was infected with Nitol, a Trojan known for gathering information from the compromised computer, establishing remote access, and then connecting to a command-and-control server. In the case of the DCU-purchased PC, it did exactly that as soon as an Internet connection was established.
Similarly, as soon as a USB drive was plugged into the computer, the malware immediately infected the drive, a clear indication, says the DCU, that the malware was specifically designed to spread quickly. (Here’s a video showing Nitol infecting a clean USB drive.)
Microsoft blames what it calls an unsecure supply chain which, it says, was responsible for not only the malware infections but also the fact that all 20 computers–10 laptops and 10 desktops–contained counterfeit operating systems.
"We also had issues with the computers’ antivirus software," says Richard Domingues Boscovich, assistant general counsel for DCU. "It would identify the malware, then say that it had cleaned it out when, in fact, it had done nothing." The antivrus software was of local origin and only used by Chinese consumers, he adds, and not from a large, popular brand.
Boscovich says the unsecure supply chain issue is the result of a system in which original equipment manufacturers (OEMs) ship computers with only DOS or a temporary operating system that is then replaced by resellers who install a counterfeit operating system that may be malware-infected.
"This isn’t an issue in the U.S. where software is pre-installed at the factory and then sold through authorized retailers," he says. "But in other parts of the world–not only China–the intensity of the problem can vary widely."
While the Nitol-infected laptop was built by Hedy, a Guangzhou, China-based OEM, Boscovich says the DCU "isn’t revealing who the makers of the other three malware-infected PCs are. All I can say is they are all well-known multinational manufacturers."
In his blog, Boscovich describes how the DCU’s efforts–codenamed "Operation b70" which began in August 2011–uncovered that the Nitol botnet was being hosted on a Web domain known as 3322.org "which contained a staggering 500 different strains of malware hosted on 70,000-plus sub-domains." One piece of malware, he says, was capable of turning on an infected computer’s microphone and webcam, potentially giving a cybercriminal both eyes and ears into a victim’s home or business.
Earlier this month, Microsoft obtained a temporary restraining order against 3322.org that allows Microsoft to host the domain, enabling the company to block operation of the Nitol botnet.
"While the Nitol malware doesn’t seem to be particularly dangerous," says Matthew Green, assistant research professor at the Johns Hopkins Information Security Institute, "it’s very concerning to me that computers may be shipping with malware pre-installed, especially when you think of other malware–like Stuxnet and Flame–and consider the kind of serious cyberattacks possible."
Green observes that while Microsoft was able to reroute the 3322.org domain name to a server it controls this time, he fears the next generation of malware will be "much less trusting of the domain name system and will either have the IP addresses of the servers it needs to connect to hard-coded in or will find some other way to communicate with its controls servers. I’m afraid this is only going to push people to develop more advanced malware."
Paul Hyman is a science and technology writer based in Great Neck, NY.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment