Your PC May Come Pre-Loaded With Malware, Right Out Of The Box

By Alexandra Burlacu | Sep 14, 2012 01:26 PM EDT

Cybercriminals have taken their battle to the next level and are now infecting computers right before they reach end consumers. According to a new Microsoft study, several brand-new computers were carrying malware that was loaded before they reached a customer or end purchaser. This means that the malware is loaded after the product is shipped by the original equipment manufacturer to a distributor, transporter, or reseller.

One virus in particular, called Nitol, is especially dangerous, as it steals personal details to help hackers access online bank accounts. A U.S. court gave Microsoft permission to tackle the network of infected PCs.

In a report detailing its efforts to fight Nitol, Microsoft said that the cybercriminals behind the malware had exploited insecure supply chains to install malicious programs as the PCs were in production. Microsoft discovered the viruses when its team of digital crime investigators bought 20 PCs (10 desktops and 10 laptops) from different cities in China. Although the computers were fresh out of the factory, four of them were infected with malicious programs.

"What's especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point as a computer travels among companies that transport and resell the computer," Richard Domingues Boscovich, a lawyer for Microsoft's Digital Crimes Unit, wrote in a blog post.

Microsoft set up "Operation b70" to investigate the matter, and discovered that the four viruses were part of counterfeit software which some Chinese PC makers were installing on computers. Nitol was the most dangerous of the viruses Microsoft found. As soon as the computer was turned on, Nitol tried to contact the command and control system set up by its creators to steal data from infected devices.

Further probing found that the botnet behind Nitol was run from a Web domain that had been involved in cybercrime since 2008. That domain also included 70,000 separate sub-domains used by 500 separate strains of malware designed to trick people or steal data.

"We found malware capable of remotely turning on an infected computer's microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim's home or business. Additionally, we found malware that records a person's every key stroke, allowing cybercriminals to steal a victim's personal information," added Boscovich.

"The Nitol botnet malware itself carries out distributed denial of service (DDoS) attacks that are able to cripple large networks by overloading them with internet traffic, and creates hidden access points on the victim's computer to allow even more malware - or anything else for that matter - to be loaded onto an infected computer."

Microsoft has now obtained permission from a U.S. court to seize control of the Web domain, 3322.org, which it found to be involved with the Nitol infections. This way, Microsoft can filter out legitimate data and block any traffic hijacked by malware. The domain's owner, Peng Yong, told the Associated Press (AP) that he was not aware of Microsoft's legal action, but his company had a "zero tolerance" policy regarding illegal activity on the domain.

"Our policy unequivocally opposes the use of any of our domain names for malicious purposes," he told the AP. Peng added, however, that the great number of users it had to monitor made it very difficult to make sure that all activity was legitimate. "We currently have 2.85 million domain names and cannot exclude that individual users might be using domain names for malicious purposes."

Microsoft filed suit in the Virginia District Court to take action against the Nitol botnet as part of its Project MARS program. The court has also given Microsoft an ex parte temporary restraining order against Peng Yong, his company, and others.

"Putting Microsoft in control of the 3322 dot org isn't going to save the world," said Paul Ducklin, an analyst with security firm Sophos. "But it is going to disrupt the control that the crooks currently enjoy over many already-infected PCs, as well as giving some useful intelligence and insight into the Nitol zombie networks. That will probably be handy for law enforcement operations in the future."

© 2013 Mobile & Apps All rights reserved. Do not reproduce without permission.
