Microsoft has found that several PCs manufactured in China had malware installed on them by cyber criminals before they reached the buyer.
Microsoft’s digital crimes unit stumbled across the malicious software during an investigation into Chinese manufacturers in August 2011.
Researchers purchased 20 computers, evenly split between laptops and desktops, and found all of them to be loaded with counterfeit versions of Windows software. Some 20% of these PCs were also infected with malware, including the Nitol virus, which contacts a command and control system in order to steal data.
Investigation of this virus in particular found that it spreads and operates in many ways, including taking part in distributed denial of service (DDoS) attacks and allowing a cyber criminal to run software on the victim’s computer.
The research, dubbed Operation b70, also found that the Nitol virus was developed to be spread through copying itself onto removable media including USB flash drives, external hard drives, zip/rar files, as well as mapped network shares.
“What’s especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point, as a computer travels among companies that transport and resell the computer,” stated Richard Boscovich, assistant general counsel of the Microsoft Digital Crimes Unit, in a blog post.
“So how can someone know if they’re buying from an insecure supply chain? One sign is a deal that appears too good to be true. However, sometimes people just can’t tell, making the exploitation of a broken supply chain an especially dangerous vehicle for infecting people with malware.”
Research into the Nitol virus over the past four years has found 500 different strains of malware, hosted on more than 70,000 sub-domains.
Boscovich details in his blog post how the Microsoft Digital Crimes Unit found “malware capable of remotely turning on an infected computer’s microphone and video camera, potentially providing eyes and ears into a victim’s home or business”, as well as malware that “records a person’s every keystroke, allowing cyber criminals to steal personal information.”
A court in the US has given Microsoft permission to take control of the domain 3322.org, which it believes is involved with the Nitol attacks. This will enable Microsoft to block the virus and nearly 70,000 other malicious sub-domains hosted on 3322.org.