Microsoft finds malware hidden in new computers in China

Discovery leads to investigation and disruption of Nitol botnet and attempt to shut down subdomains linked to more than 500 types of malware.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Nitol infections are primarily in China, according to this map from the Microsoft study. (Image: Microsoft)

Microsoft has found malware on new computers its employees purchased in various cities in China as part of an investigation into the security of the supply chain. That finding led researchers to a botnet called Nitol and a court order giving the company permission to take technical measures to disrupt the botnet.

The effort, dubbed Operation b70, began in August 2011 when Microsoft decided to see if there was any merit to claims that counterfeit software and malware were being installed on computers by suppliers before they hit the retail shelves in China. So, the company had employees go into stores and buy 10 laptops and 10 desktop computers.

"We went into what they call 'PC Malls.' We wanted to get a sampling of what an average consumer in China would get," Richard Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit, told CNET in an interview today. "We were surprised how quickly we were able to find something to back up the suspicion."

The researchers discovered that four of the 20 computers came pre-loaded with malware, including some that was capable of spreading through USB flash drives. One was infected with the Nitol virus, which installs a backdoor on computers so they can be used as part of a botnet to send spam or attack Web sites. Another computer had the Trafog backdoor, which allows an attacker remote access via File Transfer Protocol (FTP). The third had Malat, an Internet Relay Chat (IRC) backdoor, and the fourth had EggDrop, which Microsoft said is suspicious but not necessarily malicious, according to the report that is accessible on this Microsoft blog post.

The malware was not active, except for Nitol, which was actively running and had attempted to connect to a command-and-control server on a domain owned by a Chinese company, 3322.org, that has been linked to malicious activity since 2008, Boscovich said.

Microsoft this week was granted permission by a federal court in eastern Virginia to use a sinkhole technique to trick infected computers into communicating with researcher-controlled servers instead of the command-and-control servers on the nearly 70,000 subdomains hosting 565 types of malware, he said. Some of the malware was capable of doing lots of nasty things, including remotely turning on microphones and video cameras, recording keystrokes, and stealing data in other ways, the company said.

Microsoft has requested a temporary restraining order (TRO) against the owner of the domain and "John Does" representing owners of the subdomains. A hearing is scheduled for September 26 in the case, and Boscovich said the company is hoping to convince the owner of 3322.org to reveal the identities of whoever registered the affected subdomains.

In response to the granted TRO, the Public Internet Registry, as the registrant for all .org domains, began pointing the 3322.org domain, which hosts the Nitol botnet, to Microsoft's newly created domain name system, Microsoft said. This system enabled the company to block operation of the Nitol botnet and the 70,000 malicious subdomains hosted on the 3322.org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption.
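The selective sinkholing described above, where queries for malicious subdomains are answered with a researcher-controlled address and the zone's legitimate subdomains keep resolving normally, as an added Python example; this is not Microsoft's code, and the blocklist entries, addresses and client IPs are constructed for illustration.

```python
# Added example (not Microsoft's or CNET's code): a selective DNS sinkhole for
# one zone, modelled on the 3322.org takedown described in the article. Queries
# for blocklisted subdomains get the sinkhole address and the querying host is
# logged for victim notification; every other subdomain resolves to its real
# record. Zone contents and all addresses below are constructed.
from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.1"  # documentation range; stands in for the researcher-controlled server


@dataclass
class Sinkhole:
    zone: str                    # zone placed under sinkhole control, e.g. "3322.org"
    blocked: set                 # malicious subdomains, full lowercase names
    legitimate: dict             # full name -> real address for the rest of the zone
    hits: list = field(default_factory=list)  # (client_ip, name) pairs for notification

    def _is_blocked(self, name: str) -> bool:
        # A blocked entry also covers every label beneath it (update.bot-cc.<zone>).
        parts = name.split(".")
        return any(".".join(parts[i:]) in self.blocked for i in range(len(parts)))

    def resolve(self, qname: str, client_ip: str):
        """Return the address answer for qname, or None if the name is outside the zone
        or does not exist in it."""
        name = qname.rstrip(".").lower()     # normalise trailing dot and case
        if name != self.zone and not name.endswith("." + self.zone):
            return None                      # not our zone; the normal resolver handles it
        if self._is_blocked(name):
            self.hits.append((client_ip, name))   # infected host: record for notification
            return SINKHOLE_IP
        return self.legitimate.get(name)     # legitimate subdomains are untouched


def demo():
    sh = Sinkhole(zone="3322.org",
                  blocked={"bot-cc.3322.org"},                       # constructed C2 name
                  legitimate={"home-cam.3322.org": "198.51.100.7"})  # constructed legitimate user
    return (sh.resolve("BOT-CC.3322.org.", "203.0.113.5"),          # infected host -> sinkhole
            sh.resolve("update.bot-cc.3322.org", "203.0.113.6"),    # deeper label also sinkholed
            sh.resolve("home-cam.3322.org", "203.0.113.9"),         # legitimate subdomain unaffected
            sh.resolve("example.com", "203.0.113.9"),               # outside the zone
            sh.hits)
```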

As for the pre-loaded malware problem, Boscovich said policy makers need to realize there are problems and do something to make sure that the supply chain is secure.

"Apparently, what happens is the operating system is installed somewhere between the wholesaler and the retailer and it's possible that somewhere in there malware was introduced," he said.