Microsoft: malware originates from computer manufacturing - Update
Microsoft has taken control of a domain that hosted the Nitol botnet. The malware infected machines during their manufacturing in Chinese factories.
Last week, Microsoft announced that they were conducting an operation targeting a botnet. This isn’t the first time that Microsoft has been instrumental in dismantling a botnet.
This time, the target was Nitol. The action was undertaken from both a technical and legal perspective, with Microsoft having obtained the right from a Virginia court to seize the domain 3322.org which hosted the botnet.
Microsoft built a new DNS system to block the botnet and close to 70,000 other malicious sub-domains hosted on 3322.org, while allowing all traffic to legitimate sub-domains to continue operating without disruption.
This initiative aims to disrupt the cybercriminals' control over infected machines that attempt to connect to the Nitol botnet. Microsoft's researchers discovered that the criminals had infiltrated insecure manufacturing lines to load counterfeit copies of the Windows operating system, with the malware embedded, onto new computers.
According to Microsoft "the supply chain becomes unsecure when a reseller takes in stock from an uncertified source."
This was observed on computers that Microsoft's investigators bought in several cities across China: "we purchased multiple new computers in China and the malware was already installed".
In practice, Microsoft's conclusions rest on the purchase of 20 computers in China in August 2011. Four of these contained malware, including Nitol.
Numerous variants of Nitol exist. According to Microsoft, the malware can enrol infected machines in the botnet to carry out denial-of-service attacks and send spam. It is also believed to be able to steal passwords and other information, switch on the microphone and webcam to spy on users, and download other unwanted programs without the user's consent.
While the true size of the Nitol botnet is not known, the 70,000 malicious sub-domains hosted on 3322.org are used by 565 different malware families.
Update: The malware is loaded onto the computers before they reach a customer or end purchaser. In other words, it is introduced after the product leaves the original equipment manufacturer and is in the hands of a distributor, transporter, or reseller.
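The selective sinkholing described above, where a seized parent domain keeps serving legitimate sub-domains while known-malicious ones are cut off, can be modelled as a small resolver policy. The following is an added example, not Microsoft's code; the sub-domain names, the sinkhole address and the DNS query log lines are all constructed for illustration.

```python
"""Selective sinkhole policy for a seized parent domain (modelled on the 3322.org case)."""

SINKHOLE_IP = "192.0.2.1"  # constructed: documentation-range address standing in for the sinkhole


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


class SeizedDomainPolicy:
    """Decide, per query name, whether a seized zone answers, sinkholes, or is not involved."""

    def __init__(self, seized_domain: str, malicious_subdomains) -> None:
        self.seized = normalize(seized_domain)
        self.blocked = {normalize(s) for s in malicious_subdomains}

    def _in_zone(self, qname: str) -> bool:
        # Only names at or below the seized apex are ours; 'evil3322.org' is not.
        return qname == self.seized or qname.endswith("." + self.seized)

    def decide(self, qname: str) -> str:
        q = normalize(qname)
        if not self._in_zone(q):
            return "not-authoritative"
        labels = q.split(".")
        # Walk from the full name up to the apex: a blocked name also covers everything beneath it.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == self.seized:
                break
            if candidate in self.blocked:
                return "sinkhole"
        return "passthrough"  # legitimate sub-domain: resolve normally


def flag_clients(policy: SeizedDomainPolicy, log_text: str) -> dict:
    """Return {client_ip: [sinkholed names]} from query-log lines: '<ts> <client> query <type> <name>'."""
    hits: dict = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, qname = parts[1], parts[4]
        if policy.decide(qname) == "sinkhole":
            hits.setdefault(client, []).append(normalize(qname))
    return hits


# Constructed sample log: two hosts touch blocked names, one uses a legitimate sub-domain.
DNS_LOG = """\
2012-09-13T10:01:02Z 10.0.0.5 query A bad.example.3322.org
2012-09-13T10:01:03Z 10.0.0.7 query A www.legit-user.3322.org
2012-09-13T10:01:04Z 10.0.0.5 query A update.malicious-c2.3322.org
2012-09-13T10:01:05Z 10.0.0.9 query A www.microsoft.com
"""
```

Hosts listed by `flag_clients` are the ones whose infections are still trying to reach the botnet, which is exactly the population a sinkhole operator wants to notify.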