Microsoft has published evidence of an extraordinary conspiracy in which potent botnet malware was apparently installed and hidden on PCs during their manufacture in China.
In ‘Operation B70’ started in August 2011, Microsoft documents how its Digital Crimes Unit (DCU) bought 20 brand new laptops and desktop PCs from various cities in China, finding that four were infected with pre-installed backdoor malware, including one with a known rootkit called ‘Nitol’.
Tracing Nitol’s activity back to an extensive network of global command and control (C&C) servers, the team discovered that the malware that has infected PCs to build a larger bot, most probably used to launch DDoS attacks.
Once in situ, Nitol would spread beyond the PCs on which it had been pre-installed by copying itself to USB and other removable drives.
Disturbingly, other malware hosted on the main domain used as C&C by Nitol was capable of performing just about every nasty in the malware criminal’s armoury, including keylogging, controlling webcams, and changing search settings.
This hints at the disturbing possibility that the pre-installed malware tactic is almost certainly much more significant than previously realised.
That PCs are being pre-installed with malware during or soon after manufacture confirmed a long-held suspicion that had prompted Microsoft to investigate supply chain security, the firm said.
“What’s especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point as a computer travels among companies that transport and resell the computer,” Microsoft said in a blog introducing its investigations.
Anyone installing malware during manufacture – that is before any form of security is added – would have an important head start over security systems that might be installed on the PC at a later point. The only way around this would be for the customer to reinstall the operating system after purchase using a known secure image.
As PC malware scandals go this is about as bad as it gets; Operation B70 offers an unpleasant glimpse of the state of PC security and asks questions of the security of the supply chain.
Microsoft was earlier this week granted permission by a US court to take control of the C&C servers being used to direct the Nitol botnet.
Microsoft’s DCU has acquired a reputation for unwinding botnets. An earlier bot disruption assault called Operation B71, it disrupted servers being used to distribute the Zeus banking Trojan. In 2011, it played a critical role in knocking down the Rustock botnet.
Third parties can already gain access to the company’s global honeypot for monitoring botnets through an API.