Microsoft researchers in China investigating the sale of counterfeit software found malware pre-installed on four of 20 brand new desktop and laptop PCs they bought for testing. They found forged versions of Windows on all the machines.
The worst piece of malicious software they found is called Nitol, an aggressive virus found on computers in China, the US, Russia, Australia and Germany. Microsoft has even identified servers in the Cayman Islands controlling Nitol-infected machines.
All these affected computers become part of a botnet – a collection of compromised computers – one of the most invasive and persistent forms of cybercrime
The findings were revealed in court documents unsealed on Thursday in a federal court in Virginia. The records describe a new front in a legal campaign against cybercrime being waged by the maker of the Windows operating system, which is the biggest target for viruses.
The documents are part of a computer fraud lawsuit filed by Microsoft against a web domain registered to a Chinese businessman named Peng Yong.
The company says it is a major hub for illicit internet activity. The domain is home base for Nitol and more than 500 other types of malware, making it the largest single repository of infected software that Microsoft officials have ever encountered.
Peng, the owner of an internet services firm, said he was not aware of the Microsoft lawsuit but he denied the allegations and said his company did not tolerate improper conduct on the domain, 3322.org.
Three other unidentified individuals accused by Microsoft of establishing and operating the Nitol network are also named in the suit.
What emerges most vividly from the court records and interviews with Microsoft officials is a disturbing picture of how vulnerable web users have become, in part because of weaknesses in computer supply chains.
To increase their profit margins, less reputable computer manufacturers and retailers may use counterfeit copies of popular software products to build machines more cheaply.
Plugging the holes is nearly impossible, especially in less regulated markets such as China, and that leaves openings for cybercriminals.
Paul Davis, director of Europe at security company FireEye, said hackers had upped their game and taken cybercrime to the next level.
“According to Microsoft, some of the malware was capable of remotely turning on an infected computer’s microphone and video camera, posing a serious cyber espionage issue for consumers and businesses alike,” he said.
“If the exploitation of supply chain vulnerabilities should become an emerging trend, it should be taken very seriously indeed, as it the impact could be far-reaching, costly and destructive.
“When people buy a new PC, they often expect that machine to be secure out of the box. The fact that malware is being inserted at such an early stage in the product lifecycle turns this on its head and unfortunately means that no matter how discerning a user is online, their caution becomes irrelevant if that PC is already tainted.”
Mark James, technical team leader at UK security company ESET, said that apart from installing the operating system yourself, as well as good antivirus software, there was not a lot users would do to protect against this type of abuse.
“If the machine is already infected and talking to the outside world, the end user may be unaware and accept any strange occurrences as normal for a new machine,” he said.
“Often the end user notices when a new machine becomes infected and slower, but in this scenario, may not until a specific problem arises. I would hope a business environment would have a procedure in place to test new machines for any kind of infection before it was added to the domain or work environment using a good antivirus program.”
Nitol, meanwhile, appears poised to strike. Infection rates have peaked, according to Patrick Stratton, a senior manager in Microsoft’s digital crimes unit who filed a document in the court case explaining Nitol and its connection to the 3322.org domain.
For Microsoft, pursuing cybercriminals is a smart business – the Windows operating system runs most of the computers connected to the internet.
Victims of malware are likely to believe their problems stem from Windows instead of a virus they are unaware of, and that damages the company’s brand and reputation.
The investigation by Microsoft’s digital crimes unit began in August 2011 as a study into the sale and distribution of counterfeit versions of Windows.
Microsoft employees in China bought 20 new computers from retailers and took them back to a home with a web connection.
They found forged versions of Windows on all the machines and malware pre-installed on four. The one with Nitol, however, was the most alarming because the malware was active.
“As soon as we powered on this particular computer, of its own accord without any instruction from us, it began reaching out across the internet, attempting to contact a computer unfamiliar to us,” Stratton said in the document filed with the court.
Stratton and his colleagues also found Nitol to be highly contagious. They inserted a thumb drive into the computer and the virus immediately copied itself onto it. When the drive was inserted into a separate machine, Nitol quickly copied itself on to it.
Microsoft examined thousands of samples of Nitol, which has several variants, and all of them connected to command-and-control servers associated with the 3322.org domain, according to the court records.
“In short, 3322.org is a major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people worldwide,” Microsoft said in its lawsuit.
Peng, the registered owner of 3322.org, said he had zero tolerance for the misuse of domain names and works with Chinese law enforcement whenever there are complaints. Still, he said, his huge customer base made policing difficult.
“Our policy unequivocally opposes the use of any of our domain names for malicious purposes,” Peng said in a private chat via Sina Weibo. “We currently have 2.85m domain names and cannot exclude that individual users might be using domain names for malicious purposes.”
3322.org accounted for more than 17% of the world’s malicious web transactions in 2009, according to Zscaler, a computer security firm in San Jose. In 2008, Russian security company Kaspersky Lab reported that 40% of all malware programs, at one point or another, connected to 3322.org.
US district judge Gerald Bruce Lee, who is presiding in the case, granted a request from Microsoft to begin steering web traffic from 3322.org that has been infected by Nitol and other malwares to a special site called a sinkhole.
From there, Microsoft can alert affected computer users to update their anti-virus protection and remove Nitol from their machines.
Since Lee issued the order, more than 37m malware connections have been blocked from 3322.org, according to Microsoft.
• The headline and text of this article were updated on 19 September 2012 to clarify that Microsoft found that, rather than malware being pre-installed at factories, it was being loaded on to computers after they were shipped to a distributor, transporter or reseller.