Pre-installed malware in production lines spurs Microsoft's 3322.org takedown

The situation is far from widespread—that we know of, anyway. But Microsoft digital crime investigators bought several PCs, desktops and laptops from stores in different cities in China. Shockingly, they found that 20% were already infected with Nitol botnet, which has most effectively been used for stealing user and password information to compromise online bank accounts.

The discovery was made as investigators were looking into whether Chinese manufacturers are installing pirated or counterfeit Windows software on PCs, and found that cybercriminals are infiltrating unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers.

There were other malicious programs that were found in addition to Nitol. "We found malware capable of remotely turning on an infected computer's microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim's home or business," said Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft's digital crimes unit.

The team also found malware that records a person's every keystroke, allowing cybercriminals to steal a victim's personal information.

"The cybercriminals are really changing the ways they try to attack you," Boscovich said.

The whole business prompted a legal action and technical offensive that Microsoft codenamed Operation b70, targeted at cutting off Nitol and other malware at its host. Microsoft successfully won a lawsuit filed with a Virginia District Court to seize control of a Chinese server called 3322.org, a site well-known for its ties to cybercrime. The domain hosts 70,000 separate sub-domains used by 500 separate strains of malware. Microsoft is now filtering out legitimate data and blocking traffic generated by the viruses.

“Most analysts within the botnet field are more than familiar with 3322.org – a free dynamic DNS provider based in China known to be unresponsive to abuse notifications and a popular home to domain names used extensively for malicious purposes – and its links to several botnets around the world,” said Gunter Ollmann, CTO and vice president of research at Damballa.

“In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet, our second botnet disruption in the last six months,” Microsoft said in its blog.

Ollman, however, is more skeptical of the malware’s prospects for eradication: “Will the usurping of 3322.org kill these botnets? Unfortunately not. There may be a little disruption, but it’s more of an inconvenience for the criminals behind each of them. Most of these botnets make use of multiple C&C domain names distributed over multiple DNS providers. Botnet operators are only too aware of domain takedown orders from law enforcement, so they add a few layers of resilience to their C&C infrastructure to protect against that kind of disruption.”

 

What’s Hot on Infosecurity Magazine?