Brand-new PCs found preloaded with malware

Posted by Emma Woollacott

Microsoft has discovered that cybercriminals within the hardware supply chain have been pre-installing malware on PCs in China so that they were infected before they were even taken out of the box.

Retailers, the company discovered, were selling computers loaded with counterfeit versions of Windows software with the Nitol malware embedded.

"What’s especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point as a computer travels among companies that transport and resell the computer," says Richard Domingues Boscovich, assistant general counsel in Microsoft Digital Crimes Unit.

As many as twenty percent of the PCs researchers bought from an unsecure supply chain were infected with malware, which was capable of spreading through devices such as USB flash drives.

Microsoft discovered that the botnet was being hosted on a domain - 3322.org - that had been linked to malicious activity since 2008. It also contained a staggering 500 different strains of malware hosted on more than 70,000 sub-domains.

"We found malware capable of remotely turning on an infected computer’s microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim’s home or business. Additionally, we found malware that records a person’s every key stroke, allowing cybercriminals to steal a victim’s personal information," says Boscovich.

"The Nitol botnet malware itself carries out distributed denial of service (DDoS) attacks that are able to cripple large networks by overloading them with internet traffic, and creates hidden access points on the victim’s computer to allow even more malware - or anything else for that matter - to be loaded onto an infected computer."

Microsoft took action against the Nitol botnet as part of its Project MARS program, and filed suit in the Virginia District Court. It's now been given an ex parte temporary restraining order against Peng Yong, his company and others.

The order allows Microsoft to host the 3322.org domain, and block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted there.

"Putting Microsoft in control of the 3322 dot org domain isn't going to save the world," comments Paul Ducklin of security firm Sophos.

"But it is going to disrupt the control that the crooks currently enjoy over many already-infected PCs, as well as giving some useful intelligence and insight into the Nitol zombie networks. That will probably be handy for law enforcement operations in the future."