A new battleground for today’s cyber warfare can be found in production lines of PCs. According to Microsoft, brand new computers fresh from factories in China have been found to be infected with malware installed by cybercriminals in the factory.
After getting approval from the United States government to tackle the issue, Microsoft conducted a study by buying computers in China. A virus called Nitol was discovered on some of the computers. The malware can reportedly steal information such as personal details and bank account information.
In a detailed report, Microsoft revealed how the program gets onto affected machines while they are still in the factory. Cybercriminals are said to target unsecured supply chains to install their software.
The viruses were identified after Microsoft bought 10 laptops, 10 desktops, and 20 PCs across China. Four of the machines were found to be infected while still in factory state.
Microsoft’s report, labeled Operation b70, found that the discovered viruses were installed when counterfeit software from China was run on brand new computers by Chinese PC makers.
It was discovered that Nitol activated immediately as soon as the new computers were turned on. The virus tried to contact its command and control system as soon as the machine was able to establish an internet connection.
The Microsoft study also found out that the botnet controlling Nitol originates from the same web domain involved in cybercrime in 2008. The said domain has 70,000 sub-domains being used by over 500 versions of malware designed to harvest data or fool victims.
Nitol is capable of turning on an affected machine’s video camera and microphone, making it virtual eyes and ears for Nitol’s makers.
The web domain involved, 3322.org, is owned by a Chinese national named Peng Yong. He denied any wrongdoing and declared that his company does not tolerate illegal activity on its domain. A U.S. court has given Microsoft the green light to seize control of the offending domain. The move could allow it to filter and monitor traffic as well as block stolen data from leaking out.
The domain owner admitted that the sheer number of domain names, about 2.85 million, is difficult to monitor.
The study shows how vulnerable Internet users have become, partly because of weaknesses in the supply chain. To increase profit, less reputable computer makers use counterfeit software loaded with malware to build hardware cheaply. In an unregulated market such as China, plugging the security holes can be almost impossible.
Nitol has been found on computers in Russia, China, Germany, Australia, and the United States. The malware’s command and control servers are spread around the world, with one being run in the Cayman Islands.
Microsoft is at the forefront of this virus hunt because most of the operating systems around the world run Windows. Most of the time, Windows users assume that problems come from Windows itself rather than from a virus installed by hardware makers, which does nothing to protect Microsoft’s name and reputation.
Update: below is a clarification from the Microsoft team:
…rather than the malware being pre-installed onto computers at the factories, this malware is loaded onto the computers before it reaches a customer or end purchaser. This means that the malware is loaded after the product is shipped by the original equipment manufacturers to a distributor, transporter, or reseller.