Microsoft finds Nitol in brand new Chinese PCs and seizes domain to kill it off
Microsoft has discovered that several new computers in China have been carrying the Nitol botnet malware and has called for security in its supply chain to be improved.
The malicious software allows cyber criminals to steal personal information such as bank account details and take control of personal computers. A US court has granted Microsoft permission to seize control of one Chinese domain which has been linked to cybercrime since 2008.
Investigators from a Microsoft group called “operation b70” bought ten desktops and ten laptops from different cities in China and found that four were infected by viruses, which had been installed by some Chinese PC manufacturers. Of particular concern is a botnet virus called Nitol which is used to steal from online bank accounts and carry out distributed denial of service (DDoS) attacks.
Nitol attempted to connect to its command and control system as soon as the PC was switched on and was eventually linked to the 3222.org domain. This domain had 70,000 different sub-domains used by 500 different types of Malware.
Microsoft also found malware that was capable of remotely operating microphones or video cameras as well as keyloggers that track every key entered by a user, revealing sensitive information such as passwords.
An American court has now given Microsoft permission to seize control of the 3322.org domain where the botnet was hosted, and allow it to filter traffic. The domain’s owners have said that they have a “zero tolerance” policy towards illegal malware but with 2.85 million domains, this was difficult to enforce in practice. Last year, a Chinese mobile security firm was accused of bundling viruses with its anti-malware software.
“Earlier this week, the US District Court for the Eastern District of Virginia granted Microsoft’s Digital Crimes Unit permission to disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people,” said Richard Domingues Boscovich, assistant general counsel, Microsoft Digital Crimes Unit. “Codenamed ‘Operation b70,’ this legal action and technical disruption proceeded from a Microsoft study which found that cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers.
“In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet, our second botnet disruption in the last six months.”
Microsoft said that the most disturbing fact was that the counterfeit software could have entered the supply chain at any point and warned consumers that if a deal was too good to be true, it probably was.
The company released an update in June to address a certificate issue exploited in the Flame malware attacks and another Microsoft investigation, operation b71, has been trying to take down the Zeus Botnet network.
“Microsoft is fully committed to protecting consumers by combating the distribution of counterfeit software and working closely with governments, law enforcement and other industry members in these efforts,” continued Domingues Boscovich. “Our disruption of the Nitol botnet further demonstrates our resolve to take all necessary steps to protect our customers and discourage criminals from defrauding them into using malware infected counterfeit software.”
Are you a security expert? Find out with our quiz!