Microsoft closes botnet preloaded on retail PCs
Microsoft has issued a warning over the security risks of insecure supply chains, after taking down a botnet and blocking malware on machines loaded with counterfeit software.
According to the company, its Digital Crimes Unit (DCU) was granted permission by the US District Court for the Eastern District of Virginia to take action against a botnet involving 500 strains of malware, following an investigation that found machines were being sold with damaging software already installed.
“We discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with harmful malware,” said Richard Domingues Boscovich, a lawyer with Microsoft’s DCU, in a company blog post. “What’s especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point as a computer travels among companies that transport and resell the computer.
“Sometimes people just can’t tell, making the exploitation of a broken supply chain an especially dangerous vehicle for infecting people with malware.”
The company said the malware found during an operation looking into supply chain security led to the disruption of a growing botnet, dubbed Nitol, which was hosted on sites linked to malware since 2008.
Nitol itself was designed as a denial-of-service launch platform, but the domain associated with the malware also hosted a range of other malware that could leave end users out of pocket and exposed to privacy breaches.
“Cybercriminals preload malware-infected counterfeit software onto computers that are offered for sale to innocent people,” Microsoft said.
“In fact, 20% of the PCs researchers bought from an unsecure supply chain were infected with malware. Making matters worse, the malware was capable of spreading like an infectious disease through devices like USB flash drives.”
Range of malware
Microsoft called on businesses throughout the supply chain to source from trusted suppliers, mirroring concerns raised by the components industry.
Among the malware found during the study, Microsoft said there were tools for remotely activating system microphones and webcams, as well as keystroke loggers.
“Our research into Nitol uncovered that the botnet was being hosted on a domain linked to malicious activity since 2008,” Microsoft said. “3322.org contained a staggering 500 different strains of malware hosted on more than 70,000 sub-domains.”
The court order allowed Microsoft to take over hosting of the 3322.org domain, blocking its operation and almost 70,000 other malicious subdomains, while traffic for legitimate subdomains continued to operate without disruption.
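The selective sinkholing described above (malicious subdomains blocked, legitimate ones still resolving) can be mirrored on the defender's side when triaging resolver logs. The following is an added example and not Microsoft's code: only the parent domain 3322.org comes from the article, while the allowlisted subdomains and the log lines are constructed for illustration.

```python
# Added example (not Microsoft's code): selective sinkholing of a seized
# parent domain, modelled on the 3322.org action described above. Only the
# parent domain comes from the article; the allowlist and log lines are
# constructed.
SINKHOLED_PARENT = "3322.org"

# Constructed: subdomains judged legitimate, which must keep resolving.
# Every other name under the parent is treated as malicious.
LEGITIMATE_SUBDOMAINS = frozenset({"www.3322.org", "mail.3322.org"})

def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot many resolver logs emit."""
    return qname.strip().lower().rstrip(".")

def is_under(qname: str, parent: str) -> bool:
    """Label-aware suffix test: matches parent and anything beneath it,
    but not look-alikes such as x3322.org or 3322.org.cn."""
    return qname == parent or qname.endswith("." + parent)

def classify(qname: str) -> str:
    """Return 'sinkhole' or 'pass' for one queried name."""
    name = normalize(qname)
    if not is_under(name, SINKHOLED_PARENT):
        return "pass"          # unrelated domain
    if name in LEGITIMATE_SUBDOMAINS:
        return "pass"          # allowlisted, keeps resolving
    return "sinkhole"          # unlisted subdomain of the seized parent

# Constructed resolver log: "<client-ip> <queried-name>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.3322.org.
10.0.0.7 abc123.3322.org.
10.0.0.9 WWW.3322.ORG
10.0.0.7 evil.3322.org.cn.
10.0.0.11 3322.org
"""

def sinkholed_clients(log: str) -> dict[str, list[str]]:
    """Map each client that hit a sinkholed name to the names it asked for,
    giving responders a list of likely-infected hosts to follow up."""
    hits: dict[str, list[str]] = {}
    for line in log.splitlines():
        client, qname = line.split()
        if classify(qname) == "sinkhole":
            hits.setdefault(client, []).append(normalize(qname))
    return hits

if __name__ == "__main__":
    print(sinkholed_clients(SAMPLE_LOG))
```

Note that case and trailing-dot differences in logged names are normalised before matching, and that the suffix test is anchored on a label boundary so unrelated look-alike domains are not swept in.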