Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday.
The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings pose fresh questions over the integrity of computer-part supply chains.
[ InfoWorld's expert contributors show you how to secure your Web browsers in the "Web Browser Security Deep Dive" PDF guide. Download it today! | Stay up to date on the latest security developments with InfoWorld's Security Adviser blog and Security Central newsletter. ]
Cybercriminals "are out to get you," said Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit. "They will do whatever it takes. If the supply chain is how they're going on get on [computers], that's what they're going to do."
Microsoft's investigation, dubbed "Operation b70," culminated with the shutdown of the command-and-control system connected to computers infected with "Nitol," a piece of malicious software called a rootkit preinstalled on some of the examined computers. Nitol quickly spreads via removable drives.
The company had led an aggressive drive against counterfeit software and botnets to try to stop the source of cybercriminal activity, much of which is targeted at Windows users due to the high use worldwide of the company's operating system.
Company investigators had Chinese nationals purchase 20 laptop and desktop computers from so-called "PC malls" in various Chinese cities. All of the machines had counterfeit copies of Windows XP or Windows 7, Boscovich said. Three computers contained inactive malware, but a fourth had a live piece of malware, "Nitol.A," that awoke when the computer connected to the Internet, he said.
The laptop was manufactured by Hedy, a large manufacturer based in Guangzhou, China, and purchased in Shenzhen. The other three computers with inactive malware were from "major manufacturers" but Microsoft is not identifying the brands, Boscovich said.
It is believed that the computers became infected after the devices left the factory. In China, many computers ship with just DOS, and an operating system is installed later. "Somewhere in that retail or wholesale supply chain, something happens," Boscovich said.
Consumers in Western countries may not be vulnerable to the kind of tampering, but they do face risks if they download counterfeit software from the internet, Boscovich said.
The malware discovery led to a larger investigation into the Nitol botnet, which was controlled through the domain "3322.org." The domain has been linked to malicious activity as far back as 2008, Boscovich said.
The 3322.org domain contained more than 500 strains of malware hosted on some 70,000 subdomains, Boscovich said. The malware hosted is capable of a range of malicious functions, from turning on a computer's microphone and video camera to logging keystrokes, according to a Microsoft blog post.