Microsoft Finds Malware Preloaded on New Computers
When Microsoft's cybercrime researchers went searching for counterfeit versions of their Windows software in China, they stumbled across an entirely different form of illegal activity: malware installed on computers before they were even out of the box.
In court filings released yesterday (Sept. 13), Microsoft said a company called Hedy made the infected computer, and it sued the Chinese businessman thought to be behind the company.
The malware, called Nitol, turns each infected machine into one of many computers controlled by a remote server in what's known as a botnet. Botnets use their strength in numbers to attack websites, steal information and commit fraud, all without the infected machine's owner being any the wiser.
In the court records, Microsoft described the use of pirated software, common among lower-tier computer manufacturers in China, as a perfect opportunity for cybercriminals to infect new machines.
The counterfeit programs cut manufacturers' costs, but often come preloaded with viruses or Trojans, and a customer buying such a machine has no way of knowing.
The U.S. District Court for the Eastern District of Virginia gave Microsoft the right to temporarily take control of the botnet's domain, 3322.org, which is run by a Chinese dynamic-DNS (DDNS) provider and which Microsoft calls the single largest home to malicious software on the Web.
Microsoft said it found "a staggering 500 different strains of malware hosted on more than 70,000 subdomains" on the site, from which attacks have been launched in the past.
Microsoft said most of the traffic between computers in the United States and 3322.org was malicious.
This isn't the first time Microsoft has gone after cybercriminals. In an effort to protect its own brand's reputation, the Redmond, Wash., software developer has targeted major botnets called Waledac, Kelihos, ZeuS and Rustock, security journalist Brian Krebs wrote.
Despite Microsoft's efforts, taking down one domain at a time may be like playing Whack-a-Mole. Gunter Ollman, security company Damballa's vice president of research, said it's very possible that the malware will take instructions from another DDNS provider that hasn't been disrupted.
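The takeover of 3322.org and the caveat that the malware may simply move to another dynamic-DNS provider both point at the same defensive check: look for hosts on your own network resolving names under dynamic-DNS zones that you have no business reason to contact. The following Python script is an added example and is not part of the original article, of Microsoft's court filings or of any Damballa tooling. It scans constructed DNS query log lines for names under a watchlist of zones. The log format, client addresses, timestamps and subdomain labels are all constructed for the example; 3322.org is the only zone the article names, and any additional zones a reader puts in WATCHLIST are their own assumption about which providers matter in their environment.

```python
"""Flag DNS queries for names under watched dynamic-DNS zones (e.g. 3322.org)."""
from collections import Counter

# Constructed sample DNS query log (not real traffic), in a simplified
# "timestamp client qname qtype" format assumed for this example.
SAMPLE_LOG = """\
2012-09-13T10:00:01Z 10.0.0.5 www.example.com A
2012-09-13T10:00:02Z 10.0.0.7 update.abc123.3322.org A
2012-09-13T10:00:03Z 10.0.0.7 mail.example.org MX
2012-09-13T10:00:04Z 10.0.0.9 bot-c2.3322.org A
2012-09-13T10:00:05Z 10.0.0.7 update.abc123.3322.org A
2012-09-13T10:00:06Z 10.0.0.11 evil3322.org A
"""

# Dynamic-DNS zones to watch. 3322.org is the zone named in the article;
# any further zones are the operator's assumption, since the malware may
# fall back to a provider that has not been disrupted.
WATCHLIST = {"3322.org"}


def parent_zone(qname, watchlist):
    """Return the watched zone that qname falls under, or None.

    Matching is label-based, so 'evil3322.org' does not match '3322.org'
    the way a naive substring test would. Case and a trailing dot are ignored.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def scan(log_text, watchlist=WATCHLIST):
    """Return (hits, per_client): matching records and a per-client hit count."""
    hits = []
    per_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        zone = parent_zone(rec["qname"], watchlist)
        if zone is not None:
            rec["zone"] = zone
            hits.append(rec)
            per_client[rec["client"]] += 1
    return hits, per_client


if __name__ == "__main__":
    hits, per_client = scan(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['client']} -> {rec['qname']} (zone {rec['zone']})")
    for client, count in per_client.most_common():
        print(f"{client}: {count} watched-zone lookup(s)")
```

Repeated lookups of the same watched subdomain from one client, as 10.0.0.7 shows in the sample, are the pattern worth escalating: a bot beaconing to its command-and-control name, rather than a one-off visit. The label-based match matters because attackers register look-alike names, and a substring test on "3322.org" would both miss the apex and false-positive on unrelated domains.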