Microsoft battles botnet pre-installed on systems

Imagine turning on a brand new, fresh-from-the-factory laptop and already having a virus on it before you even do anything. That’s the scary situation Microsoft uncovered on several PCs in China, and now the tech giant is fighting the botnet responsible for the infections in court.

Microsoft digital crime investigators in China discovered the Nitol virus when looking into the sale of counterfeit software. The virus was preinstalled on 20 percent of the laptops and desktops tested, Microsoft states on its blog. Somewhere between the assembly line and the retail purchase, cybercriminals were able to introduce the malware.

The majority—85 percent—of Nitol infections have been detected in China, but nearly 10 percent have also been found in the U.S., Microsoft reveals.

Nitol-infected PCs immediately and automatically search the Internet for other computers to connect to and attack.

Microsoft’s further investigation unearthed more than 500 other types of malware being hosted by this illegal network. The malware found was capable of keystroke logging, remotely turning on the video camera and microphone, launching denial of service attacks, and more.

The Microsoft Digital Crime Unit has been investigating the malware since last August. This week, a U.S. district court granted Microsoft permission to take over the 3322.org domain and its 70,000 sub-domains, which the company says is the source of the infection and a major hub of illegal activity. Microsoft has filed a lawsuit against server owner Peng Yong.

Combating botnets by shutting down the domain providers is a strategy Microsoft has had great success with in the past. This is the second botnet disruption for the software giant in the last six months.

It’s also the largest single repository of infected software the company has found to date. More than 37 million malware connections have been blocked from 3322.org since Microsoft won the court order.

Follow Melanie Pinola (@melaniepinola) and Today@PCWorld on Twitter
