Microsoft downs botnet that infiltrated Chinese PC supply chain

Microsoft has taken down a major botnet that used malware distributed through counterfeit Windows software in computers built in China and sold in stores.

Microsoft pulled the plug on the Nitol botnet after getting permission to do so this week from a federal court in Virginia. Dubbed Operation b70, the takedown was the second for Microsoft in the last six months.

The Nitol botnet was being hosted on a domain owned by a Chinese firm and linked to spreading malware since 2008.

The domain contained a "staggering" 500 strains of malware hosted on more than 70,000 sub-domains, Richard Domingues Boscovich, assistant general counsel for Microsoft, said Thursday in a statement. At times, 40% of all malware programs connected to the domain.

The blog KrebsonSecurity reported that the domain has been associated for a long time with malware targeted at stealing corporate and government data from U.S. and other Western firms.

Microsoft found malware capable of turning on a computer's microphone and video camera, potentially giving cybercriminals a view of a victim's home or business. Other malware included keyloggers, rootkits, Trojans and software for launching denial of service attacks against Web sites.


Microsoft discovered nearly 4,000 Nitol-infected Windows computers, which were likely a "small subset" of the total number of infected systems, according to federal court papers. Data gathered in the investigation indicated that infected computers were located in Fairfax, Va., near Washington, D.C., as well as other states.

The family of Nitol malware appears to have started in China, which had the largest number of the botnet's command-and-control servers, Microsoft said. Most of the servers are in Beijing, with others in the United States and the Cayman Islands.

Microsoft discovered the botnet after launching, about a year ago, a study on what the company called "unsecure supply chains." The research focused on how malware-riddled counterfeit software found its way into Chinese PCs between the time they leave the manufacturer for the distribution chain and the time they land on a retailer's store shelves. People at greatest risk are those who buy PCs from little-known resellers.

"The spread of Nitol in this way is not related to any vulnerability in Microsoft's systems, but is instead achieved by misleading people into taking steps that result in the infection of their computers or by misleading people into believing their new computer is free from infections and viruses," court papers said.

Once a computer is turned on, the malware wakes up and immediately tries to contact remote servers run by the botnet's operators. From that moment on, the PC can be used in denial of service attacks or to transmit the user's personal information, such as user IDs and passwords for websites.

Microsoft estimates that 20% of the PCs its researchers bought from hacker-infiltrated supply chains in China were infected with malware. In addition, Microsoft found that Nitol malware could be spread through a USB flash drive, which is often used to share files between computers.

On Sept. 10, Microsoft received a restraining order from the Virginia federal court against suspected botnet operator Peng Yong, his company Changzhou Bei Te Kang Mu Software Technology, and as many as three John Does, according to court documents. The order allowed Microsoft to take over the domain and block the botnet operation. Security company Nominum assisted Microsoft in the takedown.

In March, Microsoft won court approval for seizing the servers of the Zeus botnet, which cybercriminals used to steal $100 million over five years through bank fraud and identity theft. Other botnets crippled or taken down by Microsoft over the last two years include Waledac, Rustock and Kelihos.
