Microsoft finds malware in brand new computers in China

Microsoft stumbled upon a series of malware samples, during an action codenamed “Operation b70″ initiated by the company to investigate claims that malware was installed within counterfeited software on computers in China even before systems reached shelves.

The US District Court of Virginia granted Microsoft legitimate control over the domain 3322.org that hosted, among others, the infamous Nitol botnet which proved key to this investigation, helping Microsoft “disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people,” according to the company.

Microsoft digital crime investigators found the malware when they brought in 20 PCs, 10 desktops and 10 laptops from across China. Four of the brand new computers were infected with malware. Deeper analysis revealed how the malicious code had been installed in counterfeited software on the systems.

“In Operation b70, we discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with harmful malware. Malware allows criminals to steal a person`s personal information to access and abuse their online services, including e-mail, social networking accounts and online bank accounts.” says the report.

Microsoft details how criminals managed to piggyback on an unsecure supply chain to install viruses on PCs while they were built. “A supply chain between a manufacturer and a consumer becomes unsecure when a distributor or reseller receives or sells products from unknown or unauthorized sources.”

The moment the systems infected with Nitol were turned on, they tried to connect to some C&C centers to fetch commands from bot-masters. The botnet was run from a web domain associated to cybercrime since 2008. The domain had 70,000 sub-domains used by 500 different malware samples used in separate attacks.

The Chinese owner of the 3322.org domain says his company had “zero tolerance” towards such practices and opposes the use “of any of our domain names for malicious purposes.”