Domain 3322.org contained a "staggering" 500 strains of malware hosted on more than 70,000 sub-domains

Microsoft has taken down a major botnet that used malware distributed through counterfeit Windows software in computers built in China and sold in stores.

Microsoft pulled the plug on the Nitol botnet after getting permission to do so this week from a federal court in Virginia. Dubbed Operation b70, the takedown was the second for Microsoft in the last six months.

The Nitol botnet was being hosted on a domain owned by a Chinese firm and linked to spreading malware since 2008. The domain 3322.org contained a "staggering" 500 strains of malware hosted on more than 70,000 sub-domains, Richard Domingues Boscovich, assistant general counsel for Microsoft, said Thursday in a statement. At times, 40% of all malware programs connected to the domain. The blog KrebsonSecurity reported that the 3322.org domain has been associated for a long time with malware targeted at stealing corporate and government data from U.S. and other Western firms.

Microsoft found malware capable of turning on a computer's microphone and video camera, potentially giving cybercriminals a view of a victim's home or business. Other malware included keyloggers, rootkits, Trojans and software for launching denial of service attacks against websites.

Microsoft discovered nearly 4,000 Nitol-infected Windows computers, which were likely a "small subset" of the total number of infected systems, according to federal court papers. Data gathered in the investigation indicated that infected computers were located in Fairfax, Va., near Washington, D.C., as well as in other states.

The family of Nitol malware appears to have started in China, which had the largest number of the botnet's command-and-control servers, Microsoft said.
Most of the servers are in Beijing, with others in the United States and the Cayman Islands.

Microsoft discovered the botnet after launching, about a year ago, a study on what the company called "unsecure supply chains." The research focused on how malware-riddled counterfeit software found its way into Chinese PCs between the time they leave the manufacturer for the distribution chain and land on a retailer's store shelves. People at greatest risk are those who buy PCs from little-known resellers.

"The spread of Nitol in this way is not related to any vulnerability in Microsoft's systems, but is instead achieved by misleading people into taking steps that result in the infection of their computers or by misleading people into believing their new computer is free from infections and viruses," court papers said.

Once a computer is turned on, the malware is awakened and immediately tries to contact remote servers run by operators of the botnet. From that moment on, the PC is used in denial of service attacks or to transmit the computer user's personal information, such as user IDs and passwords to websites. Microsoft estimates that 20% of the PCs its researchers bought from hacker-infiltrated supply chains in China were infected with malware. In addition, Microsoft found that Nitol malware could be spread through a USB flash drive, which is often used to share files between computers.

On Sept. 10, Microsoft received a restraining order from the Virginia federal court against suspected botnet operator Peng Yong, his company Changzhou Bei Te Kang Mu Software Technology, and as many as three John Does, according to court documents. The order allowed Microsoft to take over the 3322.org domain and block the botnet operation. Security company Nominum assisted Microsoft in the takedown.

In March, Microsoft won court approval for seizing the servers of the Zeus botnet, which cybercriminals used to steal $100 million over five years through bank fraud and identity theft.
Other botnets crippled or taken down by Microsoft over the last two years include Waledac, Rustock and Kelihos.
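The article notes that an infected PC beacons to the botnet's servers as soon as it boots, and that the seized 3322.org domain fronted tens of thousands of sub-domains. A defender's first check after a takedown like this is whether any internal host is still resolving names under that domain. The script below is an added example, not part of the article or any Microsoft tooling: it scans constructed DNS resolver log lines (timestamp, client, query name, all made up here) and reports clients that looked up 3322.org or any of its sub-domains, matching on a label boundary so that a look-alike such as "x3322.org" does not trigger a false positive.

```python
import re
from collections import defaultdict

# Domain the article reports as seized in Operation b70; add others as needed.
WATCHED_SUFFIXES = ("3322.org",)

# Constructed sample resolver log (not real traffic): timestamp, client IP, query name.
SAMPLE_LOG = """\
2012-09-13T08:01:02Z 10.0.0.15 update.microsoft.com
2012-09-13T08:01:05Z 10.0.0.15 abc123.3322.org.
2012-09-13T08:01:09Z 10.0.0.22 mail.x3322.org
2012-09-13T08:02:11Z 10.0.0.15 Def456.3322.ORG
2012-09-13T08:02:40Z 10.0.0.31 3322.org
2012-09-13T08:03:00Z 10.0.0.40 cdn.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so suffix checks are exact."""
    return qname.rstrip(".").lower()


def is_watched(qname: str) -> bool:
    """True if qname is a watched apex domain or one of its sub-domains.
    Requires the apex itself or a '.' before it, so 'x3322.org' is not a hit."""
    q = normalize(qname)
    return any(q == s or q.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_beacons(log_text: str) -> dict:
    """Map each client that resolved a watched name to the sorted names it asked for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, qname = m.groups()
        if is_watched(qname):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_beacons(SAMPLE_LOG).items():
        print(f"{client} resolved: {', '.join(names)}")
```

Point the same logic at your resolver's real query log to list hosts that should be pulled for reimaging or forensic review.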