Microsoft finds pre-infected PCs, takes down botnet
A supply chain security flaw that allowed cybercriminals to infect new PCs with malware has been disrupted by Microsoft security researchers.
The malware, a botnet called Nitol, was embedded in counterfeit versions of Windows being shipped on new computers. In a company study exploring the security of their suppliers, Microsoft researchers found malware in 20 percent of the computers bought from an unsecure supply chain. Company spokesman Richard Boscovich noted the particularly troubling fact that the software could have entered the chain at any point, given the number of channels a computer travels through prior to production.
Microsoft affirmed its commitment to protecting consumers from counterfeit software, and it called on suppliers, resellers, distributors and retailers to do the same by enforcing stringent security policies. The action was part of the company’s customer and cloud service protection program, Project MARS (Microsoft Active Response for Security).
The Nitol botnet is designed to carry out distributed denial of service (DDoS) attacks and creates access points on an infected computer that enable additional malware to be loaded without detection.
Following the Nitol chain, Microsoft found the malware was being hosted on a domain with more than 500 different strains of malware spread across 70,000 sub-domains. Other malware on the site included code that could remotely turn on an infected computer’s microphone and video camera, allowing a criminal to spy on users, as well as keylogging malware that could harvest personal information.
The threatening domain, 3322.org, was transferred to Microsoft by a United States court order, allowing the company to block the Nitol botnet and other malicious subdomains, while still allowing the site’s legitimate subdomains to operate normally.
The domain’s owner, Peng Yong, told the Associated Press that he was unaware of Microsoft’s action and claimed innocence, citing the difficulty of fully monitoring the 2.85 million domain names his company manages.
Noting that this is the second botnet the company has disrupted in the last six months, Microsoft cautioned against the risks created by an unsecure supply chain, where distributors or resellers contract with unknown or unauthorized sources, creating an endpoint security risk.
“Cybercriminals have made it clear that anyone with a computer could become an unwitting mule for malware; today’s action is a step toward preventing that,” Boscovich wrote.
Security News from SimplySecurity.com by Trend Micro