Microsoft taking on aggressive new Nitol botnet
»Play Video
WASHINGTON (AP) - A customer in Shenzhen, China, took a new laptop out of its box and booted it up for the first time. But as the screen lit up, the computer began taking on a life of its own. The machine, triggered by a virus hidden in its hard drive, began searching across the Internet for another computer.
The laptop, supposedly in pristine, super-fast, direct-from-the-factory condition, had instantly become part of an illegal, global network capable of attacking websites, looting bank accounts and stealing personal data.
For years, online investigators have warned consumers about the dangers of opening or downloading emailed files from unknown or suspicious sources. Now, they say malicious software and computer code could be lurking on computers before the bubble wrap even comes off.
The shopper in this case was part of a team of Microsoft researchers in China investigating the sale of counterfeit software. They received a sudden introduction to malware called Nitol. The incident was revealed in court documents unsealed Thursday in a federal court in Virginia. The records describe a new front in a legal campaign against cybercrime being waged by the maker of the Windows operating system, which is the biggest target for viruses.
The documents are part of a computer fraud lawsuit filed by Microsoft against a web domain registered to a Chinese businessman named Peng Yong. The company says the domain is a major hub for illicit Internet activity, home base for Nitol and more than 500 other types of malware, which makes it the largest single repository of infected software that Microsoft officials have encountered.
Peng, the owner of an Internet services firm, said he was not aware of the Microsoft suit. He denied the allegations and said his company does not tolerate improper conduct on the domain, 3322.org. Three other unidentified individuals accused by Microsoft of establishing and operating the Nitol network are also named in the suit.
What emerges most vividly from the court records and interviews with Microsoft officials is a disturbing picture of how vulnerable Internet users have become, in part because of weaknesses in computer supply chains. To increase their profit margins, less reputable computer manufacturers and retailers may use counterfeit copies of popular software products to build machines more cheaply. Plugging the holes is nearly impossible, especially in less regulated markets such as China, and that leaves openings for cybercriminals.
"They're really changing the ways they try to attack you," said Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft's digital crimes unit.
Distance doesn't equal safety. Nitol, for example, is an aggressive virus found on computers in China, the United States, Russia, Australia and Germany. Microsoft has even identified servers in the Cayman Islands controlling Nitol-infected machines. All these compromised computers become part of a botnet, or collection of compromised computers; it's one of the most invasive and persistent forms of cybercrime.
Nitol appears poised to strike. Infection rates have peaked, according to Patrick Stratton, a senior manager in Microsoft's digital crimes unit who filed a document in the court case explaining Nitol and its connection to the 3322.org domain.
For Microsoft, pursuing cybercriminals is a smart business. Its Windows operating system runs most of the computers connected to the Internet. Victims of malware are likely to believe their problems stem from Windows instead of a virus they are unaware of, and that damages the company's brand and reputation.
But more than Microsoft's image is stake when counterfeit products are tainted by malware that spreads so rapidly, Boscovich said. "It's more than simply a traditional intellectual property issue," Boscovich said. "It's now become a security issue."
The investigation by Microsoft's digital crimes unit began in August 2011 as a study into the sale and distribution of counterfeit versions of Windows. Microsoft employees in China bought 20 new computers from retailers and took them back to a home with an Internet connection.
They found forged versions of Windows on all the machines and malware already installed on four. The one with Nitol, however, was the most alarming because the malware was active.
"As soon as we powered on this particular computer, of its own accord without any instruction from us, it began reaching out across the Internet, attempting to contact a computer unfamiliar to us," Stratton said in the document filed with the court.
The laptop was made by Hedy, a computer manufacturer in Guangzhou, China, according to the court records. The company, reached by phone, declined to answer questions.
Stratton and his colleagues also found Nitol to be highly contagious. They inserted a thumb drive into the computer and the virus immediately copied itself onto it. When the drive was inserted into a separate machine, Nitol quickly copied itself on to it.
Microsoft examined thousands of samples of Nitol, which has several variants, and all of them connected to command-and-control servers associated with the 3322.org domain, according to the court records.
"In short, 3322.org is a major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people worldwide," Microsoft said in its lawsuit.
Peng, the registered owner of 3322.org, said he has "zero tolerance" for the misuse of domain names and works with Chinese law enforcement whenever there are complaints. Still, he said, his huge customer base makes policing difficult.
"Our policy unequivocally opposes the use of any of our domain names for malicious purposes," Peng said in a private chat via Sina Weibo, a service like Twitter that's very popular in China. "We currently have 2.85 million domain names and cannot exclude that individual users might be using domain names for malicious purposes."
Peng is the founder and chief executive of Bitcomm, a company he and his wife own. They founded an earlier company, which started 3322.org in 2001. Bitcomm took over the domain in 2007.
Past warnings by other online security firms have been ignored by Peng, according to Boscovich. 3322.org accounted for more than 17 percent of the world's malicious web transactions in 2009, according to Zscaler, a computer security firm in San Jose, Calif. In 2008, Russian security company Kaspersky Lab reported that 40 percent of all malware programs, at one point or another, connected to 3322.org.
U.S. District Judge Gerald Bruce Lee, who is presiding in the case, granted a request from Microsoft to begin steering Internet traffic from 3322.org that has been infected by Nitol and other malwares to a special site called a sinkhole. From there, Microsoft can alert affected computer users to update their anti-virus protection and remove Nitol from their machines.
Since Lee issued the order, more than 37 million malware connections have been blocked from 3322.org, according to Microsoft.
The laptop, supposedly in pristine, super-fast, direct-from-the-factory condition, had instantly become part of an illegal, global network capable of attacking websites, looting bank accounts and stealing personal data.
For years, online investigators have warned consumers about the dangers of opening or downloading emailed files from unknown or suspicious sources. Now, they say malicious software and computer code could be lurking on computers before the bubble wrap even comes off.
The shopper in this case was part of a team of Microsoft researchers in China investigating the sale of counterfeit software. They received a sudden introduction to malware called Nitol. The incident was revealed in court documents unsealed Thursday in a federal court in Virginia. The records describe a new front in a legal campaign against cybercrime being waged by the maker of the Windows operating system, which is the biggest target for viruses.
The documents are part of a computer fraud lawsuit filed by Microsoft against a web domain registered to a Chinese businessman named Peng Yong. The company says the domain is a major hub for illicit Internet activity, home base for Nitol and more than 500 other types of malware, which makes it the largest single repository of infected software that Microsoft officials have encountered.
Peng, the owner of an Internet services firm, said he was not aware of the Microsoft suit. He denied the allegations and said his company does not tolerate improper conduct on the domain, 3322.org. Three other unidentified individuals accused by Microsoft of establishing and operating the Nitol network are also named in the suit.
What emerges most vividly from the court records and interviews with Microsoft officials is a disturbing picture of how vulnerable Internet users have become, in part because of weaknesses in computer supply chains. To increase their profit margins, less reputable computer manufacturers and retailers may use counterfeit copies of popular software products to build machines more cheaply. Plugging the holes is nearly impossible, especially in less regulated markets such as China, and that leaves openings for cybercriminals.
"They're really changing the ways they try to attack you," said Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft's digital crimes unit.
Distance doesn't equal safety. Nitol, for example, is an aggressive virus found on computers in China, the United States, Russia, Australia and Germany. Microsoft has even identified servers in the Cayman Islands controlling Nitol-infected machines. All these compromised computers become part of a botnet, or collection of compromised computers; it's one of the most invasive and persistent forms of cybercrime.
Nitol appears poised to strike. Infection rates have peaked, according to Patrick Stratton, a senior manager in Microsoft's digital crimes unit who filed a document in the court case explaining Nitol and its connection to the 3322.org domain.
For Microsoft, pursuing cybercriminals is a smart business. Its Windows operating system runs most of the computers connected to the Internet. Victims of malware are likely to believe their problems stem from Windows instead of a virus they are unaware of, and that damages the company's brand and reputation.
But more than Microsoft's image is stake when counterfeit products are tainted by malware that spreads so rapidly, Boscovich said. "It's more than simply a traditional intellectual property issue," Boscovich said. "It's now become a security issue."
The investigation by Microsoft's digital crimes unit began in August 2011 as a study into the sale and distribution of counterfeit versions of Windows. Microsoft employees in China bought 20 new computers from retailers and took them back to a home with an Internet connection.
They found forged versions of Windows on all the machines and malware already installed on four. The one with Nitol, however, was the most alarming because the malware was active.
"As soon as we powered on this particular computer, of its own accord without any instruction from us, it began reaching out across the Internet, attempting to contact a computer unfamiliar to us," Stratton said in the document filed with the court.
The laptop was made by Hedy, a computer manufacturer in Guangzhou, China, according to the court records. The company, reached by phone, declined to answer questions.
Stratton and his colleagues also found Nitol to be highly contagious. They inserted a thumb drive into the computer and the virus immediately copied itself onto it. When the drive was inserted into a separate machine, Nitol quickly copied itself on to it.
Microsoft examined thousands of samples of Nitol, which has several variants, and all of them connected to command-and-control servers associated with the 3322.org domain, according to the court records.
"In short, 3322.org is a major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people worldwide," Microsoft said in its lawsuit.
Peng, the registered owner of 3322.org, said he has "zero tolerance" for the misuse of domain names and works with Chinese law enforcement whenever there are complaints. Still, he said, his huge customer base makes policing difficult.
"Our policy unequivocally opposes the use of any of our domain names for malicious purposes," Peng said in a private chat via Sina Weibo, a service like Twitter that's very popular in China. "We currently have 2.85 million domain names and cannot exclude that individual users might be using domain names for malicious purposes."
Peng is the founder and chief executive of Bitcomm, a company he and his wife own. They founded an earlier company, which started 3322.org in 2001. Bitcomm took over the domain in 2007.
Past warnings by other online security firms have been ignored by Peng, according to Boscovich. 3322.org accounted for more than 17 percent of the world's malicious web transactions in 2009, according to Zscaler, a computer security firm in San Jose, Calif. In 2008, Russian security company Kaspersky Lab reported that 40 percent of all malware programs, at one point or another, connected to 3322.org.
U.S. District Judge Gerald Bruce Lee, who is presiding in the case, granted a request from Microsoft to begin steering Internet traffic from 3322.org that has been infected by Nitol and other malwares to a special site called a sinkhole. From there, Microsoft can alert affected computer users to update their anti-virus protection and remove Nitol from their machines.
Since Lee issued the order, more than 37 million malware connections have been blocked from 3322.org, according to Microsoft.
SOME OF US have been complaining of alien crap in OEM installs for years, but most of us are Linux users, so we get ignored. So ignore us if your false pride mandates that, but don't act like no one ever said anything before. We've been tracking altered chips, companies, and sometimes even people for years now. And don't trip. We give the downlo away free, just like the rest of it.
Is there anything left the Chinese haven't stole, copied, corrupted, reverse engineered on this planet?
@Larry*X*K The Chinese make a really high amount of products for the world, including some of the latest technology. They have plenty of "samples" on hand to reverse engineer so none of this comes as a surprise. Maybe we wouldn't have any of these problems if Iran stepped up their manufacturing and companies use their services instead... :P
 @Larry*X*K Asians, stealing western technology?
Â
Say it isn't so!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 @Howard Beale  @Larry*X*KÂ
Why the hell would you group all Asians into this? It's like saying Europeans committed Holocaust.
This article is very interesting. One most consumers should read.
Peng Yong might want to reconsider his "I'm just a hapless victim too" stance now that Bruce Lee is on the case.
On the bright side, having a large percentage of the world's malware originating all from the same place probably makes it easier to deal with from a security perspective. Â They already know where to look!
Â
And before anybody says, "See how bad Windows OS is, they are full of security issues, Apple and Linux don't have security problems." Â Remember that Windows OS counts for more than 90% of all computers world-wide. Â If you were a malicious software developer, which OS would you target? Â Â
 @Landshark Actually, Apple has been hit with malware and the general recommendation now is you should be running virus protection on OSX products. What the bad guys are doing is creating a sniffer before delivering a payload, looking for Linux/Android, OSX or WinOS. Then based on the OS delivers a specific payload of malware custom made for that OS. It's a big problem.
@Landshark And as it increasingly matters less what kind of OS or device you use to get online, so too will those differences diminish in their ability to exclude you from exploits.
 @nodozr  @LandsharkÂ
That's a good point. Â I may be mistaken, but I believe the most widely used PHONE OS is Android, which is ironically linux based. Â If we were to assume the same conclusion (I hate to assume things, but...) it would seem that Android phones might end up the target phone/mobile OS for malicious software in the near future. Â
Â
Maybe the android mobile OS is already a target? I honestly don't know. Personally I use a Windows Phone device and haven't experienced any malware of anykind (not saying it doesn't exist, but if it does it's not widely experienced on the Windows 7 OS, and considering the Windows Phone OS has I believe less than 3% of the mobile OS market, then it would be easy to believe that not much, if any, malware exists for it).
Â
Â
Â
Â
@Landshark I have heard of malware aimed at Android and jailbreaked (jailbroken?) iPhones. They even managed to sneak a nefarious app into iTunes for a while.
But malware is following everyone else right into the cloud and directly targeting social networking sites and online services. These things are platforms unto themselves and are increasingly complex and interconnected--in other words, they're great playgrounds for hackers.
 @Landshark Absolutely. And now that Apple is is gaining market share, I'm sure they're working on that as well. It's the evil element of mankind... it's everywhere including high tech.