While recently investigating counterfeit versions of the Windows operating system, Microsoft uncovered a security threat involving pre-loaded malware. The counterfeit operating systems and malware were found on brand-new computers manufactured and sold in China.
The discovery further led to a server hosting 500 different pieces of malware, including Nitol. Some of the malicious code found is capable of keystroke logging, denial-of-service attacks, rootkits, backdoors and more.
Nitol is a program that creates a "bot" on a user's computer which connects to a network center, or "botnet." There, hackers can subvert the infected computer to do their bidding by issuing commands remotely. Nitol is capable of launching DDoS attacks against targets, opening backdoors for additional malware infections, or monitoring activity by turning on a computer's microphone or video camera.
The botnet was traced to a domain host, 3322.org. The court granted Microsoft a temporary restraining order against Bei Te Kang Mu Software Technology, its owner Peng Yong and three others, allowing Microsoft to block the operation of the Nitol botnet. Microsoft was also granted an injunction making it the authoritative name server for 3322.org.
"This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322.org domain, and will help rescue people's computers from the control of this malware," a Microsoft spokesman reported.
According to Microsoft, 85 percent of Nitol infections have been detected in China and close to 10 percent in the U.S.; 80 percent of command-and-control servers were also located in China and 15 percent in the U.S. Microsoft was unable to determine where in the supply chain the malware was loaded onto the infected computers; the goal of the initial investigation was to uncover usage of counterfeit Windows software.