
Botnet exposes PC supply chain flaw


Johannesburg, 17 Sep 2012

Microsoft has conducted another campaign against a botnet, but that success is tempered by concern over the source of the malware - the PC supply chain itself.

A year ago, researchers from Microsoft's Digital Crimes Unit (DCU) bought 20 PCs from retailers in China, and found that four of them were infected with malware. One of them included the bot component of the Nitol botnet. The DCU's investigations identified command and control servers behind the botnet, and earlier this month, the company, armed with a court order, seized control of Chinese DNS service 3320.org in order to disrupt the botnet's operations.

This is another success story for the Microsoft security team, which targeted the Grum and Zeus botnets earlier this year. Nitol is designed to spread aggressively via removable media such as USB flash disks, and provides the botnet controllers with complete control over the infected machine.

Infection from within the supply chain is always a worrying development. Suborned staff members at device manufacturers are able to install software without fear of anti-virus alerts, and can even add exceptions to the rule set of default AV software.

Numerous similar incidents have been reported in the past, often involving component suppliers:
In 2006, McDonald's Japan had to recall promotional MP3 players after finding them to be infected with Trojan software.
In 2007, TomTom discovered it had been shipping navigation devices with viruses installed.
In 2008, HP discovered that USB flash disks issued for its ProLiant servers were infected with malware.
In 2008, driver disks included with Samsung picture frames were found to carry the Sality worm.
In 2010, Vodafone found it was selling HTC mobile phones infected with the Mariposa botnet agent and other malware.
In 2010, Olympus found that SD cards installed in some of its cameras were infected with a virus.
In 2010, Samsung reported it had found malware on the SD cards shipping in some models of smartphone.
In 2011, an Australian retailer recalled external drives after finding the Conficker worm preloaded on them.
In 2011, Cisco found that it was shipping warranty discs with autorun software which directed clients to infected Web sites.
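Several of the incidents above, and Nitol's own spreading method, rely on removable media that launch a program when mounted. The script below is an added example, not code from the article or from Microsoft: it parses the `autorun.inf` file that such media carry and flags the directives (`open`, `shellexecute`, `shell\...\command`) that would execute a program. The sample `autorun.inf` contents are constructed for illustration, and the `scan_root` helper is a hypothetical wrapper for checking a mounted device.

```python
import configparser
import os

# Constructed sample autorun.inf, not taken from the article: a typical
# layout used by worms that hide their payload in a RECYCLER folder.
SUSPICIOUS_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
label=My Disk
"""

# Constructed benign sample: only cosmetic directives, nothing executes.
BENIGN_AUTORUN_INF = """\
[autorun]
icon=driver.ico
label=Driver Disk
"""

# Directives that cause a program to run when the device is opened.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Interpolation is disabled so values such as %SystemRoot% are kept
    verbatim; strict=False tolerates duplicate keys that sloppy or
    malicious files often contain.
    """
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))


def suspicious_directives(text):
    """List the (key, value) pairs that would launch a program."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command")
        )
        if launches:
            findings.append((key, value))
    return findings


def scan_root(mount_path):
    """Hypothetical helper: inspect a mounted device's root for autorun.inf.

    Returns None when no autorun.inf exists, otherwise the list of
    program-launching directives (empty list means cosmetic-only file).
    """
    path = os.path.join(mount_path, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return suspicious_directives(fh.read())


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_AUTORUN_INF),
                         ("benign", BENIGN_AUTORUN_INF)):
        hits = suspicious_directives(sample)
        print(f"{name}: {len(hits)} launch directive(s)")
        for key, value in hits:
            print(f"  {key} -> {value}")
```

A hit on a freshly unboxed device is a strong signal that the media should be imaged and examined before it touches a production machine. Note that Windows 7 and later no longer honour `autorun.inf` on USB storage by default, but the file still reveals intent, and optical media remain subject to AutoRun, which is why the Cisco warranty-disc case above mattered.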
