Court Gives Microsoft License to Kill Botnet
After discovering that counterfeit versions of Windows containing malware were being installed and sold on new PCs in China, Microsoft tracked down the host of the botnet at its source and asked a US court for permission to try a new tactic. The court approved, giving Microsoft the OK to take over the entire ISP that hosted the botnet.
Sep 14, 2012 10:44 AM PT
Microsoft won court approval to pursue cybercriminals infiltrating its supply chain as part of an ongoing investigation into malware-infected computers.
The company's Digital Crimes Unit bought computers from PC malls in China only to find brand-new laptop and desktop computers infected with preinstalled malware that may have spread to millions of PCs around the world.
Some of the devices contained counterfeit copies of Windows XP or Windows 7 with inactive malware. Another, though, was infected with the Nitol virus, which can open up a device to be used in a botnet attack.
They Are Watching
Further investigation, conducted under the codename "Operation b70," found 500 strains of malware hosted on more than 70,000 sub-domains, according to a company blog post about the study. Microsoft warned the malware could turn on a camera to spy on victims or track user keystrokes to record personal information.
Microsoft's investigation stemmed from concerns about insecure supply chains. Researchers found that twenty percent of the PCs they purchased from the infiltrated supply chains had malware that could be spread through removable media such as USB flash drives.
While supply chains may have been hit by cybercriminals in the past, it has not always been possible to trace the attacks back that far, said Michael Murray, managing partner of MAD Security.
"There have been counterfeit versions of Windows for as long as Windows has existed," he told TechNewsWorld. "And those counterfeit versions have often included some form of malware. It's only now that malware is controlled in a centralized fashion that this type of operation can exist. In prior times, when the supply chain was infiltrated by malicious software, it would spread organically, without any way of tracking the infections back to the source."
Microsoft did not respond to our request for further detail on the story.
Taking Matters Into Their Own Hands
The company discovered the virus was hosted on 3322.org, a domain that had been linked to malicious activity since 2008. To go after the cybercriminals, Microsoft's legal team filed a civil complaint against the owner of the domain, Peng Yong, and his company, Changzhou Bei Te Kang Mu Software Technology, or Bitcomm.
The U.S. District Court in Virginia awarded Microsoft the right to take over the domain, thus blocking the spread of the Nitol botnet and an additional 70,000 malicious subdomains, and allowed the legitimate subdomains to continue business without disruption.
The company said the threat of cyber attacks was a real one and it would continue to combat the spread of malware whatever way it could. That attitude, and the court's thumbs up giving Microsoft permission to take control of 3322.org, is an indication that law enforcement officials are recognizing the growing threat of cybercrime, said Murray.
"While it is encouraging that the response is taken somewhat seriously by the legal system, Microsoft didn't take control of a single domain -- they took control of a dynamic DNS system that hosts a huge number of legitimate customers," he said.
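The selective takeover the article describes, blocking the malicious subdomains of 3322.org while the dynamic-DNS service's legitimate customers keep resolving, can be modelled as a sinkhole policy. The following is an added example, not Microsoft's or the court-ordered system's code; the blocked subdomain names, the sinkhole address and the client addresses are constructed for illustration.

```python
from ipaddress import ip_address

SINKHOLE_IP = "192.0.2.1"               # RFC 5737 documentation address (constructed)
RESOLVE_NORMALLY = "RESOLVE_NORMALLY"   # marker: let the legitimate zone data answer


def _normalize(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS clients often send."""
    return name.strip().rstrip(".").lower()


class SinkholePolicy:
    """Sinkhole listed subdomains (and names beneath them); all others keep resolving."""

    def __init__(self, parent: str, blocked_subdomains):
        self.parent = _normalize(parent)
        # Store fully qualified blocked names so membership tests are exact.
        self.blocked = {_normalize(f"{s}.{self.parent}") for s in blocked_subdomains}
        self.hits = []  # (client_ip, queried_name): evidence for incident response

    def in_parent(self, name: str) -> bool:
        n = _normalize(name)
        return n == self.parent or n.endswith("." + self.parent)

    def is_blocked(self, name: str) -> bool:
        """True if the name or any ancestor label below the parent is blocked."""
        n = _normalize(name)
        if not self.in_parent(n):
            return False
        labels = n.split(".")
        # Walk up: x.bad.3322.org -> bad.3322.org -> stop at the parent itself.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == self.parent:
                break
            if candidate in self.blocked:
                return True
        return False

    def answer(self, client_ip: str, name: str) -> str:
        """A-record answer the sinkhole gives; blocked names also log the client."""
        ip_address(client_ip)  # fail fast on a malformed source address
        if self.is_blocked(name):
            self.hits.append((client_ip, _normalize(name)))
            return SINKHOLE_IP
        return RESOLVE_NORMALLY


def infected_clients(policy: SinkholePolicy) -> set:
    """Distinct source addresses that asked for a blocked name: the triage list."""
    return {ip for ip, _ in policy.hits}
```

The hit log is what turns the takeover into a detection source: every client that resolves a blocked name is a machine worth cleaning, while queries for unlisted subdomains pass through untouched.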
A comprehensive cybersecurity bill was recently debated in Congress as well, and although it didn't pass, it brought attention to the debate over the courts' involvement in fighting cyber attacks, said David Segal, executive director of Demand Progress.
"There's a newly empowered base of Internet activists across the United States, and alongside us stands a newly-strengthened corps of pro-privacy senators," he told TechNewsWorld.
Other Side of the Coin
But that could have significant consequences for the way the courts work with tech companies to battle cybercriminals, said Murray, noting that it would look different if the situation were reversed.
"Imagine the hypothetical that an American ISP became infected and an overseas software vendor got a court order in their country to shut down the domain name for that ISP, leaving all of the customers stranded. It wouldn't be looked at nearly as favorably by the security community."
Aside from the consequences, though, it's a growing reminder that consumers can't be too careful when purchasing electronics. In addition to fighting the spread of the malware, Microsoft offers a support site with tools for analyzing and cleaning infected devices. For customers looking to purchase a new Microsoft computer, Murray has advice.
"Buy legitimate software from legitimate hardware vendors and ensure that they run the appropriate end-point protections," he said.