Microsoft struck another blow against spammers last week in an operation code-named b70. The US District Court for the Eastern District of Virginia granted Microsoft an ex parte temporary restraining order against Peng Yong and other John Does, following a months-long research project into the propagation of malware through the PC supply chain.
Microsoft performed a close study of PC supply chains and found that in many instances, counterfeit versions of operating systems and software, introduced onto PCs at points between the manufacture of the hardware and the purchase at retail, came complete with various malware preinstalled and ready to exploit the consumer. The malware included keyloggers, remote access Trojans, and software that could be used to remotely access webcams and microphones. In many cases this same software could propagate automatically through USB keys, email, and other channels.
Many of the infected systems participated in botnets used to send spam and to launch distributed denial of service attacks against others. The court order allowed Microsoft to disrupt the operations of the Nitol botnet and to take control of the 3322.org domain, taking over DNS operations for that domain and for over 70,000 subdomains, which hosted over 500 different strains of malware.
According to a blog post authored by Richard Boscovich, Assistant General Counsel for Microsoft’s Digital Crimes Unit, the Microsoft study found that as many as 20% of PCs purchased from supply chains using counterfeit software were infected with malware.
Nominum, a DNS solutions and security company, was instrumental in assisting Microsoft with both the research and the legal filings, serving as a declarant in the case. You can read more about this on Microsoft’s DCU blog at http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx, and the legal filings at http://noticeofpleadings.com/.