For years I have heard talk in the industry that much of the counterfeit software available on the Internet is preloaded with malware. How much of it actually is? What types of malware are preloaded on these systems, and what do they allow the attackers to do?
Today, Microsoft’s Digital Crimes Unit (DCU) made an announcement that gives us a glimpse into the answers to these questions. DCU conducted a study to get a sense of how much of the counterfeit software available is preloaded with malware. Microsoft researchers purchased 20 new computers from PC malls; each had counterfeit software preinstalled on it by the distributor. DCU examined the files on these PCs and found malware on four of the 20 computers, a 20 percent infection rate in this admittedly small sample.
Several different types of malware were preinstalled on the computers bought from the PC malls. Together they allowed the attackers to perform a range of actions, including launching DDoS attacks, opening hidden backdoors onto the systems, logging keystrokes and stealing data.
The researchers also identified one piece of malware on these systems that attempted to connect to the command and control servers of a known botnet, Nitol. The ensuing investigation found that the attackers were building this botnet by infecting digital products, such as computers or software, that were then distributed through an insecure supply chain. The malware was also designed to spread via USB flash drives. The subdomains hosting the botnet’s command and control servers were linked to more than 500 different strains of malware, some of which are capable of turning on cameras and microphones attached to infected systems.
In Operation b70, DCU took legal action to disrupt the malware hosted on those subdomains. You can read more about Operation b70 and the DCU’s efforts here: http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx