Microsoft Finds Computers In China Pre-Installed With Malware

After a year-long investigation, Microsoft concluded on Thursday that a number of computers produced in a Chinese factory were infected with the “Nitol” malware, which installs a keylogger on the system and even allows for remote access to a computer’s on-board microphone and video camera, all without the user knowing.

Microsoft says that it first heard claims in August of last year that some computers were being sent to retail in China with malware installed after leaving the factory. Microsoft kicked off an investigation, dubbed “Operation b70”, and tasked employees with buying ten computers and ten laptops to see if any of them had malware. Sure enough, Microsoft discovered that four of them did.

“We found malware capable of remotely turning on an infected computer’s microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim’s home or business,” Richard Domingues Boscovich, assistant general counsel of Microsoft’s digital crimes unit, said in a blog post. “Additionally, we found malware that records a person’s every key stroke, allowing cybercriminals to steal a victim’s personal information.”

Most of the malware was not active, Microsoft found, but the “Nitol” virus was. The virus turns the infected PC into a zombie, secretly connecting it to a command-and-control server where it can then be used to carry out Distributed Denial of Service (DDoS) attacks.

“The Nitol botnet malware itself carries out distributed denial of service (DDoS) attacks that are able to cripple large networks by overloading them with Internet traffic, and creates hidden access points on the victim’s computer to allow even more malware,” Boscovich explained.

After making the discovery, Microsoft was able to get permission from a United States court to directly go after the botnet, which was being hosted on the Chinese-hosted website 3322.org, and take it down.

“This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322.org domain, and will help rescue people’s computers from the control of this malware,” Boscovich added.

Correction: This article originally stated that the malware was installed at the OEM location, the malware was actually installed somewhere between leaving the manufacturing location and reaching customers.