Brand new computers sold in China contain malware that is being used to spy on users and connect with other computers to attack websites, an investigation by Microsoft has found.


Malicious software (malware) is nothing new, but it is usually downloaded to computers from websites visited by the user. A Microsoft investigation has found the harmful software is being installed onto computers before they even go on sale.

Embedded in counterfeit versions of the Windows operating system, the malware is engineered to monitor users' activities - such as logging keystrokes and browsing history - and to link up with other infected computers to conduct distributed denial-of-service (DDoS) attacks on websites, forcing them offline by bombarding them with traffic.

Called 'Nitol', the piece of malicious software was found pre-installed on a number of computers as part of Microsoft's investigation, dubbed Operation b70, and can spread quickly through USB drives.

This week a court in Virginia, USA, gave Microsoft control over the domain hosting the botnet, meaning the company is able to disrupt more than 500 different strains of malware, which had the potential for targeting "millions of innocent people."

Microsoft's research into Nitol uncovered that the botnet was being hosted on a domain linked to malicious activity since 2008. The study also revealed that, in addition to hosting the Nitol botnet, the domain contained 500 different strains of malware hosted on more than 70,000 sub-domains.

Like an infectious disease

"We found malware capable of remotely turning on an infected computer's microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim's home or business," Microsoft said.

The company continued: "Twenty percent of the PCs researchers bought from an unsecure supply chain were infected with malware. Making matters worse, the malware was capable of spreading like an infectious disease through devices like USB flash drives, potentially causing the victim's family, friends and co-workers to become infected with malware when simply sharing computer files."

The computer giant warned that its findings raise questions over the integrity of computer part supply chains.

Richard Domingues Boscovich of Microsoft's Digital Crimes Unit, which carried out the investigation, said that the criminals are "out to get you," adding: "They will do whatever it takes. If the supply chain is how they're going to get on [computers], that's what they're going to do."

Operation b70 saw Chinese nationals working on behalf of Microsoft purchase 20 laptops and desktop computers from PC shops in various Chinese cities. All of the machines were found to be running counterfeit copies of Windows XP or Windows 7.

Three of the computers contained malware that had become inactive, but a fourth had a live piece of malware called Nitol.A, which awoke when the computer was connected to the internet.

Microsoft declined to name the brands of the three computers with inactive malware, referring to them only as "major manufacturers", but the one machine with active malware was made by Hedy, a manufacturer based in Guangzhou, China, and was purchased in Shenzhen.

Computers in China often leave the factory with only DOS installed; a full operating system is added at a later stage before the machine is sold to consumers, and the infected computers are believed to have been compromised between these two stages.

"Somewhere in that retail or wholesale supply chain, something happens," Boscovich said, adding: "What's especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point as a computer travels among companies that transport and resell the computer.

"So how can someone know if they're buying from an unsecure supply chain? One sign is a deal that appears too good to be true.

"However, sometimes people just can't tell, making the exploitation of a broken supply chain an especially dangerous vehicle for infecting people with malware."