Chinese computers come pre-installed with “malware”

September 19, 2012 07:12

Microsoft has just discovered that new computers sold in China come with pre-installed malware that stays hidden, waiting for commands to infiltrate the user's computer, steal bank-account credentials and other sensitive data, and remotely control the machine to attack websites.



Using pirated software can easily lead to infection by "backdoor" malware - Photo: Duc Thien

The case was revealed in court documents unsealed on September 13 in a federal court in Virginia (USA). The documents describe a Microsoft campaign against cybercriminals targeting the Windows operating system, the biggest target of viruses. In the course of it, Microsoft uncovered a particularly malicious piece of malware called Nitol.


China's "back door"

Microsoft investigators in China purchased 20 new computers from retailers and connected them to the Internet. Pirated versions of Windows were pre-installed on all of the computers, and four of them were “gifted” with malware. One computer carrying Nitol was the most notable: the malware woke up and ran as soon as the investigators first turned the machine on, without any user interaction. Nitol installs backdoors that let cybercriminals remotely control the computer to send spam, spy on the user, steal personal data, or attack websites. The Nitol-infected laptop was manufactured by the Hedy Computer Company in Guangzhou, China.

Microsoft's documents describe how the Nitol malware works: “As soon as we turn on the machine, it starts scanning the Internet for another computer to communicate with.” It spreads alarmingly fast: simply plugging a USB drive into a Nitol-infected machine causes the malware to copy itself onto the drive, and plugging that drive into any other computer then infects the new machine. In the court documents, Microsoft provided several thousand samples of Nitol, covering many different variants.

According to Microsoft, despite the geographical distance, Nitol has spread rapidly to many computers in China, the United States, Russia, Australia and Germany. As the number of infected computers grows, they form the Nitol botnet (a network of "ghost" computers remotely controlled by the botnet's operators), a money-making tool for cybercriminals. Once such a botnet reaches hundreds of thousands, millions or more "ghost computers" (infected machines), it can threaten any computer system in the world.

During the investigation, Microsoft also found that every Nitol variant on the infected computers connected to C&C (command and control) servers associated with the domain name 3322.org, which belongs to a Chinese company. Microsoft alleged that this domain was the main hub for illegal activity: it serves as the home base not only for Nitol but for more than 560 other kinds of malware, making it the largest repository of "infected" software Microsoft has ever encountered. US security companies had previously warned that 3322.org accounted for more than 17% of the world's malicious web transactions in 2009, and in 2008 Kaspersky Lab (Russia) published a security report indicating that, at one point, 40% of malware programs were connecting to 3322.org.



David Anselmi, senior director of Microsoft's computer crime investigation department, shows the Nitol malware distribution diagram - Photo: THOMPSON/AP

Vietnamese computers may be infected

According to data from the General Statistics Office of Vietnam, in the first eight months of this year the import turnover of electronic goods, computers and components reached 8 billion USD, a sharp increase of 88.7% over the same period last year. Meanwhile, China is Vietnam's largest import market, with an import turnover of 18.2 billion USD, up 17.9% over the same period in 2011. This is easy to see from the massive presence of Chinese-made computers in retail stores across Vietnam.



A series of newspapers from many countries published the Nitol "malware" case.


The danger of the "back door"

According to Mr. Vo Do Thang, when a computer has a "backdoor", it can be completely controlled from the outside. Hackers can illegally access the user's computer, monitor how the user uses it, such as their website access history, steal usernames/passwords for online transactions, or turn the computer into a tool that spreads the botnet to other computers...

If these dangers materialize, the consequences can be serious, because all of the user's activity is under an outsider's control and their information is stolen. In particular, when Vietnamese users shop online, information such as credit card numbers and passwords for bank accounts can be captured by hackers and used to steal money.

A representative of a computer retailer said: most computer brands have their products manufactured in China, and distributors in Vietnam also import mainly from China. Computer products may or may not come with pre-installed software. Computers with licensed software installed sell at higher prices; however, retailers cannot verify the licensing of the software installed on the computer (!?).

Meanwhile, according to Microsoft's investigation documents, many unbranded computer manufacturers and disreputable retailers have not hesitated to pre-install pirated software on computers to cut costs. Consumers have no way of knowing that the product they have just bought comes with pre-installed malware carrying extremely dangerous “backdoors”. They have unwittingly become “very tasty” targets for cybercriminals.

Talking to us, Mr. Vo Do Thang, Director of the Athena Training and Cyber Security Center, said: “The characteristic of a botnet is its ability to spread and propagate very quickly over the Internet. Therefore, given the discovery of the botnet and the investigation by Microsoft's experts, I believe that Nitol may be present in Vietnam.” According to Mr. Thang, Nitol can attack Vietnamese users by silently opening “backdoors” so that remote cybercriminals can illegally access users' computers. This process happens very quietly, so it is very difficult for end users without specialized knowledge to detect.

Previously, the security company Kaspersky Lab had published detailed findings on the most dangerous spyware of the day, such as Flame and Madi, malware that specializes in stealing confidential information from sensitive systems, including nuclear plants and government computer systems. Mr. Jimmy Low, Kaspersky Lab's Southeast Asia security expert, once warned: "Because Flame's control centers (C&C servers - command and control servers) were found in China and India - the two largest countries in Asia - I think that cybercriminals can completely use similar C&C servers to attack targets in Vietnam or Southeast Asia if they want."


How to prevent "back door"

Mr. Vo Do Thang said that to avoid being hacked through the "back door", users should not visit websites or download and install software from unknown sources. At the same time, users should regularly update their anti-virus and firewall programs to protect their personal computers, and use programs that detect websites carrying malware and spyware, such as McAfee SiteAdvisor... Such a program warns users when they visit websites carrying malware, spyware or "back doors"..., and at the same time blocks further access to keep the computer from being infected.

For the Nitol malware, Microsoft said it redirected Internet traffic destined for the 3322.org domain to a special website under its own control. From there, Microsoft tried to warn users of infected computers to update their antivirus software and remove Nitol. Microsoft has so far blocked 37 million malicious connections to the 3322.org domain.
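The two facts above, that every Nitol variant phoned home to a host under 3322.org and that Microsoft answered that traffic with its own warning site, give a defender a simple way to find infected machines on their own network: look for clients resolving names under that domain. The script below is an added example written for this article, not Microsoft's tooling or anything from the court documents. It assumes a hypothetical DNS resolver log format (timestamp, client IP, queried name, record type), and the log lines and subdomain names in it are constructed for the demonstration. It matches label-wise from the right rather than by substring, so a lookalike such as `3322.org.example.net` is not flagged.

```python
import re
from collections import defaultdict

# Domain named in the article as the Nitol C&C hub. Any name under it
# is treated as suspicious; add further domains here as needed.
WATCHED_DOMAINS = ("3322.org",)

# Constructed sample of resolver log lines (hypothetical format:
# timestamp, client IP, queried name, record type). Not real traffic;
# the subdomains are made up for the example.
SAMPLE_LOG = """\
2012-09-14T08:01:02Z 192.0.2.10 update.example.com A
2012-09-14T08:01:05Z 192.0.2.24 host1.3322.org A
2012-09-14T08:01:09Z 192.0.2.10 www.example.org AAAA
2012-09-14T08:02:11Z 192.0.2.24 notthis.3322.org.example.net A
2012-09-14T08:02:15Z 192.0.2.31 3322.org A
2012-09-14T08:03:40Z 192.0.2.24 dns.3322.org A
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_watched(qname, watched=WATCHED_DOMAINS):
    """True if qname is a watched domain or a subdomain of one.

    Plain substring matching would flag 3322.org.example.net, which is an
    unrelated name, so the comparison is anchored at the right-hand end
    of the name (exact match, or '.' + domain as a suffix).
    """
    name = qname.rstrip(".").lower()
    for dom in watched:
        dom = dom.lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def scan_dns_log(text, watched=WATCHED_DOMAINS):
    """Return {client_ip: [queried names]} for every client that looked up
    a watched domain.

    A client on this list is a candidate infected host that should be
    isolated and scanned; a single lookup is a lead, not proof on its own.
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname, _rtype = m.groups()
        if is_watched(qname, watched):
            hits[client].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} lookup(s) -> {', '.join(names)}")
```

In practice the same check can be pointed at whatever resolver or proxy log the network keeps, and the list of watched domains extended with others that are published as sinkholed; the right-anchored suffix match is the part worth keeping, since it is what prevents false positives on unrelated names that merely contain the string.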

According to Tuoitre-M
