WASHINGTON—A customer in Shenzhen, China, took a brand new laptop out of its box and booted it up for the first time. But as the screen lit up the computer took on a life of its own, triggered by a virus hidden in its hard drive, and began searching across the Internet for another computer.
The laptop, supposedly in direct-from-the-factory condition, had instantly become part of an illegal, global network capable of attacking websites, looting bank accounts and stealing personal data.
For years, online investigators have warned consumers about the dangers of opening or downloading files. Now, they say malicious software and computer code could be lurking on computers before the bubble wrap even comes off.
The shopper in this case was part of a team of Microsoft researchers in China investigating the sale of counterfeit software. They suddenly had been introduced to a malware called Nitol. The incident was revealed in court documents unsealed in a federal court in Virginia.
The investigation by Microsoft’s digital crimes unit began in August 2011 as a study into the sale and distribution of counterfeit versions of Windows.
Microsoft employees in China bought 20 new computers from retailers and found forged versions of Windows on all the machines and malware pre-installed on four. The one with Nitol, however, was the most alarming because the malware was active.
“As soon as we powered on this particular computer, of its own accord without any instruction from us, it began reaching out across the Internet, attempting to contact a computer unfamiliar to us,” Stratton said in the document filed with the court.
The laptop was made by Hedy, a computer manufacturer in Guangzhou, China, according to the court records. The company, reached by phone, declined to answer questions.
Stratton and his colleagues also found Nitol to be highly contagious. They inserted a thumb drive into the computer and the virus immediately copied itself onto it. When the drive was inserted into a separate machine, Nitol quickly copied itself again.
The documents these events were gleaned from are part of a computer fraud lawsuit filed by Microsoft against a web domain registered to a Chinese businessman named Peng Yong. The domain is home base for Nitol and more than 500 other types of malware, making it the largest single repository of infected software that Microsoft officials have ever encountered.
Peng, the owner of an Internet services firm, denied the allegations and said his company does not tolerate improper conduct on the domain, 3322.org.
What emerges most vividly from the court records and interviews with Microsoft officials is a disturbing picture of weaknesses in computer supply chains. To increase profit margins, less reputable computer manufacturers and retailers may use counterfeit copies of popular software products to build machines more cheaply.
“They’re really changing the ways they try to attack you,” said Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft’s digital crimes unit.
And distance doesn’t equal safety. Nitol, for example, is an aggressive virus found on computers in China, the U.S., Russia, Australia and Germany. Microsoft has even identified servers in the Cayman Islands controlling Nitol-infected machines. All these compromised computers become part of a botnet—a collection of compromised computers—one of the most invasive and persistent forms of cybercrime.
Nitol, meanwhile, appears poised to strike. Infection rates have peaked, according to Patrick Stratton, a senior manager in Microsoft’s digital crimes unit who filed a document in the court case explaining Nitol and its connection to the 3322.org domain.
Microsoft examined thousands of samples of Nitol, which has several variants, and all of them connected to command-and-control servers associated with the 3322.org domain, according to the court records.
3322.org accounted for more than 17 per cent of the world’s malicious web transactions in 2009, according to Zscaler, a computer security firm in San Jose, California. In 2008, Russian security company Kaspersky Lab reported that 40 per cent of all malware programs, at one point or another, connected to 3322.org.
Associated Press researcher Fu Ting in Shanghai contributed to this report.