Saturday, 15 September 2012 16:23

Microsoft Links Malware and Piracy To Close Down Nitol Botnet


There is nothing like buying a brand new PC complete with malware designed to steal your personal information. Unfortunately that is exactly what has happened in a few stores in China. Microsoft conducted an investigation into the Nitol botnet and, during this investigation, delved into part of the supply chain to Chinese retailers. What they found was that many computers are infected before they leave the factories. According to Microsoft, they bought 20 computers from different locations in China, and out of the twenty only 4 were found to be infected with malware.

What is interesting in this investigation is that Microsoft is putting the blame on counterfeit software. Although there is a proven correlation between some pirated software and malware, it is not exactly the main method of infection for most malware. What is very interesting about Nitol is that, unlike most other malware, we are not finding a method of infection readily available in any of the descriptions of the malware. Even Microsoft’s own definition of the Trojan skates over the whole subject, saying only that it cannot spread on its own. It also seems that this type of "pre-installed" infection only exists in China, as we have not heard of any studies Microsoft has conducted in other countries.

This leaves a lot of options for spreading the malware, including the use of drive-by attacks. We imagine that the majority of systems that get infected with Nitol are either hit with a drive-by or through corrupted email attachments. However, pointing out that it showed up in counterfeit software helps Microsoft hammer home the dangers of using pirated software to the consumer. To them this move and “study” is almost a win-win. They close down a botnet and perhaps scare a few people away from grabbing that “free” software they saw on a search engine.

Based on both the potential threat that Microsoft painted and the link to counterfeit software, Microsoft was able to get permission to seize the domain 3322.org, which appears to host the command and control servers for the malware. This move will interrupt communications to some systems, but it is unlikely to stop the virus completely. So we are split on our feelings about this move. On the one hand we are happy that Microsoft did something to help slow the spread of a botnet, but their methods are concerning. The link between Nitol and pirated software is thin: only 4 out of the 20 purchased were infected. Coincidentally they all had counterfeit versions of software on them; how many of the remaining 16 had counterfeit software but no infection? That number is statistically important. If the majority had counterfeit software and no infection, then the connection Microsoft used was an inaccurate one.

Although we hope that this does not happen, we are expecting Microsoft to continue to build on the connection between piracy and malware. Doing this helps them in a few key areas: it justifies their locking down of the boot process as well as their limits on side loading applications. Microsoft may also feel that they can scare people away from using pirated copies of Windows by proving this link. What they are missing is that there are more infections spread through drive-by attacks and corrupted attachments than through piracy. Closing off the boot process and limiting programmatic access to applications only favors the malware writers. It will hinder, if not actually prevent, security firms from developing detection, prevention and removal tools. We already know that Windows 8 is vulnerable to existing exploit kits like Black Hole 2, so it is only a matter of time before we see the first Windows 8 botnets and mass infections. When those start happening, Microsoft’s links between malware and piracy will not help them at all.


Last modified on Saturday, 15 September 2012 16:31
