Saturday, 15 September 2012 16:23

Microsoft Links Malware and Piracy To Close Down Nitol Botnet

Written by
Rate this item
(0 votes)

Reading time is around minutes.
News light-virus-1

There is nothing like buy a brand new PC complete with Malware designed to steal your personal information. Unfortunately that is exactly what has happened in a few stores in China. Microsoft conducted an investigation into the Nitol Botnet and during this investigation delved into some of the supply chain to Chinese retailers. What they found was that many computers are infected before they leave the factories. According to Microsoft the bought 20 computers from different locations in China and out of the twenty only 4 were found to be infected with Malware.

What is interesting in this investigation is that Microsoft is putting the blame on counterfeit software. Although there is a proven correlation between some pirated software and malware it is not exactly the main method of infection for most malware. What is very interesting about Nitol is that unlike most other malware we are not finding a method of infection readily available on any of the descriptions for the Malware. Even on Microsoft’s definition of the Trojan it skates over the whole subject saying only that it cannot spread on its own. It also seems that this type of "pre-installed" infection only exists in China as we have not heard of any studies Microsoft has conducted in other countries.

This leaves a lot of options for spreading the malware including the use of drive by attacks. We imagine that the majority of systems that get infected with Nitol are either hit with a drive by or through corrupted email attachments. However, pointing out that it showed up in counterfeit software helps Microsoft to hammer home the dangers of using pirated software to the consumer. To them this move and “study” is almost a win-win. They close down a bot-net and perhaps scare a few people away from grabbing that “free” software they saw on a search engine.

Based on both the potential threat that Microsoft painted and the link to counterfeit software Microsoft was able to get permission to seize the domain which was appears to host the command and control servers for the malware. This move will interrupt communications to some systems, but it is unlikely to stop the virus completely. So we are split on our feelings about this move. On the one hand we are happy that Microsoft did something to help slow the spread of a botnet down, but their methods are concerning. The link between Nitol and pirated software is thin only 4 out of the 20 purchased were infected. Coincidentally they all had counterfeit version of software on them; how many of the remaining 16 had counterfeit software, but no infection? That number is statistically important. If the majority had counterfeit software and no infection then it means the connection Microsoft used was an inaccurate one.

Although we hope that this does not happen, we are expecting Microsoft to continue to build on the connection between piracy and malware. Doing this helps them in a few key areas; it justifies their closing the boot process as well as their limits on side loading applications. Microsoft may also feel that they can scare people away from using pirated copies of Windows by proving this link. What they are missing is that there are more infections spread through drive by attacks and corrupted attachments than piracy. Closing off the boot process and limiting programmatic access to applications only favors the malware writers. It will hinder if not actually prevent security firms from developing detection, prevention and removal tools. We already know that Windows 8 is vulnerable to existing exploits like Black Hole 2 so it is only a matter of time before we see the first Windows 8 botnets and mass infections. When those start happening Microsoft’s links between Malware and piracy will not help them at all.

Discuss this in our Forum

Read 4125 times Last modified on Saturday, 15 September 2012 16:31

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.