Internal affairs, cybercriminals target the production line

14 September 2012

Defending yourself against external malware attacks may be one thing, but cybercriminals are starting to use fifth column tactics to get around data loss prevention protocols.

According to the BBC, an internal investigation by Microsoft revealed that computers fresh off the assembly line had already been targeted by criminals, with viruses installed before the product was even boxed. Digital crime investigators working for the technology giant bought a number of PCs, laptops and desktops from different cities in China, discovering that the Nitol botnet had apparently been pre-installed by workers on the production line.

At least four of the 40 products bought by investigators contained malware, with Nitol identified as the most dangerous by data protection experts employed by the global manufacturer. Microsoft set up a series of operations to locate and shut down the virus, which attempted to contact its command and control center as soon as the computer was turned on, leading the firm to believe that cybercriminals were exploiting "insecure supply chains" to get past legitimate web security measures.

Remotely turned on
Writing on the company blog, Richard Boscovich, a lawyer in the digital crimes unit at the firm, said that Microsoft had "found malware capable of remotely turning on an infected computer's microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim's home or business."

"What's especially disturbing is that the counterfeit software embedded with malware could have entered the chain at any point as a computer travels among companies that transport and resell the computer," Boscovich commented, adding that this new tactic made "the exploitation of a broken supply chain an especially dangerous vehicle for infecting people with malware."

Microsoft's investigation, which it codenamed 'Operation b70', revealed that Nitol was being run from a web domain that had been involved in cybercrime since 2008. Apart from the newly discovered virus, the domain, 3322.org, contained 70,000 separate sub-domains that used 500 individual strains of malware to steal data from unsuspecting users.

Digging deeper into Nitol
The company has successfully applied for permission from a U.S. court to dive deeper into the network of compromised PCs that have been infected with Nitol. The owner of the domain name, Peng Yong, a Chinese national, has denied responsibility, saying that his organization has a "zero tolerance attitude to illegal activity."

Having been allowed to take over the hosting of the 3322.org domain, Microsoft will now filter out illegitimate traffic and block any traffic carrying data stolen by the virus.

"Cybercriminals have made it clear that anyone with a computer could become an unwitting mule for malware; today’s action is a step toward preventing that," said Boscovich.

Cybercriminals' and hackers' attempts to introduce malware at source follow a recent attack on 30,000 computers at Saudi Aramco, a state-owned oil company in the Middle East. The Shamoon virus was introduced into the company network and, according to Reuters, sources connected to the internal investigation claimed that it "was someone who had inside knowledge and inside privileges within the company."

While these two incidents may seem unrelated, they highlight a growing concern among companies that fend off malware attacks on a regular basis. Data security in cloud computing may be grabbing the headlines and focusing attention on ensuring that protocols are adequate to deflect an external hack, but if the virus is embedded by an employee or a compromised worker, how can you protect yourself?

The answer to that is that you probably can't, and without vetting every single person connected with the product, companies may struggle to find the cuckoo in the nest. Microsoft may feel that it has secured a minor victory against malicious intent, but the war against cybercrime has a long way to go.

-McAfee Cloud Security