Microsoft SIRLess than a month after the Nitol botnet takedown, Microsoft has released data casting more scrutiny of supply chain security. In its latest Security Intelligence Report (SIR) for the first half of 2012, Microsoft has connected the most prevalent malware families involved in supply chain compromises, including malicious add-ons pre-installed on PCs by manufacturers, as well as pirated software available on peer-to-peer networks, and music and movie downloads.

Nitol was Microsoft’s second major botnet takedown of the year. Microsoft began its investigation of Nitol more than a year ago after it found Nitol-related malware on PCs built in China running counterfeit versions of the Windows operating systems. Microsoft was able to take over more than 70,000 sub-domains hosting the botnet, which was backed by more than 500 different malware strains.

In the SIR, Microsoft reports hackers are hitting supply chains in one of two ways: one is a more traditional method of infecting networks with malware bearing file names matching popular downloads; another is the presence of what Microsoft calls indicator families on machines compromised by file-sharing or an unsecure supply chain.

The most common threat was Win32/Keygen, a key-generator utility distributed with software packages that are moved on torrent sites or other file-distribution avenues. Users run the key-generator which creates a product key required during installation; this enables the pirated software to run illegally. Microsoft said Keygen was found in 105 countries, and was a top 10 malware family in 98 percent of those countries. It was found bundled with numerous popular pirated software packages, including Adobe Photoshop, Call of Duty 4, Guitar Pro and other well-known titles.

“Installing pirated software bears significant risks. In many cases, the distributed packages contain malware alongside (or instead of) the pirated software, which takes advantage of the download and install process to infect the computers of users who download the bundles,” the report said.

Microsoft also discovered such indicator families of programs bundled with titles for freely available software such as Skype, free security software, or Adobe Flash Player; 35 different threat families were distributed with the file name install_adobeflash.exe, for example. Popular movie and music titles are also in play for these indicator families. The most prevalent ones spotted in those schemes, Microsoft said, were Win32/Sirefef, Bancos and FakeRean.

Microsoft also discovered that scams mostly carried out in Russia, Ukraine and in Western Asia, would trick users into downloading and paying for free software package; it said the Win32/Pameseg family of malware was bundled in those campaigns. The malware instructs the user to send a SMS message to a premium number to install the program.

Other indicator families identified in the report as part of such bundles are Win32/Gendows (bundled with phony Windows 7 and Vista installations); Win32/Patch (a patch that promises to remove limitations from evaluation copies of software); Win32/Wpakill (supposed bypass for product activation checks put in place by Microsoft).

 “Computers reporting detections of the six indicator families have a higher malware detection rate than those that don’t,” the report said, adding for example that 76 percent of computers reporting Keygen detections also reported detections of other threat families.

Microsoft also identified the top five pieces of malware found on computers compromised on the supply chain coupled with these indicator families. The percentage of compromised computers rose for each malware family except for Blacole, which is a detection for the Blackhole exploit kit. Infections for others such as Autorun, Pornpop, Obfuscator and Dorkbot grew almost a full percentage point in most cases.

Microsoft recommends enterprises carefully scrutinize hardware and software procurement and install clean operating system images upon delivery. It also recommends blocking peer-to-peer applications and creating clear acceptable use policies for users.

Categories: Microsoft

Comment (1)

  1. f0real
    1

    Just FYI, there are still Nitol variants strongly out in the wild. All Microsoft did was take control of 3322.org.

    Nitol is not a single botnet, so they can’t just “shut it down” in the normal sense.

    If you don’t believe me, look on VirusTotal. You will find many new nitol malware files submitted even after the supposed “takedown”.

Comments are closed.