Nitol Infections Fall, But Malware Still Popping Up

When Microsoft went after the Nitol botnet in September, one of the key details in the investigation was the fact that much of the botnet was built by pre-loading malware onto laptops during the manufacturing process in China. This was the clearest case yet of the phenomenon of certified pre-owned devices making their way through the supply chain and into the market. As it turns out, nearly half a million of those infected machines showed up here in the U.S.

Research from Microsoft into the location of the Nitol-infected machines shows that the largest share of them is in China, nearly 800,000 machines. That is more than 30 percent of all of the systems on which Microsoft detected the Nitol malware, and the company said that about one in every five machines purchased in China through the compromised supply chain had malware on it.

Although the number of infected systems in the United States wasn’t nearly as high as in China, Microsoft did find nearly 500,000 PCs in the U.S. loaded with Nitol, a pretty significant volume of infections.

“MMPC’s infection figures for Win32/Nitol reflect the Microsoft study, placing China on the top spot with a whopping 31.60%, way above the United States (18.51%) and Taiwan (16.79%). Thailand and Korea round out the top five,” said Rex Plantodo of the Microsoft Malware Protection Center.

Microsoft began looking into the Nitol botnet more than a year ago after buying 20 laptops in China and discovering that some of them had been pre-loaded with the Nitol malware, as well as a few other pieces of malicious software. Nitol is a nasty bit of code with quite a list of malicious capabilities: it has rootkit functionality and can also launch DDoS attacks on orders from a remote command-and-control server.

Microsoft’s takedown of Nitol disrupted much of the botnet’s operations, but it didn’t completely eliminate it. The company’s detections show a major drop in Nitol infections since September, but there are still more than 200,000 infections in October.