Microsoft Crimes Unit: Insecure Supply Chains, Pre-infected Hardware News

Microsoft Crimes Unit attorneys today announced a break in their case against hackers embedding and infecting computers pre-sale — at manufacturing or middleman level. Really? Tom Ewing has more. Lots more investigating to do here, but this is the most clear and comprehensive coverage of this odd and long-running story I’ve seen yet.

Microsoft has for years been pursuing hackers dogging it with malware, but this week a Microsoft lawyer from the giant’s Digital Crimes Unit announced in a blog post that supply chains and middlemen are vulnerable to malware-equipped criminals, too.

And it’s doing something about it. There were new developments on this story today, which we’ve been following for you.

Bottom line: Microsoft Crimes Unit officials say it is possible to buy a brand new but pre-infected computer. It may even be common, though that claim needs more backing than Microsoft’s long investigation into the issue has so far supplied. Microsoft bases this latest claim on one study, in which reps purchased 20 computers from a Chinese retailer and found that at least one, and perhaps as many as four, were pre-infected. One was infected with the Nitol virus. In a related arena, Microsoft is arguing in at least two federal courts that hackers — John Does going by hacker handles — are infecting tech at the manufacturing level.

Microsoft in a blog today said it won permission from a federal court to disrupt the malware on infected computers in the wild and, presumably, in manufacturing.

What does disrupt mean exactly? MS reps were not available for comment. Read the blog below — and today’s court ruling, which MS says supports its so-called Operation b70 to take down malware makers. Find the court ruling below the fold.

Microsoft’s Richard Domingues Boscovich, Assistant General Counsel of the Microsoft Digital Crimes Unit, today wrote this in a Microsoft blog post:

Earlier this week, the U.S. District Court for the Eastern District of Virginia granted Microsoft’s Digital Crimes Unit permission to disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people. Codenamed “Operation b70,” this legal action and technical disruption proceeded from a Microsoft study, which found that cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers. In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet, our second botnet disruption in the last six months. Read FULL POST HERE.

Microsoft has also accused some of the defendants of selling Zeus “builder kits,” which it says go for $700 to $15,000, depending on features and customizations. These kits contain software that enables other defendants to generate executable botnet code, configuration files, and web server files that they deploy on command and control servers.

The complaint names some 39 John Does because the defendants’ legal names could not be determined when the case was filed. A few of the defendants have come forward, and the plaintiffs settled with two of them, Yevhen Kulibaba and Yuriy Konovalenko, in late August.

Microsoft said its study — a group of studies, from the way Microsoft describes them — revealed 500 strains of malware in addition to the Nitol find from its purchase of 20 PCs in China, mentioned above. And the bad boys it’s suing — the John Does in the two cases embedded below — are the real target, anyway.

Our security expert Eric Finkenbiner, who works in IT at the Department of State and is based in Rangoon, had this to add: “All it takes is one smart nerd with a botnet and a day job at one of these manufacturers. Even though (some) suggest that counterfeit software (installed) by the manufacturer is to blame, I can’t see any reason why a determined individual working at a hardware company couldn’t embed malware from the source.”

That said, our security and senior tech editor Eric Finkenbiner added that we should be careful not to overstate this story, as inside security folk have been dealing with these issues for years. Take the issues Microsoft historically has faced regarding piracy in China. “Maybe we shouldn’t be manufacturing our stuff there.”

There’s a thought. Without total control over incidents like hackers embedding malware at the production level, you’ve got another question aching for an answer: what of industrial espionage?

Bottom line: Microsoft’s Digital Crimes Unit thinks a middleman between your computer’s manufacturer and you might have put something on your machine. I’ll continue to follow this story. For aNewDomain.net, I’m Tom Ewing.

http://www.microsoft.com/en-us/news/videos/videodetail.aspx?uuid=e7f50631-94b0-45a6-9bac-ec902c52f9a9

In its complaint, Microsoft claims that the defendants have predominantly used their Zeus botnets to infect over 13 million computers on the Internet, which were then used to steal over $100 million during the past five years.

Read the full complaint, Supplychain Complaint (MS v Does), below the fold.

About the author

Tom Ewing

Based in San Francisco, Tom Ewing leads our legal coverage here at aNewDomain.net. He is also a commercial lawyer specializing in intellectual property and the founder of avancept.com. IAM Magazine has named Tom one of the world’s top 250 IP strategists each year since 2009. Email him at Tom@aNewDomain.net. He’s +Tom Ewing on Google+.