WASHINGTON — A customer in Shenzhen, China, took a new laptop out of its box and booted it up for the first time. But as the screen lit up, the computer began taking on a life of its own. The machine, triggered by a virus hidden in its hard drive, began searching across the Internet for another computer.
The laptop, supposedly in pristine, superfast, direct-from-the-factory condition, had instantly become part of an illegal, global network capable of attacking websites, looting bank accounts and stealing personal data.
The shopper in this case was part of a team of Microsoft researchers in China investigating the sale of counterfeit software. They had suddenly been introduced to a piece of malware called Nitol. The incident was revealed in court documents unsealed Thursday in a federal court in Virginia. The records describe a new front in a legal campaign against cybercrime being waged by the maker of the Windows operating system, the biggest target for viruses.
The documents are part of a computer fraud lawsuit filed by Microsoft against a Web domain registered to a Chinese businessman named Peng Yong. The company says it is a major hub for illicit Internet activity. The domain is home base for Nitol and more than 500 other types of malware, making it the largest single repository of infected software that Microsoft officials have ever encountered.
What emerges most vividly from the court records and interviews with Microsoft officials is a disturbing picture of how vulnerable Internet users have become, in part because of weaknesses in computer supply chains. To increase their profit margins, less reputable computer manufacturers and retailers may use counterfeit copies of popular software products to build machines more cheaply, leaving openings for cybercriminals.
"They're really changing the ways they try to attack you," said Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft's digital crimes unit.
More than Microsoft's image is at stake when counterfeit products are tainted by malware that spreads so rapidly, he said. "It's now become a security issue," he said.
Patrick Stratton, a senior manager in Microsoft's digital crimes unit, and his colleagues inserted a thumb drive into the computer made in China and Nitol immediately copied itself onto it. When the drive was inserted into a separate machine, the virus quickly copied itself onto it.
Microsoft examined thousands of samples of Nitol, which has several variants, and all of them connected to command-and-control servers associated with the 3322.org domain, run by Peng, according to the court records.
"In short, 3322.org is a major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people worldwide," Microsoft said.
U.S. District Judge Gerald Bruce Lee, who is presiding in the case, granted Microsoft's request to begin steering Internet traffic between 3322.org and computers infected by Nitol and other malware to a site called a sinkhole. From there, Microsoft alerts affected computer users to update antivirus protections and remove Nitol from their machines.
Since Lee issued the order, more than 37 million malware connections have been blocked from 3322.org, Microsoft says.