Pity the poor cyber criminal -- there are only so many ways to spread maliciousness without getting caught. One avenue, at least, doesn't require phishing emails or drive-by downloads. I'm talking about hardware infected before it ships to users or PC sellers.
In recent court filings and a white paper (PDF), Microsoft revealed that four of 20 brand-new computers bought in China contained malware out of the box. Each of the four contained different strains of malware. When the new computers were turned on, the malware activated and, in some cases, tried to dial "home" to command-and-control servers.
Although this particular incident involved only Chinese computers, which would purportedly be sold primarily to Chinese buyers, the findings could be applied to any other country. Plenty of new computer products -- not just PCs -- have been sold in the United States that arrived with a pre-installed malicious infection. Over the last decade, there have been acute breakouts among products that had computer viruses and worms pre-installed, including digital picture frames.
What Microsoft discovered is that electronics manufacturers' products were being compromised by insecure supply chains. In most cases, the manufacturers were buying, either knowingly or unknowingly, low-cost counterfeit software loaded with malware. Once the counterfeit software is installed, it's ultimately delivered to unsuspecting consumers.
Under its Active Response for Security program, Microsoft was able to determine that some of the malware strains were dialing back to a parent domain, 3322.org, long known to host malware. Microsoft found "a staggering 500 different strains of malware hosted on more than 70,000 subdomains." The company successfully filed a court order on September 10, took control of the malicious domain, and named its owner "Peng Yong, his company, and other John Does" as defendants.
How can you protect yourself? The real answer is you can't. You can never be assured that any computer device you buy is completely harmless and only ever does what the buyer intends it to do.
But certainly buying reputable brands and avoiding lowest-cost manufacturers could help decrease risk from this particular type of attack. Luckily, these types of attacks are exceedingly rare, especially when compared to the already highly successful malware campaigns that make up the majority of computer-based exploitations today.
Microsoft's discovery is a big win for the good guys. But it also shows the lengths that cyber criminals will go to in order to exploit people. You no longer need to visit malware-hosting websites or open malicious emails. All you need to do is buy a brand-new device that turns out to be, as car dealerships like to say, "pre-owned."
Full disclosure: I work for a different security research team at Microsoft.
This story, "Brand-new hardware -- now with malware pre-installed!," was originally published at InfoWorld.com.