Nitol Botnet: You Will Never Break The Chain


Back in the Dark Ages – well, ok, the 1990s – I was responsible for anti-virus administration (among other things) for a medical research charity called Imperial Cancer Research Fund (now Cancer Research UK) in London. One day in 1992 a couple of brand new PCs arrived on my desk in the IT unit (one for me, as it happened). It felt a bit strange to be following my own rules about scanning factory-fresh kit and installing AV, but having implemented a procedure, I felt obliged to follow it. Perhaps it was as well, since both machines turned out to be infected with the infamous Michelangelo. Disinfecting them was trivial of course, even though we didn’t use an ESET product. ;-)

But naturally, my next job was to contact the supplier and tell them they had a problem. Amusingly, they sent me a copy of Symantec’s one-shot cleaner for Michelangelo, which of course I didn’t need because I was responsible for administering a full-strength AV solution, and if I hadn’t known how to fix it, I probably wouldn’t have found it. That was neither the first nor the last time that an infection found its way into the world via a production line: consider, for example, the Welcome Datacomp trojanized keyboard, the WM/Concept macro virus, and so on. (The anchor chain in the photo is from the Museu de Marinha (Maritime Museum) in Belém, Lisbon, by the way.)

Nowadays, though, it’s far more complicated. In this case the malware is capable of spreading via USB devices, Quite a few media sources (Metro, the Guardian, the BBC) are assuming that the Nitol botnet currently getting a good kicking   and lots of analysis from Microsoft is also a case of an infected system coming off a production line but they’re making an unsafe assumption. There’s a lot more to a supply chain than the production line. The number of entry points for the insertion of malicious software is so much greater, right up to the time the system hits the customer’s desk. (Without even thinking of the possibilities once the customer boots up for the first time.)

This isn’t just a known factory-specific attack like the Rakshasa Proof of Concept attack, but an attack delivered via unsecured supply chains, which means anywhere from the factory that assembled the PC (potentially even before that, if the factory sources components from outside, though I don’t know how often PC factories buy in pre-imaged hard disks) to the retailer from whom the customer received it, and also includes wholesalers (and even transport providers, in theory). More often than not the customer doesn’t know much about the manufacturing origins of the system he buys, let alone the supply chain by which it reaches him.

Here’s a switch: instead of Kevin Townsend quoting me, as he sometimes does in Infosecurity Magazine, I’m going to quote him from a conversation we had this morning, because he was right on the money:

Microsoft’s b70 report doesn’t specify where it purchased the computers. An associated blog post says just, we discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with harmful malware. Consequently, we don’t know whether the retailers were mainstream high street’ shops that we might automatically trust, or back street second-hand market-stalls that should be distrusted anywhere in the world. The point, however, is clear: if you cannot trust your supply chain, you cannot trust your purchase.

Agreed, totally. After all, the thing can work with a USB device that could have been inserted long after the system was assembled. If an imaged disk wasn’t actually protected before it was despatched – as presumably was the case here – intentional or inadvertent infection would be all too easy.

As Dan Raywood rightly says (yes, it’s another case of the source quoting the journalist!):

…if insiders are hitting the PCs before they are shrink-wrapped and bought by unassuming consumers, then this a  huge problem.  A lot of computers come bundled with a 30-day trial of anti-virus software, but if the malware is already on  the computer  before this is installed is there any chance of saving it?

For what it’s worth, I think Microsoft’s actions will have a significant effect, at least in the short term. The domain was responsible for a lot of malware families on tens of thousands of domains, and disrupting that has to be quite a hit on those malware operations. It doesn’t mean that all the infected systems will become uninfected, but blocking communication with C&C will certainly draw the sting of its current payloads.  But it doesn’t contribute much to securing those supply chains.

But lets think back a moment to a much older malicious program that’s been in the news lately, and much on my mind.

In a well-researched and considered article on Stuxnet, The Register’s John Leyden quotes Larry Constantine as saying that Stuxnet couldn’t have escaped into the wild because it only spread on internal networks (probably true) and via USB (which isn’t the same thing, but is certainly true). Clearly his conclusion is wrong, because Stuxnet certainly did find its way into the wild: not in the sort of numbers that would put it in anyone’s list of the top ten threats, but promiscuously enough to spread way beyond the Iranian sites we’re told it was targeting.

Actually, it doesn’t mean it wasn’t a worm either: Dominic Storey’s contention that Stuxnet was not like a worm. It was written for a specific platform and its vector for spreading was from laptop to laptop or USB drive – it didn’t rip through the cosmos,” makes an assumption about the nature of worms that isn’t widely held in the anti-virus industry.

If Nitol does nothing else, it suggests that USB devices remain a distinctly practical vector for infection. But then we already knew that: you’d think that the INF/Autorun attack mostly associated with such devices would have disappeared by now, after all Microsoft’s determined efforts to remove it from Windows as a dangerous default. Yet there it is, month after month, in our own top ten threat statistics, still putting its competitors into the shade. If the supply chain is insecure, USB remains a potent means of exploiting that insecurity.

ESET Senior Research Fellow

Author David Harley, ESET

  • Larry Constantine (Lior Samson)

    Actually, David, I was not claiming that Stuxnet did not escape into the wild, but that the particular scenario by which Sanger in his articles and book claimed the malware had escaped ranged from the highly implausible to the technologically impossible. The maps from Symantec suggest that the majority of infections were in closely related clusters that implied direct communication via intranet, VPN, or portable media (sneakernet). The software was never equipped for broad transmission and infection over the Internet.
    My point was that the media should not give a blanket pass to Sanger but be more credulous about the technical and political claims in his reportage. He clearly got some things very wrong, but mainstream media are ignoring the fact, which calls into questions his sources, their agenda, or his interpretation, understanding, and reporting about these.
    I am not and have never claimed myself to be an expert in networking or industrial security. I do have enough experience in industrial control systems (I helped Siemens design part of its STEP 7 series of PLC programming tools, the very tools that were compromised by Stuxnet) to know that Sanger's narrative is not believable.
    My IEEE Spectrum interview (thanks, Steven Cherry) was just about getting a more skeptical and incredulous view out there, to stimulate debate among experts, and hopefully get the mainstream media dogging the footsteps of journalists who claim to be reporting the inside truth on stories of international importance.
    I have been trying to raise awareness of the vulnerability of industrial control systems in general and critical infrastructure for a very long time through both my professional publications and fiction (e.g., Web Games). So my agenda goes considerably beyojnd Sanger and Stuxnet to the still broader issues.
    –Prof. Larry Constantine (pen name, Lior Samson)

    • David Harley

      Thanks for your comment, Larry. I understand that your primary concern was the media’s credulous assumption that Sanger’s assertions are gospel truth, and I think that’s right. I readily admit that I haven’t read his book, but the 2nd-hand summaries I’ve seen don’t suggest pinpoint accuracy in all respects. If you’ve read John Leyden’s article in the Register, you’ll probably accept that in most respects we – the ESET researchers who responded to John Leyden’s request for technical information – were broadly in agreement with you. We couldn’t say it was totally impossible for Stuxnet to spread across the internet, but we agreed that the Sanger scenario as you described it was unlikely. As for whether Stuxnet went feral, I guess I can see in the light of your comment that when you said “First of all, the Stuxnet worm did not escape into the wild” you probably meant it didn’t escape into the wild as per Sanger’s scenario, in which case you’re probably right. However, the Cherry interview clearly suggested that Stuxnet wasn’t widespread. That’s true in the sense that tens of thousands of infections for a single family doesn’t generally make much of a blip on the radar: we see far more samples in a single day than that. But in the sense that this was a single family rather than a highly generic detection like INF/Autorun, it’s a significant if transient blip. But its infective capabilities via USB probably account for that better than a speculative back-infection from a PLC, so we’re not really disagreeing about that. The point, as far as I’m concerned, is that in my industry, the difference between in the wild and not in the wild can be a lot less than the 100,000 infections cited by Symantec. (FWIW, we have figures that broadly agree with theirs: I just cited Symantec because that was the source you used.) I suspect that distinction is more important to me than it is to you: that doesn’t make either of us wrong, but it still has importance in this corner of the the security industry. I’m no more a SCADA expert than you are an AV expert (probably less!), but I understand enough to agree totally with your broader agenda. Perhaps the best thing about this discussion is that Leyden did actually go out of his way to get some considered opinion across a range of expertise, rather than uncritically quote a single source and maybe lift a couple of soundbites from elsewhere. If there are journalists who are actually prepared to do research, there’s some hope for both our agendas. :)

  • Larry Constantine (Lior Samson)

    Both you and Leyden over at the Register show professionalism and attention to detail at its best. I appreciate the reasoned and measured response. We'll see whether any of this skeptical re-examination ever makes it into the mainstream press.

Follow us

Copyright © 2017 ESET, All Rights Reserved.