Nitol versus Michelangelo: the supply chain is much more than the production line.
Back in the Dark Ages – well, ok, the 1990s – I was responsible for anti-virus administration (among other things) for a medical research charity called Imperial Cancer Research Fund (now Cancer Research UK) in London. One day in 1992 a couple of brand new PCs arrived on my desk in the IT unit (one for me, as it happened). It felt a bit strange to be following my own rules about scanning factory-fresh kit and installing AV, but having implemented a procedure, I felt obliged to follow it. Perhaps it was as well, since both machines turned out to be infected with the infamous Michelangelo. Disinfecting them was trivial of course, even though we didn’t use an ESET product. ;-)
But naturally, my next job was to contact the supplier and tell them they had a problem. Amusingly, they sent me a copy of Symantec’s one-shot cleaner for Michelangelo, which of course I didn’t need because I was responsible for administering a full-strength AV solution, and if I hadn’t known how to fix it, I probably wouldn’t have found it. That was neither the first nor the last time that an infection found its way into the world via a production line: consider, for example, the Welcome Datacomp trojanized keyboard, the WM/Concept macro virus, and so on. (The anchor chain in the photo is from the Museu de Marinha (Maritime Museum) in BelÃ©m, Lisbon, by the way.)
Nowadays, though, it’s far more complicated. In this case the malware is capable of spreading via USB devices, Quite a few media sources (Metro, the Guardian, the BBC) are assuming that the Nitol botnet currently getting a good kicking and lots of analysis from Microsoft is also a case of an infected system coming off a production line but they’re making an unsafe assumption. There’s a lot more to a supply chain than the production line. The number of entry points for the insertion of malicious software is so much greater, right up to the time the system hits the customer’s desk. (Without even thinking of the possibilities once the customer boots up for the first time.)
This isn’t just a known factory-specific attack like the Rakshasa Proof of Concept attack, but an attack delivered via unsecured supply chains, which means anywhere from the factory that assembled the PC (potentially even before that, if the factory sources components from outside, though I don’t know how often PC factories buy in pre-imaged hard disks) to the retailer from whom the customer received it, and also includes wholesalers (and even transport providers, in theory). More often than not the customer doesn’t know much about the manufacturing origins of the system he buys, let alone the supply chain by which it reaches him.
Here’s a switch: instead of Kevin Townsend quoting me, as he sometimes does in Infosecurity Magazine, I’m going to quote him from a conversation we had this morning, because he was right on the money:
Microsoft’s b70 report doesn’t specify where it purchased the computers. An associated blog post says just, we discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with harmful malware. Consequently, we don’t know whether the retailers were mainstream high street’ shops that we might automatically trust, or back street second-hand market-stalls that should be distrusted anywhere in the world. The point, however, is clear: if you cannot trust your supply chain, you cannot trust your purchase.
Agreed, totally. After all, the thing can work with a USB device that could have been inserted long after the system was assembled. If an imaged disk wasn’t actually protected before it was despatched – as presumably was the case here – intentional or inadvertent infection would be all too easy.
As Dan Raywood rightly says (yes, it’s another case of the source quoting the journalist!):
…if insiders are hitting the PCs before they are shrink-wrapped and bought by unassuming consumers, then this a huge problem. A lot of computers come bundled with a 30-day trial of anti-virus software, but if the malware is already on the computer before this is installed is there any chance of saving it?
For what it’s worth, I think Microsoft’s actions will have a significant effect, at least in the short term. The 3322.org domain was responsible for a lot of malware families on tens of thousands of domains, and disrupting that has to be quite a hit on those malware operations. It doesn’t mean that all the infected systems will become uninfected, but blocking communication with C&C will certainly draw the sting of its current payloads. But it doesn’t contribute much to securing those supply chains.
But lets think back a moment to a much older malicious program that’s been in the news lately, and much on my mind.
In a well-researched and considered article on Stuxnet, The Register’s John Leyden quotes Larry Constantine as saying that Stuxnet couldn’t have escaped into the wild because it only spread on internal networks (probably true) and via USB (which isn’t the same thing, but is certainly true). Clearly his conclusion is wrong, because Stuxnet certainly did find its way into the wild: not in the sort of numbers that would put it in anyone’s list of the top ten threats, but promiscuously enough to spread way beyond the Iranian sites we’re told it was targeting.
Actually, it doesn’t mean it wasn’t a worm either: Dominic Storey’s contention that Stuxnet was not like a worm. It was written for a specific platform and its vector for spreading was from laptop to laptop or USB drive – it didn’t rip through the cosmos,” makes an assumption about the nature of worms that isn’t widely held in the anti-virus industry.
If Nitol does nothing else, it suggests that USB devices remain a distinctly practical vector for infection. But then we already knew that: you’d think that the INF/Autorun attack mostly associated with such devices would have disappeared by now, after all Microsoft’s determined efforts to remove it from Windows as a dangerous default. Yet there it is, month after month, in our own top ten threat statistics, still putting its competitors into the shade. If the supply chain is insecure, USB remains a potent means of exploiting that insecurity.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow