As mentioned in our previous post, Microsoft's study [PDF] behind Operation b70 found that PC consumers might be at risk of malware infection even with brand new computers, if the computers come pre-installed with counterfeit versions of Windows software. This is what happened to some consumers in China who purchased their computers from an untrusted supply chain. A staggering 4 out of 20 machines were found to be infected with malware, and one of those infectors was Nitol.

MMPC's infection figures for Win32/Nitol reflect the Microsoft study, placing China on the top spot with a whopping 31.60%, way above the United States (18.51%) and Taiwan (16.79%). Thailand and Korea round out the top five. The complete list is shown below in Figure 1:

Figure 1 - Top 10 countries with Win32/Nitol detections (January to October 2012)

We've had detection for Win32/Nitol as early as December 2010, though the chart in Figure 1 shows its prevalence report from January 2012 to present. Figure 2 shows the global daily volume report from the same period. As seen in Figure 2, there was a significant infection increase starting mid-April, followed by a smaller rise. We improved the detection to have even better coverage after the takedown, which explains at least part of the spike in the later part of September.

Figure 2 – Win32/Nitol daily report volume from the top four countries (January 2012 to October 2012)

DDoS:Win32/Nitol.A and DDoS:Win32/Nitol.B variants were the most active, comprising 99% of the combined Win32/Nitol family detection. Thus, they were the variants most directly affected by the takedown. As shown in Figure 3, Win32/Nitol detections rose sharply from April to early September. Then, after the takedown, detection reports promptly fell.

Figure 3 – Monthly report volume for Win32/Nitol (January 2011 to October 2012)

The MSRT effect

This month's MSRT included two prevalent families - Win32/Onescan, which is a Korean rogue security software family, and Win32/Nitol. Within the first two days of the MSRT release, Win32/Onescan was the top family detected and cleaned by the MSRT tool, while Win32/Nitol took the 9th spot.

After one week of report monitoring, while Win32/Onescan was still on top and had been cleaned from almost 1,000,000 machines, Win32/Nitol had slipped to the 11th spot, having been removed from over 36,000 machines.

Win32/Nitol's numbers are within our expectations. The recent takedown, which disrupted a large percentage of Win32/Nitol's C&C (command and control) infrastructure, is a big factor in explaining why Win32/Nitol's prevalence has been dropping considerably.

Figure 4 – MSRT top 10 families

Figure 4 – MSRT top 15 families after one week

Rex Plantado
MMPC Vancouver