One of the most concerning parts of the Microsoft news that emerged this week was that when it bought a number of computers from China, some came infected with the Nitol botnet.
This, it said, was down to "cyber criminals infiltrating unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people's computers".
We know that computers can become infected by users visiting malicious websites, by downloading malicious files or, as was the cause in this case, using infected removable media.
The investigation said that the supply chain between a manufacturer and a consumer becomes unsecure when a distributor or reseller receives or sells products from unknown or unauthorised sources. Operation b70 discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with malware.
The study by the Microsoft Digital Crimes Unit confirmed that cyber criminals preloaded malware in infected counterfeit software onto computers that are offered for sale to innocent people. In fact, 20 per cent of the PCs researchers bought from an unsecure supply chain were infected with malware.
Microsoft bought 20 PCs (ten desktops and ten laptops) from different cities in China and found that four of the computers were infected with malicious programs, despite being shipped directly from the factory.
Microsoft called these "unsecure supply chains", and if insiders are hitting the PCs before they are shrink-wrapped and bought by unassuming consumers, then this is a huge problem. A lot of computers come bundled with a 30-day trial of anti-virus software, but if the malware is already on the computer before this is installed, is there any chance of saving it?
Tom Newton, product manager at Smoothwall, said that most cyber attacks are swift, so this change in tactics is likely to be down to increasing defences and better educated users.
“The fact criminals are getting malware pre-installed is a worrying trend, pointing to them playing the long game,” he said.
Paul Davis, director of Europe at FireEye, said that attackers are "upping their game and taking cyber crime to the next astonishing level".
He said: “If the exploitation of supply chain vulnerabilities should become an emerging trend, it should be taken very seriously indeed, as the impact could be far-reaching, costly and destructive.
“When people buy a new PC, they often expect that machine to be secure out of the box. The fact that malware is being inserted at such an early stage in the product lifecycle turns this on its head and unfortunately means that no matter how discerning a user is online, their caution becomes irrelevant if that PC is already tainted.
“With so much effort placed on educating users about safety online, it is disturbing to think that we have now entered an age where your personal information could be exposed to hackers simply by purchasing a new computer from a supposedly trusted source and switching it on.”
David Harley, senior research fellow at ESET, said that it is possible for a system to be compromised at the factory, and not necessarily deliberately. It could happen anywhere in the factory that assembled the PC, and potentially even before that, if the factory sources components from outside.
He said: “I remember early in my anti-virus admin days, checking a couple of factory-fresh PCs for the IT department I worked in and discovering at first boot-up that they were already infected with Michelangelo.
“Not a big problem for us, but the supplier was mortified. Nowadays, though, it's far more complicated. In this case, the malware is capable of spreading via USB devices, so if an imaged disk wasn't actually protected before it was despatched - as presumably it wasn't - intentional or inadvertent infection would be all too easy.”
Harley said that the infection could have occurred at the factory, at the retailer from whom the customer received it, via the wholesalers or even the transport providers, and the fact is that the customer doesn't know much about the origins of the system he buys, let alone the supply chain by which it reaches him.
What is concerning here is the scale of the impact and how invisible it was to the user. You can add all the security software and plug-ins that you want, but if you are infected before you begin, you are facing an uphill struggle.