The machine, triggered by a virus hidden in its hard drive, began searching across the Web for another computer.
The laptop, supposedly in pristine, super-fast, direct-from-the-factory condition, had instantly become part of an illegal, global network capable of attacking websites, looting bank accounts and stealing personal data.
For years, online investigators have warned consumers about the dangers of opening or downloading files emailed to them from unknown or suspicious sources. Now, they say malicious software and computer code could be lurking on computers before the bubble wrap even comes off.
Microsoft investigators find Nitol
The shopper in this case was part of a team of Microsoft researchers in China investigating the sale of counterfeit software. They suddenly had been introduced to a malware called Nitol.
The incident was revealed in court documents unsealed Thursday in a federal court in Virginia. The records describe a new front in a legal campaign against cybercrime being waged by the maker of the Windows operating system, which is a big target for viruses.
The documents are part of a computer fraud lawsuit filed by Microsoft against a web domain registered to a Chinese businessman named Peng Yong. The company says it is a major hub for illicit Internet activity.
The domain is home base for Nitol and more than 500 other types of malware, making it the largest single repository of infected software that Microsoft officials have ever encountered.
Peng, the owner of an Internet services firm, said he was not aware of the Microsoft lawsuit but he denied the allegations and said his company does not tolerate improper conduct on the domain, 3322.org. Three other unidentified individuals accused by Microsoft of establishing and operating the Nitol network are also named in the suit.
Nitol quickly copies itself, spreads
Patrick Stratton, a senior manager in Microsoft’s digital crimes unit, and his colleagues found Nitol to be highly contagious. They inserted a thumb drive into the computer and the virus immediately copied itself onto it. When the drive was inserted into a separate machine, Nitol quickly copied itself on to it.
Microsoft examined thousands of samples of Nitol, which has several variants, and all of them connected to command-and-control servers associated with the 3322.org domain, according to the court records.
37 million contacts blocked
U.S. District Judge Gerald Bruce Lee, who is presiding in the case, granted a request from Microsoft to begin steering Internet traffic from 3322.org that has been infected by Nitol and other malwares to a special site called a sinkhole.
From there, Microsoft can alert affected computer users to update their anti-virus protection and remove Nitol from their machines.
Since Lee issued the order, more than 37 million malware connections have been blocked from 3322.org, according to Microsoft.
