A spokeswoman told the BBC that the culprit was further down the supply chain, likely a "distributor, transporter or reseller."
Microsoft investigators bought several PCs, desktops and laptops from stores in different cities in China and found that 20% were already infected with the Nitol botnet. The software giant had been looking into reports of pirated Windows software being installed on machines, and found that cybercriminals were infiltrating insecure supply chains to introduce malware. Where in the supply chain, Microsoft did not specify.
After a PC rolls off the line at the factory, it is then sent on to a Microsoft distributor – who often works at the behest of the Samsungs and the Dells of the world – to be populated with the Windows operating system software. It may then be delivered to a different software distributor to be loaded with whatever native apps the OEM is including in its offer, or it may be sent to a reseller’s production facility to be loaded with differentiating programs and applications specific to that reseller’s offering. Then, it is packaged and delivered to the warehouse for shipping. At any of these points, a less-than-scrupulous operator would have the opportunity to introduce malware.
The discovery sparked legal action and a technical offensive from Microsoft to seize control of a Chinese domain, 3322.org, which was found to be hosting the command-and-control servers for Nitol and other malware. Microsoft won its case and now filters the domain's traffic, passing legitimate data through while blocking the traffic generated by the viruses.
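A defender who reads this can do a simpler version of the same filtering on their own network: look through DNS resolver logs for any lookup that resolves under the sinkholed domain. The script below is an added example, not code from the article or from Microsoft; it assumes a log line format of "timestamp client-ip query name" and runs over a handful of constructed log lines, matching the exact domain and its subdomains while leaving look-alike names such as "not3322.org" alone.

```python
import re
from typing import List, Tuple

# Domain the article names as hosting the Nitol command-and-control servers.
SINKHOLED_DOMAIN = "3322.org"

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<timestamp> <client-ip> query <queried-name>"
SAMPLE_DNS_LOG = """\
2012-09-13T10:01:02Z 10.0.0.15 query www.example.com
2012-09-13T10:01:05Z 10.0.0.15 query abc.3322.org
2012-09-13T10:01:09Z 10.0.0.22 query mail.example.net
2012-09-13T10:01:11Z 10.0.0.22 query UPDATE.3322.ORG.
2012-09-13T10:01:14Z 10.0.0.31 query not3322.org
2012-09-13T10:01:20Z 10.0.0.31 query 3322.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")


def normalize(name: str) -> str:
    """Strip a trailing root dot and lower-case the name so comparisons are stable."""
    return name.rstrip(".").lower()


def is_under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (label-boundary aware)."""
    name, domain = normalize(name), normalize(domain)
    return name == domain or name.endswith("." + domain)


def flag_queries(log_text: str, domain: str = SINKHOLED_DOMAIN) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, name) for every lookup under the given domain."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        if is_under_domain(match["name"], domain):
            hits.append((match["ts"], match["client"], normalize(match["name"])))
    return hits


def clients_by_hit_count(hits: List[Tuple[str, str, str]]) -> List[Tuple[str, int]]:
    """Rank client IPs by how many flagged lookups they made, busiest first."""
    counts: dict = {}
    for _, client, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = flag_queries(SAMPLE_DNS_LOG)
    for ts, client, name in found:
        print(f"{ts} {client} -> {name}")
    print("clients:", clients_by_hit_count(found))
```

The suffix check is done on a label boundary ("." + domain) rather than with a bare string suffix, which is what keeps "not3322.org" out of the results; the same check applied to a resolver's real query log gives a list of hosts worth pulling for inspection.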
Nonetheless, the case highlights a new vector for cybercrime: hidden, “native” malware capable of logging keystrokes or stealing passwords on behalf of underground criminals would be very difficult for the average consumer, who trusts that a machine fresh out of the box is safe, to detect and remove.