This latest mass infection is through a vector I really don’t understand, see as though you can legitimately download Windows 7 from Microsoft.

I guess people just prefer BitTorrent downloads to HTTP downloads, and whoever had this smart idea capitalized on that.

Microsoft should perhaps do something about that and put out a legitimate BitTorrent copy. I guess the problem is updates, once it’s out there and people are seeding it’s out there for good and it’s not necessarily the latest build.

A Trojan buried within counterfeit copies of Windows 7 RC was used to build a botnet of compromised PCs. The tactic emerged after researchers from security firm Damballa shut down the command and control servers used to control the system, reckoned to have drafted thousands of Windows PCs into its compromised ranks. Damballa reckons malicious hackers distributed the malware by hiding it within counterfeit copies of pre-release versions of Microsoft’s next operating system on offer through BitTorrent. Damballa reckons that the pirated package was released around 24 April. By 10 May, when security researchers effectively curtailed the operation, as many as 552 new users were becoming infected per hour as a result of the attack.

It seems like the infection rate for this trojan has been pretty sharp, with 552 new users per hour that’s over 13,000 new infections per day adding up to almost 100,000 in one week.

The Command and Control center for the botnet has been taken offline though on May 10th so it’s rendered pretty useless since then.

I guess they should have built a more robust control mechanism like Conficker.

“Since the pirated package was released on 24 April, my best guess is that this botnet probably had at least 27,000 successful installs prior to our takedown of its CnC [command and control] on 10 May,” Tripp Cox, vice president of engineering at Damballa, told eWeek. Since Damballa’s intervention, users installing the pirated version of Windows 7 RC are outside the control of the botmaster hackers running the attack. However, users who were compromised prior to 10 May remain within the ranks of the zombie drones controlled by the unidentified hackers. Trend Micro identifies the Trojan featured in the attack as DROPPER-SPX. Burying backdoors in counterfeit code is a popular tactic among crackers witnessed many times over the years with pirated copies of Microsoft applications and, more recently, with pirated versions of iWork ’09 for Apple Mac machines. In the case of the latest attack, prospective Windows 7 RC users get infected before they have a chance to install anti-virus tools, many of which are yet to support Windows 7 anyway.

You can check out the details on Trend Micro blog here.

If you want to get hold of Windows 7 you can just go directly to the Microsoft site here.

Source: The Register