Dangerous new botnet is attacking 75,000 systems

18 Feb 2010

A dangerous new ZeuS botnet is attacking 75,000 systems in 2,500 organisations around the world. Dubbed the ‘Kneber botnet’, the virus gathers login details for online banks, social networks and web mail.

According to threat detection player NetWitness, the botnet gathers the login credentials to these online sites and reports the information to cyber thieves who can break into accounts, steal corporate and government information and replicate personal, online and financial identities.

NetWitness says it first discovered the Kneber botnet in January during a routine data patrol.

A look into the Kneber botnet

Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social-networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals, including complete dumps of entire identities from victim machines.

“While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organisations pales in comparison to this single botnet,” said Amit Yoran, CEO of NetWitness and former director of the US National Cyber Security Division.

“These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organisations across the globe.

“Conventional malware protection and signature-based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats.

“Organisations which focus on compliance as the objective of their information security programs and have not kept pace with the rapid advances of the threat environment will not see this Trojan until the damage already has occurred. Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks.”

Purpose of botnet

Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information, but that viewpoint is naive, said Alex Cox, principal analyst at NetWitness responsible for uncovering the Kneber bot.

“When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS and consider more diverse mission objectives.”

More than half the machines infected with Kneber also were infected with Waledac, a peer-to-peer botnet. The co-existence of ZeuS and Waledac suggests the goals of resilience and survivability and potential deeper cross-crew collaboration in the criminal underground.

“It is 100pc certain that many organisations have no idea they are victimised by these types of problems because they’re just not tooled to see them on their networks,” said Cox.

“The Kneber botnet is just one category of advanced threat that organisations have been facing the past few years that they are still largely ignorant or blind to today,” he said.

By John Kennedy

Photo: The Kneber botnet has attacked thousands of organisations around the globe, threat detection player NetWitness reported

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years