Herndon (ip-192.com): Security researchers at Herndon, Va.-based NetWitness Corp. have discovered a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide. The newly discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials for online financial systems, social networking sites and email systems from infected computers and reports the information to cyber criminals, who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities.
The Wall Street Journal (WSJ) identified pharmaceutical company Merck & Co., Cardinal Health Inc., Paramount Pictures and Juniper Networks Inc. as some of the U.S. firms that had been infiltrated. Systems belonging to 10 government agencies were also penetrated in the attacks.
According to the WSJ, the attacks started in late 1998 and appeared to originate in Europe and China. Computers in as many as 196 countries have been affected, with many systems compromised after users clicked on phishing e-mails containing links to sites hosting malicious code. Most of the compromised systems appeared to be in Egypt, Mexico, Saudi Arabia, Turkey and the U.S., according to the WSJ.
NetWitness first discovered the Kneber botnet in January. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines.
According to the company, the botnet is a variant of the ZeuS botnet, which is known primarily for stealing banking credentials. More than half of the infected systems in the Kneber botnet also contained the competing Waledac Trojan, probably because those behind the attacks wanted to build some redundancy into their attacks.
"These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements like the Kneber crew quietly and diligently target and compromise thousands of government and commercial organizations across the globe. Conventional malware protection and signature-based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats," said Amit Yoran, CEO of NetWitness and former Director of the National Cyber Security Division. "Organizations … will not see this Trojan until the damage already has occurred. Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks."
"Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information," stated Alex Cox, the Principal Analyst at NetWitness responsible for uncovering the Kneber-bot, "but that viewpoint is naive. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS and consider more diverse mission objectives."
Over half of the machines infected with Kneber were also infected with Waledac, a peer-to-peer botnet. The coexistence of ZeuS and Waledac suggests the goals of resilience and survivability, and potentially deeper cross-crew collaboration in the criminal underground.