Discovery of a Zeus botnet that has cached the data of 75,000 systems that could affect 2,500 organisations described as not uncommon

News by Dan Raywood

A highly organised group of hackers are responsible for the reported discovery of a cache of stolen data harvested by the Zeus botnet.

A highly organised group of hackers are responsible for the reported discovery of a cache of stolen data harvested by the Zeus botnet.

Reports emerged from vendor NetWitness yesterday that its analysts had discovered a dangerous new Zeus botnet affecting 75,000 systems in 2,500 organisations around the world.

Calling it the ‘Kneber botnet', after the username that linked the infected systems worldwide, it said that it gathers login credentials from online financial systems, social networking sites and email systems from infested computers and reports the information to miscreants.

NetWitness said that it first discovered Kneber in January during a routine deployment of the NetWitness advanced monitoring solutions. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials.

There were also 2,000 SSL certificate files and dossier-level data sets on individuals including complete dumps of entire identities from victim machines.

Alex Cox, principal analyst at NetWitness, who was responsible for uncovering Kneber, said that to classify Zeus as a Trojan that steals banking information is simply naïve.

He said: “When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as Zeus and consider more diverse mission objectives.

“It is 100 per cent certain that many organisations have no idea they are victimised by these types of problems because they are just not tooled to see them on their networks. The Kneber botnet is just one category of advanced threat that organisations have been facing the past few years that they are still largely ignorant or blind to today.”

Commenting, William Beer, director of OneSecurity at PricewaterhouseCoopers, said: “This is the latest in a string of similar attacks carried out by a highly organised group of hackers, showing the rising level of sophistication in cyber crime. Companies need to consider conducting a risk assessment to establish the size, number, nature and source of the attacks, gauge the vulnerabilities and assess the resulting impact on their business. It is a boardroom issue.”

Mary Landesman, senior security researcher at ScanSafe, commented that while labelled as Kneber it is still Zeus that has been active on the web for over a year.

Landesman said: “Zeus malware is known for browser traffic sniffing, intercepting post data and keystrokes associated with the active browser session, as well as clipboard data passed to the browser. Zeus malware also typically disables firewalls and other security software on infected systems, as well as blocking access to security vendor websites and services.

“In 2009, malware associated with Zeus accounted for one per cent of all ScanSafe web malware blocks for the year.”

Symantec's Kevin Haley commented that as Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strains, such as Kneber, of the overall Zeus botnet.

He said: “Though it is true that this Kneber strain of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, Symantec customers with up-to-date security software should already be protected from this threat.”

Security blogger Brian Krebs echoed Haley's thoughts, claiming that the botnet is neither unusual nor new, as over the past few years the number of distinct Zeus botnets has hovered in the hundreds.

He said: “True, not every distinct Zeus botnet has 75,000 infected machines in its thrall, but that is actually not all that rare, and some have far more systems under their control. Last summer, I wrote (when Krebs was at the Washington Post) about a Zeus botnet of roughly 100,000 infected systems whose overlords (or enemies) exercised the ‘kill operating system' feature built into the botnet code, instructing all of the infected computers to render themselves unbootable and for all purposes unusable by either the bad guys or the rightful owners of the machines.

“Take a peek inside any monster piles of purloined data these botnets turn in each day and chances are you will find similar victims as detailed in the Kneber write-up: infected computers at dozens of government, military and educational institutions, as well as many of the world's top corporations.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews