News

'Kneber' Botnet Hits 2,500 Orgs Worldwide

• By Ben Bain
• 02/19/2010

Approximately 75,000 computer systems at roughly 2,500 organizations worldwide -- including 10 U.S. government agencies -- have been caught in a massive global scheme to gather log-in credentials and steal data, according to the computer security firm NetWitness.

NetWitness discovered the "Kneber botnet," named for a user name that links the infected systems, in January during a deployment of the firm's monitoring solutions. The data discovered appears to be from one month of the botnet's operations, the firm said. Nearly 70,000 log-in credentials to e-mail systems, online banking sites and social networking sites, and 2,000 Secure Sockets Layer certificate files were found.

The discovery involved a server based in Germany, but there were 19 other command and control servers that could control the computers, said Eddie Schwartz, chief security officer for NetWitness, in a telephone interview. Other servers were based in Ukraine, Panama, China and the United States, he said. 

NetWitness's findings were first reported by The Wall Street Journal.

Schwartz said the organizations affected were predominately commercial, but he confirmed that 10 government agencies were also among those compromised by end user activities. Schwartz said the agencies were both military and civilian, but they aren't national security-related based on the data the firm has seen. He declined to name any of the agencies.

According to NetWitness, the five countries with the most compromised machines are Egypt, Mexico, Saudi Arabia, Turkey and the United States. However, the botnet spans 196 countries.

"This compromise, the scope of global penetration and the sheer magnitude of the collected data illustrates the inadequacy of signature-based network monitoring methods used by most commercial and public-sector organizations today," a NetWitness report on Wednesday stated.

The format and structure of the logged data indicate that a ZeuS Trojan botnet is being used for the exploits, the firm said. Perpetrators can use ZeuS to target specific information by capturing data from Web forms, identifying traffic before it is encrypted and picking out cookies, among other means, according to NetWitness.

Schwartz said machines can get infected with the botnet through classic techniques such as opening files with embedded malware or through Web sites injected with exploit kits. Meanwhile, NetWitness believes the botnet is ongoing, with some components of it remaining in full operation when last checked a few days ago, he added.

NetWitness has been in touch with the affected organizations and federal authorities regarding the botnet's discovery, Schwartz said. "Organizations do need to realize that there is a high level of what the military calls situational awareness [that] they need to apply to their network," he said.

"Just relying on the current countermeasures is just not cutting it, and certainly the government is aware of this. I mean the government, at least a lot of agencies, really are leading the way on a lot of this stuff," he added. "Maybe that's a good indicator too of why the government wasn't hit more heavily, who knows."

The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) doesn't comment on actual or alleged incidents. However, a DHS spokesperson said ZeuS is among US-CERT's top five reported malware infections.

According to US-CERT, the Kneber botnet is an adaptation of the ZeuS crimeware kit and the organization has received limited reporting of possible infections, the spokesperson said. US-CERT is analyzing malicious code, tactics and techniques used by the botnet and the organization has shared its technical understanding of this attack with the federal and private sectors, the official said.

Meanwhile, US-CERT released an updated Situational Awareness Report on ZeuS activity on Feb. 3. The release of that report and heightened awareness contributed to a minimization of infection rates at government agencies, the spokesperson said.