Botnet Strikes 2,500 Organizations Worldwide

Kneber, a ZeuS Botnet Variant, Said to Infect 75,000 Systems
The highly publicized attack against Google and 30 other businesses late last year represents a small fraction of assaults on corporate and governmental systems, according to a new analysis published Thursday.

A newly discovered infestation dubbed Kneber, a variant of the ZeuS botnet, has affected 75,000 systems in 2,500 organizations worldwide, according to NetWitness, a provider of persistent threat detection and network forensics products. NetWitness said an investigation it began last month revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials; access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials; 2,000 SSL certificate files; and dossier-level data sets on individuals, including complete dumps of entire identities from victim machines.

NetWitness said it labeled the new botnet Kneber after the username linking the infected systems worldwide. Kneber, according to NetWitness, gathers login credentials to online financial systems, social networking sites and e-mail systems from infested computers and reports the information to miscreants who can use it to break into accounts, steal corporate and government information and replicate personal, online and financial identities.

Amit Yoran, NetWitness chief executive officer, said the Operation Aurora attacks on Google and others pale in comparison to a single botnet, which sheds light on advanced threats from adversaries. "These large-scale compromises of enterprise networks have reached epidemic levels," Yoran, the onetime director of the Department of Homeland Security's National Cybersecurity Division, said in a statement. "Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks."

Alex Cox, the NetWitness principal analyst who the company said uncovered Kneber, said many security analysts classify ZeuS solely as a Trojan that steals banking information, a viewpoint he characterizes as naïve because other types of data also were exposed.

Cox said more than half the machines infected with Kneber also were tainted with the peer-to-peer Waledac botnet. He said the coexistence of ZeuS and Waledac suggests the goals of resilience and survivability, and potentially deeper cross-crew collaboration in the criminal underground.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
