Giant botnet infiltrates 2,500 organisations
A network of 74,000 compromised PCs found stealing passwords, data and entire identities, according to a US security company
A botnet consisting of over 74,000 malware-infected PCs has accumulated a gigantic cache of stolen data, taken from over 2,500 businesses and government organisations across the world, a US security vendor claimed yesterday.
NetWitness found that the botnet, which it has dubbed ‘Kneber’, has over the past 18 months accumulated “68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines”, according to a company statement.
Interesting Links
Whitepaper from NetWitness describing the Kneber botnet (PDF, requires registration)
A Wall Street Journal report said that the affected companies included Paramount Pictures and Juniper Networks, as well as 10 US government agencies.
NetWitness said that the botnet is based on a notorious – and freely available – piece of malware called ZeuS. "Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information, but that viewpoint is naïve," said Alex Cox, a principal analyst at the company. Based on NetWitness’ analysis, he said, it is clear that ZeuS has a more diverse set of objectives and targets many more kinds of information than previously thought.
The company said that there is some evidence linking the botnet to criminal gangs in Eastern Europe, and that computers based in China may have been involved.
This is a variant of the well-known Zeus bot, otherwise known as Zbot. Once executed on the target machine, which becomes an infected bot, it downloads a configuration file from the C&C (Command & Control) server, which instructs the bot to capture the desired data.
It creates a hidden folder on the infected machine and drops a modified copy of itself there to avoid detection by security scanners.
The bot periodically uploads the captured data to the server and schedules an update of the configuration files, permitting the criminal hacker to change the bot's instructions.
Additionally, it disables the firewall on the target machine.
Rossano Ferraris, CA ISBU Research Team