Global Botnet Attack Hits Enterprise, Government PCs
Operating undetected for about a year, the criminals behind the cyberattack had control of more than 74,000 computers.
Over 74,000 personal, corporate and government computers at over 2,500 organizations around the world have been found to be zombies in the newly discovered "Kneber botnet."
Late last month, NetWitness, a computer security company headed by former DHS cybersecurity director Amit Yoran, discovered over 75 GB of stolen data as part of its routine enterprise analytics activities. The company says that the data turned out to be the product of a botnet of over 74,000 computers, that the malware used to create the botnet was recognized by less than 10% of antivirus software, and that the botnet's network communication was not recognized by existing intrusion detection systems.
More Services Insights
- Boost IT Visibility & Value with Service Catalog
- Enabling the delivery of high quality financial products and services
The cache of data represents a month of botnet data collection and the botnet is estimated to have been operating for about a year. The stolen data includes about 68,000 corporate logins to e-mail accounts, online banking accounts, Facebook, Hotmail, Yahoo accounts and other social networking sites. It also includes almost 2,000 SSL certificate files, which are used for activities like online banking or connecting to a VPN.
Merck, Cardinal Health, Paramount Pictures and Juniper Networks are among the companies believed to have been affected, according to a report in The Wall Street Journal.
Yoran suggests that this botnet makes Operation Aurora, the cyber attack directed at Google and 33 other companies last December, look insignificant. "While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet," he said in a statement. "These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe."
NetWitness says that the Kneber botnet was assembled using a variant of the Zeus Trojan, malware that's widely known for stealing banking credentials. But the compromised PCs -- all running Windows, mainly XP or Vista -- also show signs of a secondary infection with Waledac, a peer-to-peer spamming botnet. While this is not unusual, NetWitness believes that the data it has analyzed indicates that the two criminal gangs behind these two malware families are cooperating.
The company says that it cannot be certain as to how or by whom this stolen data will be used. Much of the computer and domain infrastructure used to spread the botnet resides in China, though those operating the botnet are believed to be in Eastern Europe.
For Further Reading:
"Integrity Check: 5 Steps To Data-Centric Cybersecurity" will help keep your organization's data safe. Download the report here (registration required).