Researchers at NetWitness uncovered a 75,000-strong botnet that infected companies around the world. Among its targets - login credentials for Facebook, Yahoo and other sites. According to security pros, the botnet is part of a growing trend to use social networking sites as a stepping stone to steal valuable financial data.
Researchers at NetWitness have uncovered a 75,000-strong botnet of
systems infected with the notorious Zeus Trojan. But perhaps even more
notable than its size is the data that it is targeting.The botnet, which has touched 2,500 organizations throughout the world
and been dubbed "Kneber" due to a username linking the infected
systems, seeks to collect login credentials to online financial
systems, social networking sites and email systems as well as other
data that can be used by cyber-crooks.
Analyzing the botnet over a four-week period,
NetWitness uncovered the theft of 68,000 credentials of various sorts.
Leading this list of stolen data were user credentials for
Facebook, Yahoo and hi5. According to security researchers, social networks have increasingly become
a jumping off point for attackers looking to conduct survelliance on
their targets. McAfee, for example, told eWEEK in January that social networks
played a role in theAuroraattack that impacted Google and others last year.
Such information has its purposes. For example, answers to questions
such as "what is your mother's maiden name" or "what street did you
grow up on" can be used to remotely reset user passwords and access
e-banking and other accounts, NetWitness noted in a paper on the botnet."While targeting financial sites ultimately may result in financial
gain for the miscreant, targeting logon credentials to social networks
and e-mail gives them the 'keys to the castle'," according to the paper.
"This personal information is pivotal for stealing identities and
crafting very well targeted and convincing criminal and espionage
"Many security analysts tend to classify Zeus solely as a Trojan that steals banking information,
but that viewpoint is na???ve," said Alex Cox, the principal analyst at
NetWitness, in a statement. "When we began to detect the correlation
among both the methodology used by the Kneber crew to attack victim
machines and the wide variety of data sets harvested, it became clear
that security teams must rethink their entire perspective on advanced
threats such as Zeus and consider more diverse mission objectives."The Zeus Trojan
is widely available in the cyber-underground, and is one of the more
common data-stealing pieces of malware used in financial attacks.
Though NetWitness declined to name the organizations affected by Kneber,Egypt(19 percent), Mexico(15 percent), Saudi Arabia(13 percent), Turkey(12 percent) and the United States(11 percent) had the largest share of compromised systems. According to a report by the Wall Street Journal, the U.S.companies impacted by the botnet include Merck & Co., Paramount Pictures and Juniper Networks.Also uncovered by NetWitness were 2,000 SSLcertificate
files and dossier-level data sets on individuals, including complete
dumps of entire identities from victim machines. According to the
research, more than half the machines infected with Kneber were also
infected with Waledac, suggesting a level of cross-crew collaboration
in the cyber-underworld."It is 100
percent certain that many organizations have no idea they are
victimized by these types of problems because they're just not tooled
to see them on their networks," Cox said. "The Kneber botnet is just
one category of advanced threat that organizations have been facing the
past few years that they are still largely ignorant or blind to today."