Kneber Botnet Highlights Trend of Social Networking Data Being Used by Hackers
Researchers at NetWitness have uncovered a 75,000-strong botnet of systems infected with the notorious Zeus Trojan. But perhaps even more notable than its size is the data that it is targeting.
The botnet, which has touched 2,500 organizations throughout the world and been dubbed "Kneber" due to a username linking the infected systems, seeks to collect login credentials to online financial systems, social networking sites and email systems as well as other data that can be used by cyber-crooks.
Analyzing the botnet over a four-week period,
NetWitness uncovered the theft of 68,000 credentials of various sorts.
Leading this list of stolen data were user credentials for
Facebook, Yahoo and hi5. According to security researchers, social networks have increasingly become
a jumping off point for attackers looking to conduct survelliance on
their targets. McAfee, for example, told eWEEK in January that social networks
played a role in the
Such information has its purposes. For example, answers to questions such as "what is your mother's maiden name" or "what street did you grow up on" can be used to remotely reset user passwords and access e-banking and other accounts, NetWitness noted in a paper on the botnet.
"While targeting financial sites ultimately may result in financial
gain for the miscreant, targeting logon credentials to social networks
and e-mail gives them the 'keys to the castle'," according to the paper.
"This personal information is pivotal for stealing identities and
crafting very well targeted and convincing criminal and espionage
"Many security analysts tend to classify Zeus solely as a Trojan that steals banking information, but that viewpoint is na???ve," said Alex Cox, the principal analyst at NetWitness, in a statement. "When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as Zeus and consider more diverse mission objectives."
The Zeus Trojan
is widely available in the cyber-underground, and is one of the more
common data-stealing pieces of malware used in financial attacks.
Though NetWitness declined to name the organizations affected by Kneber,
Also uncovered by NetWitness were 2,000
"It is 100
percent certain that many organizations have no idea they are
victimized by these types of problems because they're just not tooled
to see them on their networks," Cox said. "The Kneber botnet is just
one category of advanced threat that organizations have been facing the
past few years that they are still largely ignorant or blind to today."