Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:52 PM
Connect Directly

Thousands Of Organizations Worldwide Hit By Widespread Malware Attack

Botnet bearing the Zeus Trojan infected 75,000 systems worldwide in 2,500 enterprises, government agencies

Yet another sign that the Zeus Trojan isn't just for stealing consumer online banking credentials anymore: Some 2,500 enterprises and government agencies worldwide have been infiltrated by a botnet spreading the pervasive piece of malware, a security firm revealed today.

The attacks by the so-called Kneber or BTN1 botnet infected around 75,000 systems during a period of a year-and-a-half, and were discovered by researchers at NetWitness, which today issued a report on the botnet. NetWitness found 75 gigabytes worth of stolen data on Jan. 26, which it ultimately traced to the botnet. Among the victims of this botnet, according to a published report in the The Wall Street Journal, are Merck, Cardinal Health, Paramount Pictures, and Juniper Networks.

But unlike the recent attacks on Google, Adobe, and nearly 30 other companies, the Zeus attacks by Kneber were not targeting the victim organizations, nor did they attempt to camp out and infiltrate the organizations for espionage or intellectual property theft purposes. Instead, the victim organizations in the Zeus attack were merely swept up in a wider series of attacks by the Eastern European criminal gang or gangs behind the botnet. This was more of a "smash, grab, and go" type of attack where the criminals infected the machines and siphoned as many credentials as they could without sticking around for too long, according to Alex Cox, the senior consultant and member of the research department at NetWitness who discovered the attacks.

"The Google attacks were advanced, persistent threat and state-sponsored type attacks where you stay inside for as long as you can to gather intelligence and a business advantage. I would equate this [round of attacks] as more of a mass malware, smash, and grab attack where they infected as many machines as they can, get credentials, get more information, help further propagate the botnet, and then move on," Cox says.

Cox says the attackers likely were just spreading their net to see what they could catch. "There was no focus on industries or a geographic area," he says. The botnet, which NetWitness estimates to be at 74,126 bots, spans machines in 196 countries, including Egypt, where the most bots reside (19 percent), as well as Mexico (15 percent), Saudi Arabia (13 percent), Turkey (12 percent), and the U.S. (11 percent).

Kneber -- named after the original domain used to set up the botnet, [email protected] -- uses Zeus to steal login credentials to online financial sites, social networking sites, and email systems. Among the victims were academic institutions, energy companies, financial institutions, Internet service providers, and 10 government agencies, according to NetWitness' report. The attackers also grabbed 2,000 SSL certificates.

The victim organizations had anywhere from one bot to 200 infected machines, according to Cox.

The Zeus Trojan was one of the major payloads of botnet outbreaks in corporate networks last year, according to newly released data from Damballa. The most prevalent botnet in those networks was a little-known botnet called ZeusBotnet that accounted for 20 percent of all bot infections in enterprises. And the Zeus Trojan was the second-most common piece of malware spread by all botnets attacking enterprises last year, second to the Koobface worm.

Gunter Ollmann, vice president of research for Damballa, says his firm traces the so-called Kneber botnet operators behind these attacks back to September 2008, when they were deploying the Virut malware family for the same basic purpose as Zeus.

According to Damballa, in the third quarter of 2009 this botnet had grabbed 57,000 new bot victims in North America, 30,000 new victims in the fourth quarter of '09, and 10,100 new victims in the first quarter of this year, from North America. "[These numbers] reflect that the criminal operators behind this particular botnet don't care who their victims are. They have an automated delivery vehicle and automatically harvest credentials -- the fact that some systems are corporate [ones] doesn't matter beyond the fact that they are 'low yield' victims from their perspective," Ollmann says.

NetWitness found that Kneber also has some close ties to the Waledac botnet, a peer-to-peer botnet that is best known as the next-generation Storm botnet, and used mainly for spamming purposes. "More than half of the bots involved were also infected with Waledac," Cox says. "We found it pulls down a Waledac executable ... this is an indication that there's work being done together between the two [botnet] gangs, or they are going after the same gang."

Or given that Kneber is a traditional command-and-control botnet and Waledac is a peer-to-peer one, the dual infection could be for redundancy purposes, he says. "If one gets disrupted, the other can be used to recover the distributed system," he says. "But I have no evidence that this is going on."

Cox says it's tough to determine how the bots initially were infected, but that he has seen evidence of spear phishing attacks and exploit-kit use that indicates drive-by downloads via Websites -- typical modes of attack for Zeus.

The attackers were involved with the botnet for at least a year, but NetWitness has only studied log data from mid-December 2009 through mid-January of this year, he says. "The command and control server for this Zeus botnet is still active ... definitely an indication that the [attacks] are still ongoing," Cox says.

The FBI is currently investigating the botnet-borne attack. Meanwhile, antivirus vendors McAfee and Symantec dismissed the attacks as nothing new and just another iteration of the popular Zeus Trojan.

In a related development, researchers at Symantec Hosted Services today said they have uncovered a series of targeted attacks in the education and public sectors that used the so-called Bredolab malware.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
PUBLISHED: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...
PUBLISHED: 2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.