The attacks by the so-called Kneber or BTN1 botnet infected around 75,000 systems during a period of a year-and-a-half, and were discovered by researchers at NetWitness, which today issued a report on the botnet. NetWitness found 75 gigabytes worth of stolen data on Jan. 26, which it ultimately traced to the botnet. Among the victims of this botnet, according to a published report in the The Wall Street Journal, are Merck, Cardinal Health, Paramount Pictures, and Juniper Networks.
But unlike the recent attacks on Google, Adobe, and nearly 30 other companies, the Zeus attacks by Kneber were not targeting the victim organizations, nor did they attempt to camp out and infiltrate the organizations for espionage or intellectual property theft purposes. Instead, the victim organizations in the Zeus attack were merely swept up in a wider series of attacks by the Eastern European criminal gang or gangs behind the botnet. This was more of a "smash, grab, and go" type of attack where the criminals infected the machines and siphoned as many credentials as they could without sticking around for too long, according to Alex Cox, the senior consultant and member of the research department at NetWitness who discovered the attacks.
"The Google attacks were advanced, persistent threat and state-sponsored type attacks where you stay inside for as long as you can to gather intelligence and a business advantage. I would equate this [round of attacks] as more of a mass malware, smash, and grab attack where they infected as many machines as they can, get credentials, get more information, help further propagate the botnet, and then move on," Cox says.
Cox says the attackers likely were just spreading their net to see what they could catch. "There was no focus on industries or a geographic area," he says. The botnet, which NetWitness estimates to be at 74,126 bots, spans machines in 196 countries, including Egypt, where the most bots reside (19 percent), as well as Mexico (15 percent), Saudi Arabia (13 percent), Turkey (12 percent), and the U.S. (11 percent).
Kneber -- named after the original domain used to set up the botnet, [email protected] -- uses Zeus to steal login credentials to online financial sites, social networking sites, and email systems. Among the victims were academic institutions, energy companies, financial institutions, Internet service providers, and 10 government agencies, according to NetWitness' report. The attackers also grabbed 2,000 SSL certificates.
The victim organizations had anywhere from one bot to 200 infected machines, according to Cox.
The Zeus Trojan was one of the major payloads of botnet outbreaks in corporate networks last year, according to newly released data from Damballa. The most prevalent botnet in those networks was a little-known botnet called ZeusBotnet that accounted for 20 percent of all bot infections in enterprises. And the Zeus Trojan was the second-most common piece of malware spread by all botnets attacking enterprises last year, second to the Koobface worm.
Gunter Ollmann, vice president of research for Damballa, says his firm traces the so-called Kneber botnet operators behind these attacks back to September 2008, when they were deploying the Virut malware family for the same basic purpose as Zeus.
According to Damballa, in the third quarter of 2009 this botnet had grabbed 57,000 new bot victims in North America, 30,000 new victims in the fourth quarter of '09, and 10,100 new victims in the first quarter of this year, from North America. "[These numbers] reflect that the criminal operators behind this particular botnet don't care who their victims are. They have an automated delivery vehicle and automatically harvest credentials -- the fact that some systems are corporate [ones] doesn't matter beyond the fact that they are 'low yield' victims from their perspective," Ollmann says.
NetWitness found that Kneber also has some close ties to the Waledac botnet, a peer-to-peer botnet that is best known as the next-generation Storm botnet, and used mainly for spamming purposes. "More than half of the bots involved were also infected with Waledac," Cox says. "We found it pulls down a Waledac executable ... this is an indication that there's work being done together between the two [botnet] gangs, or they are going after the same gang."
Or given that Kneber is a traditional command-and-control botnet and Waledac is a peer-to-peer one, the dual infection could be for redundancy purposes, he says. "If one gets disrupted, the other can be used to recover the distributed system," he says. "But I have no evidence that this is going on."
Cox says it's tough to determine how the bots initially were infected, but that he has seen evidence of spear phishing attacks and exploit-kit use that indicates drive-by downloads via Websites -- typical modes of attack for Zeus.
The attackers were involved with the botnet for at least a year, but NetWitness has only studied log data from mid-December 2009 through mid-January of this year, he says. "The command and control server for this Zeus botnet is still active ... definitely an indication that the [attacks] are still ongoing," Cox says.
The FBI is currently investigating the botnet-borne attack. Meanwhile, antivirus vendors McAfee and Symantec dismissed the attacks as nothing new and just another iteration of the popular Zeus Trojan.
In a related development, researchers at Symantec Hosted Services today said they have uncovered a series of targeted attacks in the education and public sectors that used the so-called Bredolab malware.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.