Zeus-based botnet used to steal data from 2,500 organizations

Feb 18, 2010 15:09 GMT  ·  By
The Kneber botnet used to steal sensitive data from thousands of organizations

Researchers from a security company have uncovered that a variant of the Zeus trojan has actively been used to siphon sensitive information from 2,500 organizations during the past two years. Dubbed the "Kneber botnet," the network of compromised computers spanning almost 200 countries is being controlled from servers in Germany and The Netherlands.

While investigating a malware infection on a customer's network back in January, workers from NetWitness, a real-time network forensics company based in Herndon, Virginia, uncovered a 75 GB cache of stolen data on a remote server. A subsequent analysis revealed that the dump contained login credentials to email systems, online banking sites or social networks, as well as dossier-level data sets on individuals and thousands of SSL certificates.

The company's analysts concluded that confidential information was siphoned via a Zeus variant from 74,126 computers belonging to 2,411 organizations in 196 countries. However, since the data was only four weeks old and the operation dates back to 2008, the total number of victims is likely much larger.

According to NetWitness, the largest numbers of affected organizations are in Egypt, Mexico, Saudi Arabia, Turkey and the United States, and they include government agencies and Fortune 500 companies. The company also found additional malware, such as the Waledac worm, on half of the infected machines, suggesting the gang behind the attack took precautions to keep a foothold in case their Zeus variant was discovered and removed.

"Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information, but that viewpoint is naive. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS and consider more diverse mission objectives," Alex Cox, principal analyst at NetWitness, commented, according to a press release.

This is the third mass cyber-espionage incident to be disclosed since Operation Aurora, an attack against Google, Adobe and some thirty other U.S. companies, was unmasked earlier this year. At the end of January, it was reported that several oil giants had fallen victim to a sophisticated malware attack. Then, two weeks ago, it was announced that government computers at various agencies had been targeted via spear phishing.

"While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet. These large-scale compromises of enterprise networks have reached epidemic levels. […] Conventional malware protection and signature based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats," Amit Yoran, CEO of NetWitness and former director of the National Cyber Security Division, concluded.