Security experts have discovered a dangerous botnet that targets corporate networks and users' access credentials.
The "Kneber botnet" links 75,000 systems in 2,500 organisations around the world, said researchers at NetWitness, a specialist in real-time network forensics and automated threat intelligence solutions.
Kneber is related to the ZeuS botnet, NetWitness said. Discovered in January, it gathers login credentials to online financial systems, social networking sites and e-mail systems from infected computers.
It reports the information to the botnet owners and their clients who then use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities.
NetWitness investigations found this information included:
• 68,000 corporate log-in credentials
• Credentials for e-mail systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking sites
• 2,000 SSL certificate files
• Dossier-level data sets on individuals, including complete dumps of entire identities from victims' machines.
These details were from both commercial and government systems, it said.
"Many security analysts classify ZeuS solely as a Trojan that steals banking information," said Alex Cox, the NetWitness analyst who uncovered the Kneber botnet. "That viewpoint is naive."
More than half the machines infected with Kneber were also infected with Waledac, a peer-to-peer botnet. "The coexistence of ZeuS and Waledac suggests the goals of resilience and survivability and potential deeper cross-crew collaboration in the criminal underground," Cox said.
"When we began to detect the correlation between the methodology used by the Kneber crew to attack target machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS and consider more diverse mission objectives."
NetWitness CEO Amit Yoran said Operation Aurora (the recent attack on Google and 30 other US IT firms) had shed light on advanced threats from sponsored adversaries, but relatively few companies were affected.
"The number of companies and organisations compromised [by Aurora] pales in comparison to this single botnet," he said.
"Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks."
Yoran said the large-scale compromises of enterprise networks had reached epidemic levels. "Conventional malware protection and signature-based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats," he said.
Organisations that drive their information security programs according to compliance regulation and have not kept up with fast changes in the threat environment would not see this Trojan until the damage was done, he said.