Kneber Botnet Preys On Social Network Data

Researchers at NetWitness have uncovered a 75,000-strong botnet of systems infected with the notorious Zeus Trojan. But perhaps even more notable than its size is the data that it is targeting.

The botnet, which has touched 2,500 organisations throughout the world and been dubbed “Kneber” due to a username linking the infected systems, seeks to collect login credentials to online financial systems, social networking sites and email systems as well as other data that can be used by cyber-crooks.

Analysing the botnet over a four-week period, NetWitness uncovered the theft of 68,000 credentials of various sorts. Leading this list of stolen data were user credentials for Facebook, Yahoo and hi5. According to security researchers, social networks have increasingly become a jumping off point for attackers looking to conduct survelliance on their targets. McAfee, for example, told eWEEK in January that social networks played a role in the Aurora attack that impacted Google and others last year.

Such information has its purposes. For example, answers to questions such as “what is your mother’s maiden name” or “what street did you grow up on” can be used to remotely reset user passwords and access e-banking and other accounts, NetWitness noted in a paper on the botnet.

“While targeting financial sites ultimately may result in financial gain for the miscreant, targeting logon credentials to social networks and e-mail gives them the ‘keys to the castle’,” according to the paper. “This personal information is pivotal for stealing identities and crafting very well targeted and convincing criminal and espionage campaigns.”

“Many security analysts tend to classify Zeus solely as a Trojan that steals banking information, but that viewpoint is naïve,” said Alex Cox, the principal analyst at NetWitness, in a statement. “When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as Zeus and consider more diverse mission objectives.”

The Zeus Trojan is widely available in the cyber-underground, and is one of the more common data-stealing pieces of malware used in financial attacks. Though NetWitness declined to name the organisations affected by Kneber, Egypt(19 percent), Mexico(15 percent), Saudi Arabia(13 percent), Turkey(12 percent) and the United States(11 percent) had the largest share of compromised systems. According to a report by the Wall Street Journal, the US companies impacted by the botnet include Merck & Co., Paramount Pictures and Juniper Networks.

Also uncovered by NetWitness were 2,000 SSL certificate files and dossier-level data sets on individuals, including complete dumps of entire identities from victim machines. According to the research, more than half the machines infected with Kneber were also infected with Waledac, suggesting a level of cross-crew collaboration in the cyber-underworld.

“It is 100 percent certain that many organisations have no idea they are victimised by these types of problems because they’re just not tooled to see them on their networks,” Cox said. “The Kneber botnet is just one category of advanced threat that organisations have been facing the past few years that they are still largely ignorant or blind to today.”