HEAT Security Blog

Kneber BotNet / Zeus Trojan Strikes!

Makes Us Wonder if Web 2.0 / Social Apps are a Boon or a Bane.

Today, the Wall Street Journal picked up a report by NetWitness about their discovery of a 75+ GB cache of stolen data, including 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, almost 2,000 SSL certificate files and a large amount of highly detailed “dossier-level” identity information. Also included were complete dumps of entire identities from victim machines. Disturbingly, this cache seems to represent only one month’s worth of stolen data.

Known as the “Kneber BotNet” after the username linking the infected systems worldwide, it seems to be a close relative of the infamous Zeus Trojan. It seems to have infected about 75,000 computers at over 2,400 companies and government agencies in 196 countries, among them 374 US-based entities spanning local, state and federal government agencies; financial institutions; energy companies; ISPs; educational institutions; and technology companies. The report suggests that Windows XP and Vista were the most commonly exploited operating systems.

It’s still early days on this (or at least this variant), but I think there are already some important lessons to be learned from this revelation. Nowadays, malware is …

  • Targeted. We talk a lot about the increasingly targeted attacks being seen out there. And we’re not just doing that to scare folks – it’s real. Looking at the list of the institutions impacted, it’s apparent that the banking sector was of particular interest; in fact, the report points out that this “was almost exclusively designed to target credentials for banking and/or digital currency sites.” They also point out that “this miscreant group [targeted] the government sector specifically.”
  • Sophisticated. We also talk a lot about how the attackers have evolved from script kiddies to sophisticated and financially-motivated cybercriminals. If you need any further proof of that, this is it.
    • It was designed to inject form elements into login pages and steal common “security questions” (like “what’s your mother’s maiden name?”).
    • It seems to share command and control (C2) traffic with the Waledac botnet; this could mean that even if the C2 mechanisms for one are taken out, the other might be able to resurrect it. Skynet, anyone?
  • Multi-Vector. There seem to be several ways this attack was propagated, including via social networks, through spam email and even very convincing phishing emails, and by using social engineering hooks. [For more on the very elaborate spoofing effort aimed at the NSA and .gov / .mil sites, see Brian Krebs’ post here.]
  • Global. The folks at NetWitness put considerable effort into understanding who was behind this and discovered a complicated trail leading through Eastern Europe and China to … well, it’s not quite clear, but the lesson is that the intertubes have indeed made the world a smaller place.
  • Not Just About Money (but in the end it is). There is evidence that at least some of this was directed at looting bank accounts using so-called money mules (an old problem and a continuing one). In addition, given the nature of the information found, it seems likely that it would be useful to other bad guys (e.g., money launderers, terrorists) and intelligence agencies alike. Thus, in the end, it’s all about the money.
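The form-injection trick mentioned above (extra “security question” fields grafted onto a legitimate login page) can be caught on the defender's side by checking that the form the user actually sees matches the form the server intended to serve. The snippet below is an added illustration of that check and is not code from this post or from the NetWitness report; the field names, the keyword list and the two sample forms are all constructed for the example, and a real deployment would read the fields from the DOM rather than from a literal array.

```javascript
// Added example, not part of the original post or the NetWitness report.
// Models a client-side integrity check a site owner might ship with a login
// page: compare the fields present in the rendered form against the set the
// server intended to serve, and flag extras that look like credential or
// identity prompts (the way a Zeus-style web inject adds "security question"
// fields). Field lists are constructed inline so the check runs offline.

// Hypothetical: the fields the login page is supposed to contain.
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Hypothetical heuristic keyword list for prompts that never belong on a
// first-factor login form.
const SUSPICIOUS_KEYWORDS = ["maiden", "ssn", "pin", "security question", "atm", "card number"];

// fields: array of { name, label } describing each <input> in the form.
// Returns which fields were not expected and whether any of them looks like
// an injected identity/credential prompt.
function auditLoginForm(fields, expected = EXPECTED_LOGIN_FIELDS) {
  const unexpected = [];
  for (const f of fields) {
    const name = (f.name || "").toLowerCase();
    if (expected.has(name)) continue; // served by us, nothing to report
    const text = `${name} ${f.label || ""}`.toLowerCase();
    const keywordHit = SUSPICIOUS_KEYWORDS.some((k) => text.includes(k));
    unexpected.push({ name: f.name, label: f.label, keywordHit });
  }
  return {
    clean: unexpected.length === 0,
    unexpected,
    // Probable web inject: at least one unexpected field reads like a prompt
    // for a secret the real page never asks for.
    probableInject: unexpected.some((u) => u.keywordHit),
  };
}

// Constructed sample: the form as served, and the same form after an injection.
const FORM_AS_SERVED = [
  { name: "username", label: "User ID" },
  { name: "password", label: "Password" },
  { name: "csrf_token", label: "" },
];

const FORM_AFTER_INJECT = FORM_AS_SERVED.concat([
  { name: "q_maiden", label: "What is your mother's maiden name?" },
  { name: "atm_pin", label: "ATM PIN" },
]);

console.log(auditLoginForm(FORM_AS_SERVED));   // clean: true
console.log(auditLoginForm(FORM_AFTER_INJECT)); // clean: false, probableInject: true
```

In practice the result would be reported back to the server (a beacon with the unexpected field names) rather than logged locally, because the same injected code that alters the page can also suppress a client-side alert; treat the check as one signal among several, alongside the server-side observation that a login POST arrived carrying parameters the page never defined.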

In addition, this incident suggests that simple reliance on reactive blacklisting approaches is not good enough. To even have a fighting chance on this front, you need to take additional measures. I know that some consider the old rubric “defense in depth” to be, well, old — but as with so many things, there’s a simple truth involved …

  • Technology. No single technology is going to protect you completely; having multiple, overlapping solutions (belts & suspenders … or moats & walls) is the only way to cover the bases to an acceptable level. This means keeping up with your patching (remember Conficker?), having perimeter defenses, using encryption, and controlling what applications are allowed to run on your system assets (i.e., application whitelisting like this), inter alia.
  • Process. But if you’re not paying attention to what all your defenses are conveying to you, then you’ll miss the tells which help you react to impending or ongoing problems.
  • People. As someone said, the greatest security risk to your computer (network) is sitting at the keyboard. Beyond the need to have qualified and experienced folks manning the instrumentation, you need to ensure that your end-users are educated – not only upon joining your company, but on an on-going basis. After all, the bad guys are obviously evolving their methods; shouldn’t you keep your people up-to-date too?

OK, enough for now. I’m sure this story is going to continue to grow in the coming days and months. So stay tuned for more. And in the meantime, here are some further readings on the topic for those interested …