NetWitness, a US-based real-time network forensics firm, announced that the Kneber botnet had compromised almost 75,000 personal computers in 2,500 organizations and government agencies. Logins and passwords for Hotmail, Yahoo and many other accounts, including online banking websites and corporate servers used to store confidential data, were captured by the attackers. Close to 200 countries were affected, the hardest hit being Egypt, Mexico, Saudi Arabia, Turkey, and the United States.
NetWitness says Kneber is a ZeuS Trojan botnet, a type of botnet that targets and steals key information stored on the infected computer, such as login credentials.
“Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information,” stated Alex Cox, the Principal Analyst at NetWitness who was responsible for uncovering the Kneber-bot, “but that viewpoint is naive. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS and consider more diverse mission objectives.”
The operating systems most affected were Microsoft XP Professional Edition, Microsoft XP Home Edition and Vista Home Edition.
Amit Yoran, CEO of NetWitness and former Director of the National Cyber Security Division, said, “While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet. These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe. Conventional malware protection and signature-based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats. Organizations which focus on compliance as the objective of their information security programs and have not kept pace with the rapid advances of the threat environment will not see this Trojan until the damage already has occurred. Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks.”
NetWitness also said that “over half the machines infected with Kneber also were infected with Waledac, a peer-to-peer botnet,” which shows a certain level of coexistence between cybercriminal operations. This emphasises that if one botnet were removed, the other could continue to operate.