Thursday, February 18, 2010

Kneber Botnet Infects Corporate Computer Networks: HAL was Right


UPDATE (February 18, 2010 - 9:22 a.m. Central)

"Malicious Software Infects Corporate Computers"
The Wall Street Journal (February 18, 2010)

"A malicious software program has infected the computers of more than 2,500 corporations around the world, according to NetWitness, a computer network security firm.

"The malicious program, or botnet, can commandeer the operating systems of both residential and corporate computing systems via the Internet. Such botnets are used by computer criminals for a range of illicit activities, including sending e-mail spam, and stealing digital documents and passwords from infected computers. In many cases they install so-called 'keystroke loggers' to capture personal information.

"The current infection is modest compared to some of the largest known botnets...."

"...The hacking operation, the latest of several major hacks that have raised alarms for companies and government officials, is still running and it isn't clear to what extent it has been contained, NetWitness said. Also unclear is the full amount of data stolen and how it was used. Two companies that were infiltrated, pharmaceutical giant Merck & Co. and Cardinal Health Inc., said they had isolated and contained the problem.

"Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.

"In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

"They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier's military email account, NetWitness found. A Pentagon spokesman said the military didn't comment on specific threats or intrusions...."

"...The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form. It works with the Firefox browser, according to computer-security firm SecureWorks. This version included a $2,000 feature that works with Firefox, according to SecureWorks.

"Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it's easier to operate there without being caught, said NetWitness's Mr. Yoran.

"There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military, NetWitness's Mr. Yoran said...."

"Botnet attack"
Daily Briefing, UPI (February 18, 2010)

"More than 70,000 computers from 2,500 companies have been infected with the Kneber botnet, an Internet watchdog said Thursday.

"NetWitness Corp. of Virginia said the attack is used to reap user names and passwords to gain access to financial information, social networking Internet sites and e-mail. The rogue software has been circulating for about 18 months and is known to have gathered about 75 gigabytes of data...."

"...The [Wall Street] Journal said the botnet software is spread when a computer user opens phishing e-mail that links to the code."

And the moral of this story is - no, really: don't open that email attachment.

Or as the HAL 9000 computer said, "It can only be attributable to human error."

There's quite a bit more on this SNAFU, including:

"Malicious Software Infects Corporate Computers"
The New York Times (February 18, 2010)

"A malicious software program has infected the computers of more than 2,500 corporations around the world, according to NetWitness, a computer network security firm...."

"...NetWitness said in a release that it had discovered the program last month while the company was installing monitoring systems. The company dubbed it the “Kneber botnet” based on a username that linked the infected systems. The purpose appears to be to gather login credentials to online financial systems, social networking sites and e-mail systems, and then transmit that information to the system's controllers, the company said.

"The company's investigation determined that the botnet has been able to compromise both commercial and government systems, including 68,000 corporate log-in credentials. It has also gained access to e-mail systems, online banking accounts, Facebook, Yahoo, Hotmail and other social network credentials, along with more than 2,000 digital security certificates and a significant cache of personal identity information...."

"...'Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information,' stated Alex Cox, the principal analyst at NetWitness responsible for uncovering the Kneber botnet. 'But that viewpoint is naïve. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS.'

"Half of the machines infected with the Kneber botnet were also infected by an earlier botnet known as Waledac, the company noted.

"The existence of the botnet was first reported by the Wall Street Journal, shortly before the company issued its press release."

"Virus has breached 75,000 computers: study"
Reuters (February 18, 2010)

"A new type of computer virus is known to have breached almost 75,000 computers in 2,500 organizations around the world, including user accounts of popular social network websites, according to Internet security firm NetWitness.

"The latest virus -- known as 'Kneber botnet' -- gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information back to hackers, NetWitness said in a statement.

"A botnet is an army of infected computers that hackers can control from a central machine....

"...'Conventional malware protection and signature-based intrusion detection systems are, by definition, inadequate for addressing Kneber or most other advanced threats,' Chief Executive Amit Yoran said in a statement."

Kudos to the Reuters article for helpfully defining "botnet" - a term that may not be familiar to many readers.

Then they end the article with "...Conventional malware protection...inadequate for addressing ... advanced threats..." That true (but, in my opinion, misleading) statement reminded me of the old "bullets won't stop them!" line from fifties monster movies.

If, by "conventional malware protection," Reuters meant systems that rely entirely on software to scan programs and messages against a list of known signatures, then yes, it's true: "conventional malware protection" won't stop the Kneber botnet.

Because, by the Journal's account, it relies on some human being clicking a contaminated web site, a fake "clean up your viruses" ad, or an attachment to a phishing email. The software never gets a vote until after the person has already said yes.
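The point about signature-only scanning is easier to see in code. What follows is an added illustration written for this post, not code from NetWitness, SecureWorks or any of the outlets quoted above. KNOWN_BAD is a constructed byte string shaped like a Windows executable (it is not ZeuS, Kneber or any real sample), repack() is a toy stand-in for the repacking a crimeware kit does between campaigns, and the attachment names are made up. The hash-and-pattern scanner catches the one sample it has been shown and misses a trivially repacked copy; a naming-and-content heuristic, which needs no prior knowledge of the sample, flags both disguised copies.

```python
"""Signature scanning versus a content heuristic, on constructed phishing attachments.

Added illustration for this post, not NetWitness, SecureWorks or outlet code.
KNOWN_BAD is a made-up byte string that merely looks like a Windows executable.
"""
import hashlib
import os
import struct
from typing import Dict, List, Tuple

# Constructed stand-in for a "known" malicious attachment: DOS "MZ" magic, a
# padded DOS header, a PE-header offset and a recognisable payload string.
KNOWN_BAD = (
    b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"dropper-v1"
)

# What a conventional scanner knows: the exact hash of the sample it was given...
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}
# ...and a fixed byte pattern lifted from that sample.
PATTERN_SIGNATURES = [b"dropper-v1"]

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat"}


def signature_match(data: bytes) -> bool:
    """Conventional detection: whole-file hash or fixed byte pattern."""
    if hashlib.sha256(data).hexdigest() in HASH_SIGNATURES:
        return True
    return any(pattern in data for pattern in PATTERN_SIGNATURES)


def repack(data: bytes, key: int = 0x5A) -> bytes:
    """Toy 'repacker' (assumed, not a real kit): XOR everything after the
    64-byte DOS header with a one-byte key. The header is untouched, so the
    OS still sees an executable, but hash and byte pattern both change."""
    header, body = data[:64], data[64:]
    return header + bytes(b ^ key for b in body)


def is_executable(data: bytes) -> bool:
    """MZ magic at offset 0 means Windows will run the file as a program,
    whatever the attachment happens to be named."""
    return data[:2] == b"MZ"


def suspicious_attachment(filename: str, data: bytes) -> List[str]:
    """Naming and content checks that need no prior knowledge of the sample."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if os.path.splitext(root)[1]:          # e.g. invoice.pdf.exe
        reasons.append("double extension")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable attachment")
    if ext in DOCUMENT_EXTENSIONS and is_executable(data):
        reasons.append("executable content behind a document extension")
    return reasons


def triage(attachments: List[Tuple[str, bytes]]) -> Dict[str, Dict[str, object]]:
    """Run both checks over a batch of (filename, bytes) pairs."""
    return {
        name: {
            "signature": signature_match(data),
            "heuristics": suspicious_attachment(name, data),
        }
        for name, data in attachments
    }


# Constructed mailbox: the original sample, two repacked copies under disguised
# names, and a benign PDF fragment.
SAMPLE_ATTACHMENTS = [
    ("update.exe", KNOWN_BAD),
    ("invoice.pdf.exe", repack(KNOWN_BAD)),
    ("report.pdf", repack(KNOWN_BAD, key=0x33)),
    ("agenda.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:18} signature={verdict['signature']!s:5} "
              f"heuristics={verdict['heuristics']}")
```

Only update.exe, the exact sample the scanner was trained on, trips the signature check; the repacked copies sail past it. The heuristic side flags invoice.pdf.exe for its double extension and report.pdf for carrying executable content behind a document name, and leaves the benign PDF alone. None of this replaces a user who declines to open the attachment in the first place, which is the point of the post.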

How long have we been hearing and reading "DON'T OPEN EMAIL ATTACHMENTS" unless you have verified that the person it's supposedly from actually sent it, and that their machine isn't infected?

That sound you didn't hear was me, mentally beating the desktop with my head. I don't know which will be easier: developing a global system of cooperating lawmakers, law enforcement agencies, software developers, ISPs, and users to identify and prosecute the outfits that create problems like this? Or getting folks in the office to exercise common sense?
