Over the last 18 months, a new botnet has been terrorizing corporate computers around the world, according to Internet security vendor NetWitness.
Sure, it's in NetWitness' interests to give companies a scare, but you don't need a lot of hyperbole to make the so-called Kneber botnet a scary hacking attack. NetWitness says it discovered Kneber -- a kind of Zeus Trojan -- last month, and that the botnet has attacked 75,000 systems at 2,500 organizations.
"Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information, but that viewpoint is naïve," said Alex Cox, the NetWitness analyst that discovered Kneber when installing his company's software at a company. The new botnet he said, has been used to harvest a wide variety of data from corporations.
According to a white paper published by NetWitness Thursday -- which includes some interesting analysis among the product pitches -- the company's researchers found 75 GB of stolen data, which contained more than 68,000 stolen credentials obtained over a four-week period. More than 3,500 of those were Facebook credentials; another 2,500-plus were Yahoo usernames and passwords.
But NetWitness points out that this data -- just one month in the botnet's 18-month existence -- is from an "earlier campaign" that targeted social networking and Web mail sites. "The most recent configuration file that was downloaded by the malware prior to the site's takedown was almost exclusively designed to target credentials for banking and/or digital currency sites," says the vendor, which provided a list of banks -- a who's who of the banking industry -- that the infected machines have been scraping.
The white paper doesn't say which companies have been hit by Kneber, but the Wall Street Journal reported today that they include pharmaceutical company Merck and Cardinal Health, both of which were said to have "isolated and contained the problem."
The Journal also said that people "familiar with the attack" named Paramount Pictures and Juniper Networks as other victims. NetWitness says it is sharing information with the companies that have been infected with the botnet.
Computers at 10 U.S. government agencies were also hit, according to NetWitness, which said that the attackers obtained a soldier's military e-mail credentials.
But the botnet is widespread, says NetWitness, and compromised machines have been found in 196 countries. The top five sources of infected computers are Egypt, Mexico, Saudi Arabia, Turkey and the U.S.