Beware your computer is not infected with "Kneber botnet"

Posted by: rpawar


NetWitness, the world leader in advanced persistent threat detection and real-time network forensics, announced on February 18, 2010 in Herndon, VA, USA that its analysts have discovered a dangerous new ZeuS botnet affecting 75,000 systems in 2,500 organizations around the world.

The newly discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials for online financial systems, for Facebook, Yahoo, Hotmail and other social networks, and for email systems from infested computers. It reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities.

"These large-scale compromises of enterprise networks have reached epidemic levels," said Amit Yoran, chief executive of NetWitness and former director of the National Cyber Security Division of the Department of Homeland Security.

"Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe."

The company, which is based in Herndon, Va., noted that the new botnet made sophisticated use of a well-known Trojan Horse - a backdoor entryway to attack - that the computer security community had previously identified as ZeuS.

"Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information," said Alex Cox, the principal analyst at NetWitness responsible for uncovering the Kneber botnet.

"But that viewpoint is naive. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS."

"Over half the machines infected with Kneber also were infected with Waledac, a peer to peer botnet. The coexistence of ZeuS and Waledac suggests the goals of resilience and survivability and potential deeper cross-crew collaboration in the criminal underground." 

The current infection is modest compared with some of the largest known botnets. For example, a system known as Conficker, created in late 2008, infected as many as 15 million computers at its peak and continues to contaminate more than 7 million systems globally.

