Newly discovered Zeus spinoff botnet has wide impact

Computer systems at nearly 2,500 organizations and government agencies worldwide have become part of a newly-discovered botnet of PCs infected with the notorious data-stealing Zeus, according to researchers at network security monitoring firm NetWitness.

The “Kneber” botnet is made up of 74,126 machines in 196 countries that were infected with a variant of Zeus, Alex Cox, a principal analyst at NetWitness and the botnet's discoverer, told on Thursday.

The damage from the attack is still being surveyed, but based on the most current data, attackers were able to steal more than 68,000 credentials for social networking sites and email systems during a four-week period, according to a NetWitness research paper that examined the botnet, released Thursday.

The stolen data also includes credentials for corporate accounts and online banking sites, Cox said. The gang of hackers behind the attack, believed to be from Eastern Europe, has likely stolen millions of credentials.

NetWitness has informed the FBI about the attack and is currently in the process of notifying victimized organizations. Many of the victims include Fortune 500 enterprises, local, state, and federal government agencies, and energy companies. Also, technology firms, internet service providers, financial institutions and schools were affected. In total, 374 U.S.-based entities and 2,411 global entities have been impacted.

“Essentially, you have credentials stolen from systems all over the world for social networking, email, corporate and government systems,” Cox said.

Two companies that were affected include the Readington Township, N.J.-based pharmaceutical company Merck & Co. and Dublin, Ohio-based Cardinal Health, according to a report in The Wall Street Journal. Both companies reportedly told The Journal they have isolated and contained the issue.

Neither company responded to a request for comment from

Amit Yoran, CEO of NetWitness, said large-scale compromises of enterprise networks have reached “epidemic levels.”

“Cybercriminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe,” he said.

Cox discovered the botnet on Jan. 26 during routine analysis of a client's enterprise network. The botnet was named Kneber, after the email address used to register the command-and-control server linking infected systems worldwide, he said.

The Zeus trojan, also known as Zbot, was built to infect the Windows operating system. It is typically considered a banking trojan used to steal login credentials for online financial systems, but data analyzed from the Kneber botnet indicates that the trojan is also being used to harvest social networking and email credentials, according to NetWitness' research paper.

Some security experts, though, questioned the novelty of NetWitness' find.

Kneber is not a new threat but is simply one particular group of Zeus-infected computers being controlled by one owner, Kevin Haley, director of Symantec Security Response, said in a statement.

Zeus toolkits are widely available on the underground market, so it is not uncommon for attackers to create new strings of the overall Zeus botnet, such as Kneber, he said.

“Though it is true that this Kneber string of the overall Zeus botnet is fairly large, it does not involve any new malicious threats,” Haley said.

Users with up-to-date security software should already be protected from this threat, he added.

This attack should serve as a wake-up call to other businesses, Michael Maloof, CTO at TriGeo Network Security, told in an email Thursday.

“Breaches will occur,” Maloof said. “Your employees are no better trained or equipped than those that were infected, so it's critical to employ layers of defenses inside the organization so that a breach in one area doesn't expose the entire network.”

He added that it is important to continuously monitor internal defenses so that when a breach does occur, the organization can identify and respond before sensitive data is stolen.