by Glenn Chapman, February 19, 2010
SAN FRANCISCO (AFP) - Hackers have created a "dangerous new" network of virus-infected computers in 2,500 businesses and government agencies around the world, a US Internet security firm warned Thursday.
NetWitness dubbed the army of 75,000 zombie machines the "Kneber botnet" and said it was made using malicious ZeuS software that lets its masters steal information ranging from passwords to corporate or government secrets.
ZeuS malware has been increasingly used to siphon cash from financial institutions, with kits for customizing the larcenous programs hawked in the cyber underworld.
The code is usually slipped onto machines by tricking people into opening booby-trapped email attachments or clicking on tainted Internet links.
"These large-scale compromises of enterprise networks have reached epidemic levels," said NetWitness chief executive Amit Yoran, a former national cyber security division director at the US Department of Homeland Security.
"Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe."
Computers compromised by the botnet let attackers take remote control of systems as well as mine them for valuable information about people's identities, financial transactions, and company activities.
NetWitness said it discovered the Kneber botnet in January while deploying an online monitoring system.
Investigation revealed that business and government computers had been plundered of information including log-in credentials for banking, email and social networking services, according to NetWitness.
Yoran said the scale of the attacks dwarfs the recent "Operation Aurora" cyberassault on Google and dozens of other firms.
The sophistication of the attack on Google has prompted suspicions of national-level espionage, although the culprits have yet to be identified.
Computer industry specialists subsequently said more than 30 companies were hit by those attackers.
The apparent online espionage prompted Google to vow it would stop bowing to Chinese censors and shut down its China search service if it cannot operate unfettered.
Google continues to filter searches in accordance with Chinese law while trying to negotiate a compromise with officials there.
"While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet," Yoran said.
More than half of the machines in the Kneber network were also infected with Waledac code, which instructs zombie machines to communicate with each other, making the botnet harder to stamp out by essentially dispersing its command structure.
"It is 100 percent certain that many organizations have no idea they are victimized by these types of problems because they're just not tooled to see them on their networks," said NetWitness principal analyst Alex Cox.
"The Kneber botnet is just one category of advanced threat that organizations have been facing the past few years that they are still largely ignorant or blind to today."
Yoran told the Wall Street Journal that the hacking operation apparently began in late 2008 in Germany and grew to include using computers in China.
Evidence cited by NetWitness indicated the culprits may be Eastern European gangsters.
Workers at companies were tricked into visiting websites or opening email attachments that promised to clean viruses from computers but instead infected machines.