
New Zeus Botnet Discovered with 74,126 Windows PCs

It's getting better all the time.

HERNDON (Rixstep) — Security analysts at former US security czar Amit Yoran's NetWitness corporation accidentally uncovered a heretofore unknown Zeus botnet with 74,126 Windows PCs running in 196 countries.

Amit Yoran was formerly director of the national cyber-security division of the US Department of Homeland Security. He resigned in October 2004, complaining of an inability to effect real changes.

One of Yoran's last pronouncements before his resignation was to condemn Microsoft web products.

NetWitness engineer Alex Cox came upon the botnet by accident on 26 January. He and Gary Golomb have since researched it and have now published a white paper detailing their discovery.

Hilary Kneber

The botnet, named 'Kneber' after one of the mail accounts used for domain registration, currently involves at least 126 domains and is believed to be run from at least twenty command and control domains worldwide.

Naturally the botnet targets only Windows computers. These 74,126 computers were found at medical companies, insurance companies, educational institutions, energy firms, financial companies, Internet providers, and government agencies. Although spread to 196 countries, the greatest concentration was found in the US, Saudi Arabia, Egypt, Turkey, and Mexico.

Not the First Time Exactly

Also known by other names such as Wsnpoem and Zbot, Zeus was first seen in July 2007 when it stole information from the US Department of Transportation. Jacques Erasmus and his research team at Prevx discovered a Zeus data cache in June 2009. The data was used exclusively to break into FTP accounts at sites such as NASA, Cisco, Kaspersky, McAfee, Symantec, Amazon, Bank of America, Oracle, ABC, BusinessWeek, Bloomberg, Disney, Monster, and the Queensland government.

All told, 74,000 FTP accounts were compromised.

'It's exclusively login data', said Erasmus at the time. 'The purpose of this data is clear to me. They want to use this to inject iframes into these sites which point to their exploit kit running on the same server, to exploit more people and distribute more malware. This is a good opportunity for them to target more users that might not get infected via the normal routes.'
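
The injection Erasmus describes leaves a visible trace on the victim site: an iframe that is hidden (1x1 pixels or styled out of view) and loads content from a host the site owner does not control. The following is an added example, not code from the article, Prevx or NetWitness, of a check a site owner could run over their own web root after a credential leak to flag such frames. The sample HTML, the `.invalid` placeholder domain and the `www.example.org` site host are constructed for the demonstration.

```python
"""Scan HTML files for injected hidden iframes (added example, defender side).

Assumptions: the site's own hostname is known, and any iframe that is
tiny, hidden by CSS, or sourced from another host is worth a look.
"""
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments commonly used to hide an injected frame (compared with spaces removed)
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")

# Constructed sample page: one legitimate embed, one hidden off-site frame, one local frame
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.org/embed/video" width="640" height="360"></iframe>
<iframe src="http://malicious-placeholder.invalid/kit.php" width="1" height="1" style="display: none"></iframe>
<iframe src="/local/widget.html" width="300" height="200"></iframe>
</body></html>
"""


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes arrive as None; normalise to empty strings
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (e.g. '1', '1px'), a common hiding trick."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_suspicious_iframes(html, site_host):
    """Return a list of {'src', 'reasons'} for iframes that are hidden or off-site."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        # Relative URLs have no hostname and are treated as same-site
        host = urlparse(src).hostname or ""
        if host and host.lower() != site_host.lower():
            reasons.append("external host %s" % host)
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("1x1 or smaller")
        if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
            reasons.append("hidden by style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def scan_directory(root, site_host, extensions=(".html", ".htm", ".php")):
    """Walk a web root and map each file path to its suspicious iframes (if any)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_suspicious_iframes(fh.read(), site_host)
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run `scan_directory("/var/www/html", "www.example.org")` (paths and host are placeholders) against a copy of the web root; the check is deliberately broad, so legitimate embeds from third-party hosts will also be listed and need a human eye. It catches the single hidden frame in the sample page on all three counts and leaves the 640x360 same-host embed and the relative local frame alone.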

NetWitness have now published their white paper on the subject; Kneber is still running.

See Also
WSJ: Broad New Hacking Attack Detected
Prevx: Test Your FTP Logon
ZBot data dump discovered with over 74,000 FTP credentials
Wikipedia: Zeus Trojan
Reuters: Zeus Attacks Department of Transportation
Krebs on Security: Zeus Attack Spoofs NSA, Targets .gov and .mil
Fortiguard: Zeus: God of DIY Botnets
YouTube: Zeus Bot: Under Watch
abuse.ch: Zeus Tracker
Antisource: ZeuS
Radsoft: ;DECLARE @S CHAR(4000);
Radsoft: Fighting Malware on Windows
Radsoft: The Malware Ruse
Radsoft: The Microsoft Ghetto
The Technological: Wsnpoem
The Technological: They Think It's OK
NetworkWorld: America's 10 Most Wanted Botnets
NetworkWorld: Malware Infects Space Station
Trusteer: Measuring the in-the-wild effectiveness of Antivirus against Zeus (PDF)
Hindu News: UAB computer forensics link Internet postcards to virus
MDL: Malware Domain List
Webroot: One Click, and the Exploit Kit's Got You
NetWitness: Kneber White Paper
Washington Post: More than 75,000 computer systems hacked in one of largest cyber attacks

ZeuS is a nasty infection to have.
 - Richard S Westmoreland

Copyright © Rixstep. All rights reserved.