Zeus gang hits 75 000 computers

The botnet, known as Kneber after an email address used to register malicious domains, targeted 2400 organizations across the globe, with 374 based in the US. Internet service providers, energy companies, federal government agencies, and financial institutions all suffered from the attack.

According to the white paper on the botnet published by NetWitness, the Zeus strain used in the attack was detected by fewer than 10% of all antivirus products, and existing intrusion detection systems failed to pick up the botnet communication.

"This compromise, the scope of global penetration and the sheer magnitude of the collected data illustrates the inadequacy of signature-based network monitoring methods used by most commercial and public sector organizations today," NetWitness said in the report.

Although NetWitness said that it was difficult to determine the exact size of the botnet, it measured 74 126 unique IDs at one point in time. Covering almost 200 countries, the botnet compromised the greatest percentage of computers in Egypt: one in five compromised computers was located in that country. Mexico, Saudi Arabia, Turkey, and the US were the next most affected, in that order.

An analysis of domain names and IP addresses suggested that the criminal group behind this enterprise was the same one that specifically targeted the government sector via phishing emails earlier this month. Command and control systems for the two botnets resided on the same server, NetWitness said.

"This activity shows that this miscreant group is not only using exploit kits to steal banking login credentials and propagate their malware, but is now also targeting government agencies with convincing phishing emails (that correctly identify existing projects) with a high degree of success," the company said.

Significantly, NetWitness identified a high level of crossover between Kneber and the Waledac peer-to-peer spamming botnet, which is often used as a delivery mechanism for additional malware. "The sheer amount of Waledac traffic in the data set suggests a possible link between the Zeus infrastructure and the Waledac botnet and their respective controlling entities," NetWitness suggested.

Windows XP Professional SP 2 was by far the most targeted operating system, although Vista Home Edition SP 2 was also vulnerable to attack, and even embedded Windows systems were exploited, along with versions of Windows Server. The botnet focused heavily on the theft of credentials, with Facebook and Yahoo targeted the most. However, almost 2000 unique encryption certificates used for access to banking and corporate VPNs were stolen, and login credentials for a wide variety of banking sites were also targeted.