
Zeus gang hits 75 000 computers

18 February 2010

The same criminal gang that targeted government and military computers with its malware has also infected 75 000 computers in almost 200 countries with a virulent strain of the banking trojan, according to research from network monitoring company NetWitness.

The botnet, known as Kneber after an email address used to register malicious domains, targeted 2400 organizations across the globe, with 374 based in the US. Internet service providers, energy companies, federal government agencies, and financial institutions all suffered from the attack.

According to the white paper on the botnet published by NetWitness, the Zeus strain used in the attack was detected by fewer than 10% of all antivirus products, and existing intrusion detection systems failed to pick up the botnet communication.

"This compromise, the scope of global penetration and the sheer magnitude of the collected data illustrates the inadequacy of signature-based network monitoring methods used by most commercial and public sector organizations today," NetWitness said in the report.

Although NetWitness said that it was difficult to determine the exact size of the botnet, it measured 74 126 unique IDs at one point in time. Covering almost 200 countries, the botnet compromised the greatest percentage of computers in Egypt: one in five compromised computers was located in that country. Mexico, Saudi Arabia, Turkey, and the US were the next most affected, in that order.

An analysis of domain names and IP addresses suggested that the criminal group behind this enterprise was the same one that specifically targeted the government sector via phishing emails earlier this month. Command and control systems for the two botnets resided on the same server, NetWitness said.

"This activity shows that this miscreant group is not only using exploit kits to steal banking login credentials and propagate their malware, but is now also targeting government agencies with convincing phishing emails (that correctly identify existing projects) with a high degree of success," the company said.

Significantly, NetWitness identified a high level of crossover between Kneber and the Waledac peer-to-peer spamming botnet, which is often used as a delivery mechanism for additional malware. "The sheer amount of Waledac traffic in the data set suggests a possible link between the Zeus infrastructure and the Waledac botnet and their respective controlling entities," NetWitness suggested.

Windows XP Professional SP 2 was by far the most targeted operating system, although Vista Home Edition SP 2 was also vulnerable to attack, and even embedded Windows systems were exploited, along with versions of Windows Server. The botnet focused heavily on the theft of credentials, with Facebook and Yahoo targeted the most. However, almost 2000 unique encryption certificates used for access to banking and corporate VPNs were stolen, and login credentials for a wide variety of banking sites were also targeted.
