A massive botnet tying together more than 74,000 zombiefied PCs around the world was exposed Thursday, part of a secret underground network for rent to cybercrooks worldwide. But don't look for info on how to detect and eliminate it, or you could get caught up by "poisoned" searched results.
The newly uncovered, massive hacking network, dubbed the Kneber botnet the "Kneber botnet" after the username linking the infected computers, was detected and unveiled by network-forensics firm NetWitness,
The security analysts believe the criminals behind it aren't after money. Instead they have built a secret underground network to rent out to gangs, cybercrooks -- and even rogue governments. And it's still up and running.
Security software vendor Symantec warns of caution in the wake of the scam, however, explaining that scammers often poison search results for those hunting for safe tools to detect and remove the infection.
Search for "Kneber Botnet Removal" and you're likely to click on results that will actually infect your computer with fake anti-virus software.
In a post to Symantec's Security Response blog, Kevin Haley writes of "cybercriminals seeking to exploit computer users' fears -- spurred by all of the coverage that this threat is receiving -- by poisoning search engine results for keywords such as Kneber Botnet Removal."
In fact, warns Haley, the highest ranked result on Google using these search terms led to a site hosting rogue antivirus software. Symantec has posted a separate page with detailed instructions on how to remove the bot, which it refers to more generally as Trojan.Zbot.
Several Known Kneber Infections
Information compiled by NetWitness showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.
Merck and Cardinal Health have isolated and contained the problem, the companies report. But the Wall Street Journal revealed that people familiar with the attack have named several other infected companies, including Paramount Pictures and software company Juniper Networks.
The problem is far beyond just a money thing however, NetWitness CTO Eddie Schwartz told FoxNews.com. "In the past, the issue was stealing banking credentials. This attack was focused on general user names and passwords across a wide variety of networks." And Schwartz points out, "the financial services stuff paled in comparison to the social networking compromises."
Why Facebook and Yahoo log-in information? The unknown criminals behind this attack seem focused on developing a multi-use network that can be rented out to the highest bidder, a network with many potential uses. It's well known that an underground criminal datamart exists where vast harvests of account numbers, e-mail and social network accounts, and other data can be bought and sold, said Schwartz.
"It's as if you were running a chop shop, and people started bringing you random cars. You become known as the guy who has a lot of cars and parts," he explained. The ultimate goal of these criminals may be to build a network that can harvest the data for these markets.
NetWitness points out that over half the machines infected with Kneber were also infected with Waledac, a peer to peer botnet. And the coexistence of ZeuS and Waledac suggests the goals of resilience and survivability and potential deeper cross-crew collaboration in the criminal underground.
Toralv Dirro, a security strategist with McAfee, explains that Kneber is not alone, pointing out that there are "a few thousands" of such networks. "With 75,000 machines, its a big botnet, but we've seen much bigger, unfortunately." He also confirmed the nefarious end goal of this network: "It's common that people rent botnets out," said Dirro.
Schwartz speculated about potential consumers for data stolen via the Kneber botnet: "There's no reason this type of underground data wouldn't be sold to anyone -- including an intelligence gathering network" or a government agency, he explained.