Massive Hack Attack Shows Major Flaws in Today's Cybersecurity

"The ZeuS Compromise" may sound like a great movie, but it's actually a newly uncovered, massive hacking network -- and it's a doozy, affecting more than 74,000 PCs in 2,400 business and government systems around the world.

And it's still up and running.

But worse, the security analysts who detected the underground network believe the criminals behind it aren't even after money. Instead they have built a secret underground network to rent out to gangs, cybercrooks -- and even rogue governments.


Detected by network-forensics firm NetWitness, the newly discovered infestation, dubbed the "Kneber botnet" after the username linking the infected computers, gathers login credentials for online financial systems, social networking sites and e-mail systems from infected computers. It reports that information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities.


Information compiled by NetWitness showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.

Merck and Cardinal Health have isolated and contained the problem, the companies report. But the Wall Street Journal revealed that people familiar with the attack have named several other infected companies, including Paramount Pictures and software company Juniper Networks.

The computers were infected with spyware called ZeuS, which is freely available on the Internet. It lets hackers record keystrokes and control computers remotely. A company engineer uncovered the scheme Jan. 26 while installing technology for a large corporation to hunt for cyberattacks.

The problem goes far beyond money, however, NetWitness CTO Eddie Schwartz told "In the past, the issue was stealing banking credentials. This attack was focused on general user names and passwords across a wide variety of networks." And Schwartz points out, "the financial services stuff paled in comparison to the social networking compromises."

Why Facebook and Yahoo log-in information? The unknown criminals behind this attack seem focused on building a multi-use network with many potential uses that can be rented out to the highest bidder. It's well known that an underground criminal datamart exists where vast harvests of account numbers, e-mail and social network accounts, and other data can be bought and sold, said Schwartz.

"It's as if you were running a chop shop, and people started bringing you random cars. You become known as the guy who has a lot of cars and parts," he explained. The ultimate goal of these criminals may be to build a network that can harvest the data for these markets.

NetWitness points out that over half the machines infected with Kneber were also infected with Waledac, a peer-to-peer botnet. The coexistence of ZeuS and Waledac suggests the operators are aiming for resilience and survivability, and may point to deeper collaboration between crews in the criminal underground.

Toralv Dirro, a security strategist with McAfee, explains that Kneber is not alone, pointing out that there are "a few thousands" of such networks. "With 75,000 machines, it's a big botnet, but we've seen much bigger, unfortunately." He also confirmed the nefarious end goal of this network: "It's common that people rent botnets out," said Dirro.

Schwartz speculated about potential consumers for data stolen via the Kneber botnet: "There's no reason this type of underground data wouldn't be sold to anyone -- including an intelligence gathering network" or a government agency, he explained.

The data the company uncovered also included complete dossiers on individuals, noted Schwartz: "Imagine if I interviewed you for three hours and asked every question I could think of. That kind of data existed on individuals, not just in top tech companies but in government agencies too."

"Around about 4 million new computers are being added to these botnets each month," Dirro told "Companies need to be aware that not just consumer machines but users inside corporate networks are becoming part of these networks." He hopes these latest revelations inspire companies to become more proactive about protection.

Schwartz agrees, noting that his company's software is more effective at detecting this type of attack than many common commercial packages, which often rely upon databases of known threats. NetWitness Investigator software instead acts like an instant replay button for your network, letting analysts "mine" through the traffic to look for irregular activity.

He believes that government agencies are better prepared against these attacks than private industry, however.

"The right people in the government have a keen awareness of what it takes to monitor this stuff, and secure the networks appropriately. But the public / private issue continues to be one that's unresolved. There continues to be a lot of data available to the government that's not widely available to industry."

And until that changes, beware of the bots.