As social networking grows in popularity among healthcare professionals, so does it grow as a target for computer hackers and identity thieves. This is a massive problem for one obvious reason: while the online social world is dominated by casual computer users, even drawing in those who had no previous interest in online gaming or shopping, the community of hackers and thieves is among the most sophisticated technophiles in the world. This is an unfortunate pairing of people easily deceived with masters of deception.

Glossary
Botnet: A collection of software robots, or bots, that run autonomously and often maliciously. Hackers who assemble a sufficient number of unsuspecting PCs into a botnet can rent time on them to the highest bidder.
ZeuS: A trojan horse and botnet system designed to steal information from an infected computer. It records specific, targeted keystrokes on the infected computer and relays them to remote computers.
Kneber: Also known by the internal name "BTN1," the default name given to ZeuS botnets. "Kneber" is the username linking the infected systems worldwide. NetWitness estimates it has been operating since March 2009.
Waledac: A peer-to-peer spamming botnet often used to deliver additional malware to PCs. Waledac can reinstall Kneber and vice versa.
Origin of Attack: By associating domain names with IP addresses, NetWitness was able to tie the attack to a global network of servers, with a clear focus on Chinese IP addresses.
Targeted Countries: The top five sources of compromised computers: Egypt, Mexico, Saudi Arabia, Turkey, United States.
Type of PC Infected: The ZeuS bot is purpose-built to infect the Microsoft Windows operating system. The top five versions of Windows infected: XP Pro SP2, XP Pro SP3, XP Home SP3, XP Home SP2, Vista Home SP2.
Information Stolen: Over 68,000 credentials during one 4-week period. The top six credential sources stolen: netlog.com, sonico.com, metroflog.com, hi5.com, yahoo.com, facebook.com. Facebook tops the list of networking sites attacked. One energy company lost 65MB of data in one 12-hour period.
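The "Origin of Attack" and "Targeted Countries" entries describe an analyst pivot: domains that resolve to shared IP addresses are treated as one piece of attacker infrastructure, and every internal host that contacted any domain in that cluster is counted, then broken down by country. The script below is an added illustration of that pivot, not NetWitness code or data; the domains, IPs, host names and countries are constructed sample values.

```python
from collections import defaultdict, Counter

# Constructed sample data (not from the report). Passive-DNS style
# resolutions seen on the monitored network, and which internal host
# contacted which domain. Domains sharing an IP are linked transitively.
RESOLUTIONS = [
    ("upd-check.example", "203.0.113.10"),
    ("stats-sync.example", "203.0.113.10"),
    ("stats-sync.example", "198.51.100.7"),
    ("cfg-pull.example", "198.51.100.7"),
    ("cdn.legit.example", "192.0.2.50"),   # unrelated infrastructure
]
BEACONS = [  # (internal host, country code, domain contacted)
    ("ws-041", "EG", "upd-check.example"),
    ("ws-077", "MX", "cfg-pull.example"),
    ("ws-102", "US", "stats-sync.example"),
    ("ws-003", "US", "cdn.legit.example"),
]


def infrastructure_clusters(resolutions):
    """Connected components of the bipartite domain/IP graph."""
    adj = defaultdict(set)
    for domain, ip in resolutions:
        adj[domain].add(ip)
        adj[ip].add(domain)
    seen, clusters = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adj[node])
        clusters.append(frozenset(component))
    return clusters


def hosts_touching(seed_domain, resolutions, beacons):
    """Hosts that contacted any domain sharing infrastructure with seed_domain,
    plus a per-country count in the style of the report's top-countries list."""
    cluster = next((c for c in infrastructure_clusters(resolutions)
                    if seed_domain in c), frozenset())
    hits = {(host, cc) for host, cc, dom in beacons if dom in cluster}
    return sorted(h for h, _ in hits), Counter(cc for _, cc in hits)
```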
NetWitness first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines.
Discussing the importance of the Kneber botnet, Amit Yoran, CEO of NetWitness and former Director of the National Cyber Security Division, said, "While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet. These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe. Conventional malware protection and signature-based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats. Organizations which focus on compliance as the objective of their information security programs and have not kept pace with the rapid advances of the threat environment will not see this Trojan until the damage already has occurred. Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks." (emphasis added)
"Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information," stated Alex Cox, the Principal Analyst at NetWitness responsible for uncovering the Kneber-bot, "but that viewpoint is naive. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS and consider more diverse mission objectives."
Over half the machines infected with Kneber were also infected with Waledac, a peer-to-peer botnet. The coexistence of ZeuS and Waledac suggests the operators were aiming at resilience and survivability, and possibly at deeper cross-crew collaboration in the criminal underground.
"NetWitness enables the discovery of malicious code like Kneber - before things get critical and valuable data is lost," said Cox. "It is 100% certain that many organizations have no idea they are victimized by these types of problems because they're just not tooled to see them on their networks. The Kneber botnet is just one category of advanced threat that organizations have been facing the past few years that they are still largely ignorant or blind to today."
NetWitness has made a whitepaper available at http://www.netwitness.com/resources/kneber.aspx. Registration is required for download.
About NetWitness
NetWitness® Corporation offers services in real-time network forensics and automated threat intelligence solutions, helping government and commercial organizations detect, prioritize and remediate complex IT risks. NetWitness products target information security problems including: advanced persistent threat management; sensitive data discovery and advanced data leakage detection; malware activity discovery; insider threat management; policy and controls verification and e-discovery. Originally developed for the US Intelligence Community, NetWitness has evolved to provide enterprises around the world with network content analysis and host-based risk discovery and prioritization. NetWitness customers include Defense, National Law Enforcement and Intelligence Agencies, Top US and European Banks, Critical Infrastructure, and Global 1000 organizations. NetWitness has offices in the U.S. and the U.K. and partners throughout North and South America, Europe, the Middle East, and Asia.