Researchers: Botnet infects thousands of government computers

SAN FRANCISCO — Researchers at Finjan Software Inc. reported today the discovery of a new botnet of nearly 2 million infected computers — many of them in U.S. government networks.

The botnet, apparently controlled from Ukraine, includes IP addresses from 77 government domains mainly in the United States, said Ophir Shalitin, Finjan’s marketing director, at the RSA security conference. Fifty-one are U.S. government domains, he added. “It is being spread primarily through legitimate Web sites that have been infected.”

The Trojan responsible for the infections, named Seneka, appears to be targeting English-language Web sites. The United States has the most infections, with 45 percent of the total number of compromised computers, followed by the United Kingdom with 6 percent and Canada with 4 percent.

“We have acted on this,” Shalitin said. Finjan has informed law enforcement agencies in the United States and the United Kingdom, as well as organizations with large infections. There have been immediately visible results from that notification, he said. “The rate of infections is high, and more people are becoming infected.”

Finjan said data on the botnet’s command and control server showed 1.95 million infections as of March 18.

“We have seen this number increasing during our research, on an hourly basis,” the company said.

“Botnet” is the term for a network of compromised computers that can be remotely controlled from a central server or servers. Once a computer is infected, additional malicious code can be downloaded to it, along with commands to gather information, launch attacks or send spam. Botnets can be rented in whole or in part by their controllers to online criminals.

“To what extent information has been collected, I don’t know,” Shalitin said. But “we have a lot of information on what kind of malware has been used.”

Researchers found a log of three dozen files that had been loaded onto infected computers. “Overall, the cyber gang can remotely execute anything it likes on the infected computers,” the company said.

The botnet was discovered when open folders on a server hosted in Ukraine were found by researchers at Finjan’s Malicious Code Research Center. The Seneka Trojan exploits a variety of vulnerabilities to infect legitimate Web sites, then scans visiting browsers for multiple vulnerabilities through which to infect them.

One Trojan that was loaded onto bots was discovered by only four of 39 antivirus products that it was tested against.

Seneka is not using zero-day attacks to infect Web sites and computers but instead exploits known vulnerabilities for which patches are available, Shalitin said. This means that both the client and server side can protect themselves by updating patches. Web sites also can use content inspection tools to ensure that malicious code is not making its way onto sites and engaging in unauthorized behavior.
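The server-side defense the article closes with, content inspection of a site's own pages, can be approximated with a small integrity check. The following is an added example, not code from Finjan or from the article: it parses a served page, lists every `<script>` and `<iframe>` source, flags any whose host is not on an operator-maintained allowlist of expected origins, and diffs the page against a known-good baseline so that newly appearing resources or extra inline scripts stand out. The allowlist contents, the `*.invalid` host and both HTML samples are constructed for the demonstration.

```python
"""Added example: page-integrity check for a site operator.

Parses the script/iframe resources a page references, compares them against an
allowlist of expected origins, and diffs the page against a stored baseline.
All hostnames and HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: third-party origins the operator expects to load from.
ALLOWED_ORIGINS = {"cdn.example.gov"}


class ResourceCollector(HTMLParser):
    """Collect (tag, src) for script/iframe elements and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.resources = []      # (tag, src) pairs in document order
        self.inline_scripts = 0  # <script> elements with no src attribute

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src is None:
            if tag == "script":
                self.inline_scripts += 1
        else:
            self.resources.append((tag, src))


def collect(html):
    """Parse a page and return the populated collector."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser


def origin_of(src):
    """Hostname of an absolute or protocol-relative URL; '' for same-origin paths."""
    host = urlparse(src).hostname
    return (host or "").lower()


def unexpected_resources(html, allowed_origins):
    """Return script/iframe sources served from a host not on the allowlist.

    Same-origin (relative) paths are treated as expected; only third-party
    hosts absent from the allowlist are reported.
    """
    findings = []
    for tag, src in collect(html).resources:
        host = origin_of(src)
        if host and host not in allowed_origins:
            findings.append((tag, src))
    return findings


def compare_to_baseline(baseline_html, current_html):
    """Diff a page against its known-good snapshot.

    Returns (new_resources, inline_script_delta): resources present now but not
    in the baseline, and the change in the number of inline <script> blocks.
    """
    base = collect(baseline_html)
    cur = collect(current_html)
    new_resources = sorted(set(cur.resources) - set(base.resources))
    return new_resources, cur.inline_scripts - base.inline_scripts


# Constructed sample pages: a clean baseline and the same page with an
# added hidden iframe and an inline script block.
BASELINE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.gov/lib.js"></script>
</head><body><p>Agency news</p></body></html>"""

MODIFIED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<iframe src="http://unknown-host.invalid/x.html" width="0" height="0"></iframe>\n'
    "<script>/* unexpected inline block */</script></body>",
)

if __name__ == "__main__":
    print("allowlist findings:", unexpected_resources(MODIFIED_PAGE, ALLOWED_ORIGINS))
    print("baseline diff:", compare_to_baseline(BASELINE_PAGE, MODIFIED_PAGE))
```

In practice the baseline would be captured at deploy time and the check run against what the server actually returns to a visitor, since an injected page looks normal in the repository but not on the wire; the allowlist check catches unknown hosts, and the baseline diff catches inline additions that carry no host at all.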

About the Author

William Jackson is a Maryland-based freelance writer.

Reader comments

Tue, Mar 16, 2010 James J. Finn Boston - USA

When will we learn that "Security" is a "State" of an information system in which nothing (data) can be used by anyone without an external and unique key!!! Encryption at the data level goes further than any other single technique to effect that end. Controlling the processing resources can bring things down (DOS) - but so can pulling out the plug or blowing a fuse. Fully secure servers have existed since the 1980s, but they are simply the digital equivalent of being disconnected from the internet. Jim Finn
