Massive botnet may have snared some agency systems

Security firm's report says 10 agencies among 2,500 victim organizations

Approximately 75,000 computer systems at roughly 2,500 organizations worldwide – including 10 U.S. federal agencies – have been caught in a massive global scheme to gather log-in credentials and steal data, according to the computer security firm NetWitness.

NetWitness discovered the "Kneber botnet," named for a user name that links the infected systems, in January during a deployment of the firm's monitoring solutions. The data discovered appears to be from one month of the botnet's operations, the firm said. Nearly 70,000 log-in credentials to e-mail systems, online banking sites and social networking sites, and 2,000 Secure Sockets Layer certificate files were found.

The discovery involved a server based in Germany, but there were 19 other command and control servers that could control the computers, said Eddie Schwartz, chief security officer for NetWitness, in a telephone interview today with Federal Computer Week. Other servers were based in Ukraine, Panama, China and the United States, he said.

NetWitness’s findings were first reported by The Wall Street Journal.

Schwartz said the organizations affected were predominantly commercial, but he confirmed that 10 agencies were also among those compromised by end-user activities. Schwartz said the agencies were both military and civilian, but they aren’t national security-related based on the data the firm has seen. He declined to name any of the agencies.

According to NetWitness, the five countries with the most compromised machines include: Egypt, Mexico, Saudi Arabia, Turkey and the United States. However, the botnet spans 196 countries.

“This compromise, the scope of global penetration and the sheer magnitude of the collected data illustrates the inadequacy of signature-based network monitoring methods used by most commercial and public-sector organizations today,” a Feb. 17 NetWitness report on the botnet states.

The format and structure of the logged data indicate that a ZeuS Trojan botnet is being used for the exploits, the firm said. Perpetrators can use ZeuS to target specific information by capturing data from Web forms, identifying traffic before it is encrypted and picking out cookies, among other means, according to NetWitness.

Schwartz said machines can get infected with the botnet through classic techniques such as opening files with embedded malware or through Web sites injected with exploit kits. Meanwhile, NetWitness believes the botnet is ongoing, with some components of it remaining in full operation when last checked a few days ago, he added.

NetWitness has been in touch with the victim organizations and federal authorities regarding the botnet's discovery, Schwartz said. “Organizations do need to realize that there is a high level of what the military calls situational awareness [that] they need to apply to their network,” he said.

“Just relying on the current countermeasures is just not cutting it, and certainly the government is aware of this. I mean the government, at least a lot of agencies, really are leading the way on a lot of this stuff,” he added. “Maybe that’s a good indicator too of why the government wasn’t hit more heavily, who knows.”

The Homeland Security Department’s United States Computer Emergency Readiness Team (US-CERT) doesn’t comment on actual or alleged incidents. However, a DHS spokesperson said ZeuS is among US-CERT’s top five reported malware infections.

The Kneber botnet is an adaptation of the ZeuS crimeware kit, and US-CERT has received limited reporting of possible infections, the spokesperson said. US-CERT is analyzing the malicious code, tactics and techniques used by the botnet and has shared its technical understanding of this attack with the federal and private sectors, the official said.

Meanwhile, US-CERT released an updated Situational Awareness Report on ZeuS activity on Feb. 3. The release of that report and heightened awareness contributed to a minimization of infection rates at agencies, the spokesperson said.

About the Author

Ben Bain is a reporter for Federal Computer Week.
