Massive botnet may have snared some agency systems

Security firm's report says 10 agencies among 2,500 victim organizations

Approximately 75,000 computer systems at roughly 2,500 organizations worldwide – including 10 U.S. federal agencies – have been caught in a massive global scheme to gather log-in credentials and steal data, according to the computer security firm NetWitness.

NetWitness discovered the "Kneber botnet," named for a user name that links the infected systems, in January during a deployment of the firm's monitoring solutions. The data discovered appears to be from one month of the botnet's operations, the firm said. Nearly 70,000 log-in credentials to e-mail systems, online banking sites and social networking sites, and 2,000 Secure Sockets Layer certificate files were found.

The discovery involved a server based in Germany, but there were 19 other command and control servers that could control the computers, said Eddie Schwartz, chief security officer for NetWitness, in a telephone interview today with Federal Computer Week. Other servers were based in Ukraine, Panama, China and the United States, he said. 

NetWitness’s findings were first reported by The Wall Street Journal.

Schwartz said the organizations affected were predominantly commercial, but he confirmed that 10 agencies were also among those compromised by end-user activities. Schwartz said the agencies were both military and civilian, but they aren't national security-related based on the data the firm has seen. He declined to name any of the agencies.

According to NetWitness, the five countries with the most compromised machines are Egypt, Mexico, Saudi Arabia, Turkey and the United States. However, the botnet spans 196 countries.

“This compromise, the scope of global penetration and the sheer magnitude of the collected data illustrates the inadequacy of signature-based network monitoring methods used by most commercial and public-sector organizations today,” a Feb. 17 NetWitness report on the botnet states.

The format and structure of the logged data indicate that a ZeuS Trojan botnet is being used for the exploits, the firm said. Perpetrators can use ZeuS to target specific information by capturing data from Web forms, identifying traffic before it is encrypted and picking out cookies, among other means, according to NetWitness.

Schwartz said machines can get infected with the botnet through classic techniques such as opening files with embedded malware or through Web sites injected with exploit kits. Meanwhile, NetWitness believes the botnet is ongoing, with some components of it remaining in full operation when last checked a few days ago, he added.

NetWitness has been in touch with the victim organizations and federal authorities regarding the botnet's discovery, Schwartz said. “Organizations do need to realize that there is a high level of what the military calls situational awareness [that] they need to apply to their network,” he said.

“Just relying on the current countermeasures is just not cutting it, and certainly the government is aware of this. I mean the government, at least a lot of agencies, really are leading the way on a lot of this stuff,” he added. “Maybe that’s a good indicator too of why the government wasn’t hit more heavily, who knows.”

The Homeland Security Department’s United States Computer Emergency Readiness Team (US-CERT) doesn’t comment on actual or alleged incidents. However, a DHS spokesperson said ZeuS is among US-CERT’s top five reported malware infections.

According to US-CERT, the Kneber botnet is an adaptation of the ZeuS crimeware kit and the organization has received limited reporting of possible infections, the spokesperson said. US-CERT is analyzing malicious code, tactics and techniques used by the botnet and the organization has shared its technical understanding of this attack with the federal and private sectors, the official said.

Meanwhile, US-CERT released an updated Situational Awareness Report on ZeuS activity on Feb. 3. The release of that report and heightened awareness contributed to a minimization of infection rates at agencies, the spokesperson said.

About the Author

Ben Bain is a reporter for Federal Computer Week.
