Reports of a 75 000-strong botnet should not be of major concern to network administrators whose computers and networks have up-to-date security systems in place.
This is the word from Kaspersky Lab, responding to concerns raised by US-based IT security company NetWitness, which reported that its experts had discovered the Kneber botnet, comprising almost 75 000 infected computers.
Media reported this as a new threat, giving rise to a spate of rumors on the Internet, including news of a new Kneber virus which regular antivirus protection is unable to handle. It turns out that this ‘ultimate new weapon’ is a zombie network whose name is derived from the pseudonym Hilary Kneber which was used to register malicious Internet addresses. A cyber-criminal acting under this name did in fact infect, and control, a very large number of computers using the well-known ZeuS Trojan (also known as ZBot).
Dmitry Tarakanov, malware analyst at Kaspersky Lab, comments: “The ZBot Trojan is a tool which steals users’ confidential data, including logins and passwords to just about anything: email, social networks, online banking, online auctions, online exchanges etc., as well as credit card data and security certificates, sending all the data stolen from infected users to the cyber-criminal.”
The media emphasised numerous infections of computers which are part of corporate and government networks, mentioning that the networks of 2 500 organisations have been compromised.
ZeuS does not make any distinction between home users and corporate networks. “While it may be possible to check whether companies have malicious software on computers comprising their corporate networks, there is no way to get such statistics on home users. After all, you can’t visit each household to check if a computer is infected with Kneber’s ZBot. We have no data indicating that Kneber targets businesses and governmental organizations,” says Tarakanov.
Media conclusions, however, may be due to the fact that corporate networks are often based on outdated equipment running equally outdated software: whatever was purchased and installed four or five years ago is still up and running.
“Moreover, these days malware tends to conceal its presence, so it is unlikely anyone will notice an infection unless they take the necessary security precautions,” Tarakanov adds. “Outdated equipment has to make use of outdated software, which results in exploits making use of well known vulnerabilities.
“An infection scenario in this case probably goes something like this: spam is sent to a corporate email address, employees click the link in the message and the Web site it leads to turns out to be malicious. As all employees use the same outdated, corporate software, an exploit from the malicious site is activated and the entire company is infected.
“The report states that the vast majority of the computers falling victim to the Kneber botnet were located in the Middle East (Egypt, Saudi Arabia, Turkey and Kuwait). These countries are known to Kaspersky Lab experts for their high level of network worms. These worms also exploit vulnerabilities in outdated systems where the latest updates haven’t been installed. We have here a far from pleasant situation – malicious spam plus outdated software and/or network worms that are spreading around a local network and downloading ZeuS from the Internet. The result is a mass infection by the same Trojan and a large-scale botnet.
“According to our latest data, the Middle East is not the only region suffering from poor corporate security policies; the US and Mexico are also among the countries worst hit,” he adds.
Kaspersky Lab’s experts have long known about ZeuS, says Tarakanov. They have been watching its development and tracking the emergence of new variants.
“For those users worried about getting infected, there is only the usual piece of advice: make sure your computer is secure. Second-rate protection, a superficial knowledge of computer security and a casual attitude will be punished by modern cyber threats,” he adds.