A computer botnet is known to have breached almost 75,000 computers in 2,500 organizations around the world, including user accounts of popular social network Web sites, according to Internet security firm NetWitness.
The "Kneber botnet," as it's known, gathers login credentials to online financial systems, social networking sites and e-mail systems from infected computers and reports the information back to hackers, NetWitness said in a statement. (See "What to do" below.)
As proof of how quickly news of the problem spread, security software maker Symantec said it is "starting to see signs of scammers poisoning search results for 'Kneber Botnet Removal,' meaning those people who do a search for that term are likely to click on results that will actually infect their computer with fake anti-virus software," according to a spokesman.
A botnet is an army of infected computers that hackers control remotely through a central command-and-control machine.
NetWitness said the attack was first discovered in January during a routine deployment of the company's security software.
Further investigation by the Herndon, Va.-based firm revealed that many commercial and government systems were compromised, including 68,000 corporate login credentials and access to e-mail systems, online banking sites, Yahoo, Hotmail and social networks such as Facebook.
Companies that were infiltrated included pharmaceutical giant Merck & Co., Cardinal Health Inc., software firm Juniper Networks and Paramount Pictures, the Wall Street Journal reported Thursday.
The newspaper said that the hackers, believed to be an East European criminal group, also broke into computers at 10 U.S. government agencies and that in one case they obtained the user name and password for a soldier's military e-mail account.
Botnets getting 'more sophisticated'
"In the world of cybersecurity, the Kneber botnet is, unfortunately, just another botnet," Joris Evers, spokesman for McAfee, which makes security software, told msnbc.com. "Just like in the world of physical crime, a robbery is just another robbery. With 75,000 infected machines, Kneber is not even that big; there are much larger botnets out there."
Johannes Ullrich, chief research officer for the SANS Institute, a national organization that does information security training, research and certification, said the Kneber botnet — called "Kneber" for the user name linking the infected systems worldwide — is based on the ZeuS botnet, which "has been around for quite a while now and is just the latest iteration of these more and more sophisticated botnets."
For a corporate network, "limiting and monitoring outbound traffic is a useful strategy to limit the damage a bot like ZeuS can do," Ullrich said. "In addition, financial information should be reviewed and monitored closely."
NetWitness CEO Amit Yoran said in a statement that "Conventional malware protection and signature-based intrusion detection systems are, by definition, inadequate for addressing Kneber or most other advanced threats."
Computer systems "compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks," Yoran said.
Getting 'easier' to be a cybercriminal
"Unfortunately, it gets easier all the time to become a cybercriminal," McAfee noted in a recent report. "Online toolkits, often originating in Russia, make it easy for first-time crooks to get into the botnet business."
Botnets, said Evers, "are one of the most common means of distributing spam and malware." The robots are the millions of compromised machines around the world, and botnets "have evolved considerably during the past six years."
"This isn't a new threat," said a Symantec spokesman. "Kneber is the same as the ZeuS bot, which Symantec has been monitoring and has had various detections for a while now."
"Toolkits" for creating the botnet "are widely available on the underground economy," he said, and it "is not uncommon for attackers to create new strains, such as Kneber, of the overall ZeuS botnet."
"Though it is true that this Kneber strain of the overall ZeuS botnet is fairly large, it does not involve any new malicious threats," he said. "Computer users with up-to-date security software should already be protected from this threat."
Ullrich agreed, saying, "The sad part about this is that it is really not that new."
Users "should rely more on common sense than anti-virus software when deciding if a link or software is malicious," he said. "Sadly, anti-virus software has been shown to be largely ineffective these days."
Ullrich said that ZeuS "has been pretty successful when it comes to tricking users into willingly installing the malware."
In particular, he said, "the integration of social networking made it more plausible for users to install the malware. Most users are aware by now of the dangers of e-mail attachments. But few understand that a hijacked Facebook account can be used to spread similar malware."
What to do
Ullrich's advice, "for more technically savvy users," is to check a registry value that lists the programs Windows runs as a user logs in. It is the "Userinit" value under the Winlogon key, he said, at this path:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
On an unmodified system the value is a comma-separated list containing only the stock logon program, normally C:\Windows\system32\userinit.exe followed by a trailing comma; any additional entry deserves scrutiny.
"ZeuS will add itself to the list, typically as 'ntos.' But this name may, of course, change at any time. Some anti-spyware will monitor this key for changes. Whenever anti-malware alerts the user about a change, the user should be highly suspicious. But frequently, the alert is quite cryptic."
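The registry check described above, written out as an added PowerShell example; it is not from the article or from NetWitness, SANS, McAfee or Symantec. It assumes a standard Windows install where the only legitimate Userinit entry is %SystemRoot%\system32\userinit.exe, and the baseline file location is a hypothetical choice for this example. Beyond the article's advice it also records the raw value once and reports later changes in plain words, which is the "monitor this key for changes" behaviour Ullrich attributes to some anti-spyware.

```powershell
# Added example, not code from the article or any vendor named in it.
# Inspects the Winlogon "Userinit" value that ZeuS appends itself to (typically as "ntos").
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$BaselinePath = Join-Path $env:ProgramData 'userinit-baseline.txt'   # hypothetical location

function Get-UserinitEntries {
    # The value is a comma-separated list of programs Winlogon runs at logon;
    # the stock value ends with a trailing comma, so empty entries are dropped.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name 'Userinit').Userinit
    [pscustomobject]@{
        Raw     = $raw
        Entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    }
}

function Test-Userinit {
    # Report every entry that is not the stock userinit.exe, with where it resolves to,
    # whether the file exists, and its Authenticode signature status.
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $info = Get-UserinitEntries
    foreach ($entry in $info.Entries) {
        if ($entry -ieq $expected) { continue }
        # Entries may be quoted, relative ("ntos") or carry arguments; take the first token as the path.
        $path = ($entry -replace '^"([^"]+)".*$', '$1') -replace '\s.*$', ''
        $resolved = if ([IO.Path]::IsPathRooted($path)) { $path }
                    else { Join-Path (Join-Path $env:SystemRoot 'system32') $path }
        $sig = if (Test-Path -LiteralPath $resolved) {
                   (Get-AuthenticodeSignature -FilePath $resolved).Status
               } else { 'FileMissing' }
        $name = [IO.Path]::GetFileName($path)
        [pscustomobject]@{
            Entry     = $entry
            Resolved  = $resolved
            Signature = $sig
            Verdict   = if ($name -imatch '^ntos(\.exe)?$') { 'Matches the name ZeuS used' }
                        else { 'Unexpected entry; investigate' }
        }
    }
}

function Compare-UserinitBaseline {
    # Store the raw value on the first run; on later runs report any change verbatim.
    $raw = (Get-UserinitEntries).Raw
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        Set-Content -LiteralPath $BaselinePath -Value $raw
        return "Baseline recorded: $raw"
    }
    $old = (Get-Content -LiteralPath $BaselinePath -Raw).Trim()
    if ($old -eq $raw) { return "Userinit unchanged: $raw" }
    return "Userinit CHANGED`n  was: $old`n  now: $raw"
}

$findings = Test-Userinit
if ($findings) { $findings | Format-Table -AutoSize }
else { 'Userinit contains only the stock userinit.exe.' }
Compare-UserinitBaseline
```

Run it from an elevated PowerShell prompt so the baseline file can be written and the signature check can read system32. A clean machine prints the "only the stock userinit.exe" line; an entry that resolves to a missing file, an unsigned binary, or a name like ntos.exe is the signal Ullrich describes. As he notes, the name can change at any time, so treat any non-stock entry as suspect rather than relying on the name match alone.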
There are other "less technical ways" to detect the botnet, he said. "For example, the bot may inject additional pages into online banking login screens. If the user is all of a sudden asked for a secret question, Social Security number or other unusual items during the login process, abort the login, and call your bank or try the login from another computer."
Evers of McAfee said users should "practice common sense," including "don’t click on suspicious links in e-mail, instant messages or those that arrive via social media," such as Facebook or Twitter.
"Running a scan of your machine should let you know if you’re infected," he said. "You can use the McAfee Cybercrime Response Unit at no cost to run a scan and get help if you think you might be the victim of a cybercrime. The Cybercrime Response Unit is available to anyone in the U.S. at no cost."