NetWitness Discovers Massive ZeuS Compromise
Herndon, VA — February 18, 2010
"Kneber Botnet" Targets Corporate Networks and Credentials
NetWitness, the world leader in advanced persistent threat detection and real-time network forensics, announced today that its analysts have discovered a dangerous new ZeuS botnet affecting 75,000 systems in 2,500 organizations around the world. The newly-discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities.
NetWitness first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines.
Discussing the importance of the Kneber botnet, Amit Yoran, CEO of NetWitness and former Director of the National Cyber Security Division, said, "While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet. These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew quietly and diligently target and compromise thousands of government and commercial organizations across the globe. Conventional malware protection and signature based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats. Organizations which focus on compliance as the objective of their information security programs and have not kept pace with the rapid advances of the threat environment will not see this Trojan until the damage already has occurred. Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks."
"Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information," stated Alex Cox, the Principal Analyst at NetWitness responsible for uncovering the Kneber-bot, "but that viewpoint is naive. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS and consider more diverse mission objectives."
Over half the machines infected with Kneber also were infected with Waledac, a peer to peer botnet. The coexistence of ZeuS and Waledac suggests the goals of resilience and survivability and potential deeper cross-crew collaboration in the criminal underground.
"NetWitness enables the discovery of malicious code like Kneber - before things get critical and valuable data is lost," said Cox. "It is 100% certain that many organizations have no idea they are victimized by these types of problems because they're just not tooled to see them on their networks. The Kneber botnet is just one category of advanced threat that organizations have been facing the past few years that they are still largely ignorant or blind to today."
To download a copy of the NetWitness Kneber whitepaper, visit http://www.netwitness.com.
About EMC
EMC Corporation (NYSE: EMC) is the world’s leading developer and provider of information infrastructure technology and solutions that enable organizations of all sizes to transform the way they compete and create value from their information. Information about EMC’s products and services can be found at www.EMC.com.
EMC, RSA, enVision, Data Loss Prevention Suite, are registered trademarks; RSA CyberCrime Intelligence Service and Archer eGRC platform are trademarks of EMC Corporation. All other product and company names herein may be trademarks of their respective owners.
This release contains “forward-looking statements” as defined under the Federal Securities Laws. Actual results could differ materially from those projected in the forward-looking statements as a result of certain risk factors, including but not limited to: (i) adverse changes in general economic or market conditions; (ii) delays or reductions in information technology spending; (iii) our ability to protect our proprietary technology; (iv) risks associated with managing the growth of our business, including risks associated with acquisitions and investments and the challenges and costs of integration, restructuring and achieving anticipated synergies; (v) fluctuations in VMware, Inc.’s operating results and risks associated with trading of VMware stock; (vi) competitive factors, including but not limited to pricing pressures and new product introductions; (vii) the relative and varying rates of product price and component cost declines and the volume and mixture of product and services revenues; (viii) component and product quality and availability; (ix) the transition to new products, the uncertainty of customer acceptance of new product offerings and rapid technological and market change; (x) insufficient, excess or obsolete inventory; (xi) war or acts of terrorism; (xii) the ability to attract and retain highly qualified employees; (xiii) fluctuating currency exchange rates; (xiv) litigation that we may be involved in; and (xv) other one-time events and other important factors disclosed previously and from time to time in EMC’s filings with the U.S. Securities and Exchange Commission. EMC disclaims any obligation to update any such forward-looking statements after the date of this release.