<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Kneber Botnet</title>
	<atom:link href="http://www.infowar-monitor.net/tag/kneber/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>@nartv: The Aurora Mess</title>
		<link>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/</link>
		<comments>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 23:36:37 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Attribution Problem]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Kneber Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5820</guid>
<description><![CDATA[Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> &#124; <a href="http://www.nartv.org/about/">Nart Villeneuve</a>

Tags: Aurora, Botnets, China, Google, Malware.

<blockquote>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in technical write up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic dns provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on C&#038;C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was behind the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because it is focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed, however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IP’s were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists — such as the one by US CERT — created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

    * it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> | <a href="http://www.nartv.org/about/">Nart Villeneuve</a></p>
<p>Tags: Aurora, Botnets, China, Google, Malware.</p>
<blockquote><p>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.</p>
<p>When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in technical write up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic dns provider that hands out sub-domains).</p>
<p>Maybe it is that some name domains that hosted the exploit but do not provide details on C&amp;C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably it is difficult to get a handle on exactly what is what.</p>
<p>Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.</p>
<p>Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was behind the attacks whether or not “amateurs” were used.</p>
<p>So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.</p>
<p>This brings me back to the Damballa report. I really liked this report because it is focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.</p>
<p>The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed, however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).</p>
<p>CnC_Domain.1<br />
CnC_Domain.2<br />
CnC_Domain.3<br />
CnC_Domain.4<br />
blog1.servebeer.com</p>
<p>At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IP’s were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.</p>
<p>baltika1.servebeer.com<br />
m7been.zapto.org<br />
miecros.info<br />
mcsmc.org<br />
yahoo.blogdns.net<br />
filoups.info<br />
google.homeunix.com</p>
<p>While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.</p>
<p>Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”</p>
<p>Fake AV Alert / Scareware<br />
mcsmc.org<br />
micronetsys.org<br />
mnprfix.cn<br />
filoups.info<br />
miecros.info</p>
<p>Fake Microsoft Antispyware<br />
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com<br />
ip-173-201-21-161.ip.secureserver.net<br />
inekoncuba.inekon.co.cu<br />
google.homeunix.com<br />
yahoo.blogdns.net<br />
voanews.ath.cx<br />
ymail.ath.cx</p>
<p>So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).</p>
<p>Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.</p>
<p>For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.</p>
<p>The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.</p>
<p>virtualmits.com<br />
syswa.cn<br />
thcway.info<br />
searchnix.info<br />
wscntgy.com<br />
google-analitics.in<br />
licagreem.in<br />
jusched.in</p>
<p>The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists — such as the one by US CERT — created? How were these domains bundled together?</p>
<p>In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.</p>
<p>I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?</p>
<p>Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:</p>
<p>* it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.<br />
* There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.</p>
<p>The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.</p>
<p>But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The &#8220;Kneber&#8221; Botnet, Spear Phishing Attacks and Crimeware</title>
		<link>http://www.infowar-monitor.net/2010/03/the-kneber-botnet-spear-phishing-attacks-and-crimeware/</link>
		<comments>http://www.infowar-monitor.net/2010/03/the-kneber-botnet-spear-phishing-attacks-and-crimeware/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 22:15:44 +0000</pubDate>
		<dc:creator>nvilleneuve</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Kneber Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Spear Phishing]]></category>
		<category><![CDATA[ZeuS Botnet]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5789</guid>
<description><![CDATA[by Nart Villeneuve (Chief Research Officer, SecDev.cyber) Introduction Targeted attacks, known as “spear phishing,” are increasingly exploiting government and military themes in order to compromise defense contractors in the United States. [1] In 2009, the Washington Post reported that unknown attackers were able to break into a defense contractor and steal documents pertaining to the [...]]]></description>
			<content:encoded><![CDATA[<p>by Nart Villeneuve (Chief Research Officer, SecDev.cyber)</p>
<p><strong>Introduction</strong></p>
<p>Targeted attacks, known as “spear phishing,” are increasingly exploiting government and military themes in order to compromise defense contractors in the United States. [1] In 2009, the Washington Post reported that unknown attackers were able to break into a defense contractor and steal documents pertaining to the Joint Strike Fighter being developed by Lockheed Martin Corp. [2] Google was compromised in January 2010 along with other hi-tech companies and defense contractors. [3] The problem is becoming increasingly severe. [4] In fact, the Department of Defense recently released a memo with plans to protect unclassified information passing through the networks of various contractors. [5] The memo recognizes the severity of the ongoing threat and seeks to:</p>
<blockquote><p>
Establish a comprehensive approach for protecting unclassified DoD information transiting or residing on unclassified DIB information systems and networks by incorporating the use of intelligence, operations, policies, standards, information sharing, expert advice and assistance, incident response, reporting procedures, and cyber intrusion damage assessment solutions to address a cyber advanced persistent threat. [5]
</p></blockquote>
<p>Netwitness revealed the existence of a Zeus-based botnet that had compromised over 74,000 computers around the world. Zeus is not a single botnet, rather it is a malware kit that allows anyone to easily create a botnet. It sells for $400 &#8211; $700 although there are older (and pirated) versions that cost considerably less or are publicly available for download. [6] Typically, the Zeus malware is used to steal banking credentials. [7] Because of the proliferation of the Zeus kit there are a wide variety of actors using Zeus – there is no single Zeus botnet, there is no one group behind the attacks. [8] In fact, botnet operators will often use multiple types of malware. [9]</p>
<p>Netwitness found that the command and control infrastructure for this botnet was primarily based in China and most of the compromised computers were in Egypt, Mexico, Saudi Arabia, Turkey and the United States. In addition to stealing banking credentials, attackers are now targeting the social networking credentials of members of the government and military as well as the employees of Fortune 500 companies. Netwitness revealed that many of the US compromises included government networks as well as Fortune 500 enterprises. [10] News reports revealed that ten U.S government agencies were compromised and several high profile companies were named including Merck, Cardinal Health, Paramount Pictures and Juniper Networks. [11]</p>
<p>The use of crimeware infrastructure for spear phishing attacks is certainly not a new development. Anti-Virus (AV) companies and members of the security community have downplayed the Kneber botnet suggesting that there has long been AV protection for this type of attack and that there is nothing particularly new about this botnet. [12] Furthermore, they argue that Kneber is not a particularly large Zeus-based botnet either, implying that the Kneber botnet is not deserving of the attention it has received. [13] While the media attention paid to the Kneber botnet has often been alarmist and sometimes inaccurate, the anti-virus coverage of the malware used in this attack was low (18/41 on Virustotal) &#8212; despite the fact that it was the well known Zeus malware kit. The way in which some are suggesting that AV has long protected users from this threat is troubling. Moreover, focusing solely on Zeus and not additional malware downloaded after Zeus obscures the relationship between generic and targeted attacks.</p>
<p>These events indicate that attacks that are often considered to be criminal in nature, such as the targeting of banking credentials of individuals, also pose persistent threats to those in the government and military sectors. Moreover, it is well understood that these attackers aim to maximize their financial gain from such attacks. If the data ex-filtrated is not simply bank account and credit card numbers but also credentials that can be used to access the internal networks of the victims, why wouldn&#8217;t they also sell that information? [14] As Netwitness states:</p>
<blockquote><p>
They are well organized, have demonstrated technical sophistication on par with many intelligence services and do not forgo the opportunity for financial gain with the information they collect. If they are collecting network credentials, it means they are using or selling them in an active underground economy – which may include sponsoring foreign intelligence services. What is easier? Designing a campaign like Operation Aurora, or simply purchasing access to your target companies? [15]
</p></blockquote>
<p>Moreover, Netwitness suggests that the attackers may have been after data other than simply banking, credit card or social networking credentials. In response to the critique from the security and AV community, Netwitness stated that “trivializing the damage done is simply disingenuous by anyone who has seen the types of data stolen from threats such as these.” [16] This implies that the data ex-filtrated by the attackers may have been particularly sensitive. In fact, the Wall Street Journal reported that:</p>
<blockquote><p>
At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products. [17]
</p></blockquote>
<p>One can understand the AV and security communities&#8217; skepticism. Zeus, after all, is very well known. However, our investigation found that not only were there high profile compromises, as suggested by Netwitness, but that the focus of the attack appears to have been the extraction of sensitive information, not just banking credentials.</p>
<p><strong>IWM Investigation </strong></p>
<p>Our investigation focused on a spear phishing campaign that is linked with the Kneber botnet and that represents only a small portion of the Kneber botnet. We focused on a case in which the attackers took portions of blog posts by authors Brian Krebs and Jeff Carr (two prominent members of the security community) and used them as the content of their malicious emails. Numerous individuals with .gov and .mil email addresses were sent these spoofed emails that prompted them to download a security fix for Microsoft Windows. Our investigation revealed that Zeus was being used to infect targets within the government and military sectors with a second instance of malware designed to ex-filtrate data from the compromised computers.</p>
<p>Instead of simply stealing banking, credit card and social networking credentials, the Zeus malware downloaded an additional piece of malware on to the compromised machines which focused on ex-filtrating sensitive documents. We found at least 81 compromised computers that had uploaded a total of 1533 documents to the drop zone. We found sensitive contracts between defense contractors and the U.S. Military, documents relating to, among other issues, computer network operations, electronic warfare and defense against biological and chemical terrorism. We found the security plan for an airport in the United States as well as documents from a foreign embassy and from a large UN-related international organization. In addition, the personal computers of employees with security clearances who work for a variety of companies and government agencies were compromised.</p>
<p>The sensitive data obtained from these attacks will likely be used to exploit these targets further as well as those within the targets&#8217; social network. The contact information and documents obtained by the attacker will likely be used for further “spear phishing” attacks. But these attacks may signify the growing involvement of crimeware in targeted malware attacks for the purposes of extracting sensitive information that can be exploited for intelligence purposes. The profile of the organizations that were compromised and the nature of the ex-filtrated data indicate that the goal of these attacks was not simply stolen banking credentials &#8211; the typical target of the Zeus malware.</p>
<p>Furthermore, this case poses challenges to methods of attribution that interpret the geo-political motivation of the attackers and assess the geographic location of the attackers&#8217; command and control infrastructure. Were these attacks simply part of an ongoing Zeus crimeware campaign? Or does the composition of the targets and the content of the ex-filtrated data indicate that this is less a case of crimeware and more a case of espionage? There is no easy answer.</p>
<p><strong>A more detailed examination of our investigation</strong></p>
<p>On February 6, 2010, Brian Krebs reported that attackers using the Zeus trojan targeted a variety of .gov and .mil email addresses in a spear phishing attack that appeared to be from the National Security Agency and enticed users to download a report called the “2020 Project.” [18]</p>
<p>Following the publication of the article by Brian Krebs, attackers took portions of his article and used them as a lure in further spear phishing attacks. [19] Sophos Labs analyzed the sample that used Krebs&#8217;s post. [20] A post on Intelfusion.com by Jeff Carr regarding the spear phishing attack was also used in another attack. [21] The attackers used the blog posts of these individuals and spoofed their email addresses in order to make their malware seem convincing to the recipients of the spear phishing attack. </p>
<p><strong>Spear Phishing Email </strong></p>
<blockquote><p>
From: jeffreyc@greylogic.us [mailto:jeffreyc@greylogic.us]<br />
Sent: Wednesday, February 10, 2010 7:34 AM<br />
To: [REDACTED]<br />
Subject: Russian spear phishing attack against .mil and .gov employees </p>
<p>Russian spear phishing attack against .mil and .gov employees </p>
<p>A &#8220;relatively large&#8221; number of U.S. government and military employees are being taken in by a spear phishing attack which delivers a variant of the Zeus trojan. The email address is spoofed to appear to be from the NSA or InteLink concerning a report by the National Intelligence Council named the &#8220;2020 Project&#8221;. It&#8217;s purpose is to collect passwords and obtain remote access to the infected hosts. </p>
<p>Security Update for Windows 2000/XP/Vista/7 (KB823988) </p>
<p>About this download: A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft(r) Windows(r) and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. </p>
<p>Download: </p>
<p>http://fcpra.org/downloads/winupdate.zip</p>
<p>or </p>
<p>http://www.sendspace.com/file/tj373l</p>
<p>__________ </p>
<p>Jeffrey Carr is the CEO of GreyLogic, the Founder and Principal<br />
Investigator of Project Grey Goose, and the author of &#8220;Inside Cyber Warfare&#8221;.<br />
jeffreyc@greylogic.us
</p></blockquote>
<p>According to a further post on Intelfusion.com, the header information from the email reveals that two email addresses were used to send the malicious email: nobody@abe.enixns.com and w63697@uw03.uniweb.no. [22] </p>
<p>This email was sent to .mil and .gov email addresses, including those at the following locations:  [23]</p>
<blockquote><p>
Executive Office of the President<br />
Office of the U.S. Trade Representative<br />
US Agency for International Development<br />
Dept of Agriculture<br />
Department of the Interior<br />
Department of Transportation<br />
Federal Aviation Administration<br />
Department of State<br />
Department of Justice<br />
US Marine Corps<br />
Marine Corps Intelligence Activity<br />
US Navy<br />
Advanced Traceability and Control Program<br />
Department of Defense<br />
US Joint Forces Command<br />
White House Military Office<br />
Defense Logistics Agency<br />
Defense Security Service<br />
US Pacific Command<br />
Joint IED Defeat Organization<br />
Defense Logistics Agency<br />
Defense Intelligence Agency<br />
Defense Finance and Accounting Service
</p></blockquote>
<p><strong>Malware Analysis </strong></p>
<p>The following is an analysis of the malware sample downloaded from: </p>
<p>http://fcpra.org/downloads/winupdate.zip</p>
<p>(The malware samples at http://www.sendspace.com/file/tj373l and http://mv.net.md/update/update.zip were identical). </p>
<p>The malware sample was contained in a ZIP file: </p>
<blockquote><p>
MD5: 4fc8bb3fd8634085423e6e25448acfe1<br />
Filename: winupdate.zip<br />
Virustotal: 6/41 (14.63%) </p>
<p>http://www.virustotal.com/analisis/907f50968b1c324dd37cf545959b119a75fc93aee35a4b92d5b51803ecbfa4f5-1265821180</p>
</blockquote>
<p>Opening the ZIP file reveals an executable: </p>
<blockquote><p>
MD5: 7c0d0a771a39a83a691ffb2e3b810e0a<br />
Filename: KB823988.exe<br />
Virustotal: 18/41 (43.90%) </p>
<p>http://www.virustotal.com/reanalisis.html?907f50968b1c324dd37cf545959b119a75fc93aee35a4b92d5b51803ecbfa4f5-1265991887</p>
<p>http://www.threatexpert.com/report.aspx?md5=7c0d0a771a39a83a691ffb2e3b810e0a</p>
</blockquote>
<p>After running the executable, attempts are made to connect with a command and control server located in China over HTTP: </p>
<p>updatekernel.com<br />
115.100.250.105 </p>
<table width='100%' border='1'>
<tr>
<td>
<strong>Registration Information</strong>
</td>
<td>
<strong>WHOIS Information</strong>
</td>
</tr>
<tr>
<td>
Name: Sport Co LTD<br />
Organization: Sport Com LTD<br />
Address: Volodarskiy<br />
City: Izjevsk<br />
Province/state: IZJEVSK<br />
Country: CN<br />
Postal Code: 519000<br />
Phone: +84.4562425583<br />
Fax: +84.4562425583<br />
Email: abuseemaildhcp@gmail.com
</td>
<td>
IP: 115.100.250.105<br />
Netname: YYNET<br />
Descr: Beijing qi shang zai xian rate communications Technology Co., Ltd. Langfang Branch<br />
Descr: West Side to the da guan di ,Langfang Development Zone<br />
Country: CN
</td>
</tr>
</table>
<p><img src="http://www.infowar-monitor.net/wp-content/uploads/2010/03/Screenshot-ZeuS-Login-Mozilla-Firefox-300x149.png" alt="" title="Screenshot-ZeuS :: Login - Mozilla Firefox" width="300" height="149" class="alignleft size-medium wp-image-5790" /></p>
<p><em>Screen capture of Zeus login page on updatekernel.com. </em></p>
<p>The command and control server is a known Zeus C&#038;C server.[24] There are a wide variety of malware kits and associated domain names hosted on this server, as well as several neighbouring servers.[25] The following are active domain names on the same server (115.100.250.105). </p>
<table width='100%' border='1'>
<tr>
<td>www.adjamadja.cn </td>
<td>justin_dickerson@ymail.com </td>
</tr>
<tr>
<td>www.antidopings.cn </td>
<td>abuseemaildhcp@gmail.com </td>
</tr>
<tr>
<td>www.avatar-agency.com  </td>
<td>contact@privacyprotect.org    </td>
</tr>
<tr>
<td>www.aviavavilons.net   </td>
<td>abuseemaildhcp@gmail.com  </td>
</tr>
<tr>
<td>www.banner3.biz  </td>
<td>d_brih23@gmail.com    </td>
</tr>
<tr>
<td>www.bidon.in   </td>
<td>alparytechno@hotmail.com    </td>
</tr>
<tr>
<td>www.camforuss.com   </td>
<td>abuseemaildhcp@gmail.com   </td>
</tr>
<tr>
<td>www.lusia777.com  </td>
<td>cuitiankai@googlemail.com    </td>
</tr>
<tr>
<td>www.men-secret2010.info   </td>
<td>markstevenson.main@hotmail.com    </td>
</tr>
<tr>
<td>wwww.olypoos.com   </td>
<td>abuseemaildhcp@gmail.com    </td>
</tr>
<tr>
<td>www.paycc.org   </td>
<td>_wmz_@mail.ru    </td>
</tr>
<tr>
<td>www.pinpinpongs.com   </td>
<td>abuseemaildhcp@gmail.com   </td>
</tr>
<tr>
<td>www.poolst.in   </td>
<td>bondarenkoip1@gmail.com   </td>
</tr>
<tr>
<td>www.realtybestus.com    </td>
<td>krekivoshki@live.com    </td>
</tr>
<tr>
<td>www.restiabuildholding.com    </td>
<td>abuseemaildhcp@gmail.com   </td>
</tr>
<tr>
<td>www.socks5servic.cn    </td>
<td>abuseemaildhcp@gmail.com   </td>
</tr>
<tr>
<td>www.stable-trading.com   </td>
<td>abuseemaildhcp@gmail.com   </td>
</tr>
<tr>
<td>www.transfertraff.cn   </td>
<td>abuseemaildhcp@gmail.com   </td>
</tr>
<tr>
<td>www.valentinsss.info    </td>
<td>andrejjm@yahoo.com    </td>
</tr>
<tr>
<td>www.vodkalv.com    </td>
<td>abuseemaildhcp@gmail.com   </td>
</tr>
</table>
<p>Dancho Danchev has linked the email address “abuseemaildhcp@gmail.com” to a variety of criminal enterprises including “money mule recruitment” operations. [26] Netwitness indicated that there is a link with the “Kneber” botnet. The Kneber botnet is named after the email address used to register the command and control domain names, “hilarykneber@yahoo.com”. This email address has been linked to past crimeware activity as well. [27] The link between the domains registered to “abuseemaildhcp@gmail.com” and those registered to “hilarykneber@yahoo.com” appears to be a common command and control infrastructure. </p>
<p>Two domain names, www.globalunitrack.com and www.aeroninc.com, both resolve to 59.53.91.102, which is where portions of the Kneber botnet are hosted. These domain names are also hosted on 115.100.250.105, which is where updatekernel.com is hosted.</p>
<p>There are also domain names registered by both email addresses hosted on the same IP addresses.</p>
<p>91.213.174.50<br />
netname:        VolgaHost<br />
descr:          PE Bondarenko Dmitriy Vladimirovich<br />
country:        RU</p>
<table width='100%' border='1'>
<tr>
<td>91.213.174.50</td>
<td>shashacn.cn</td>
<td>hilarykneber@yahoo.com</td>
</tr>
<tr>
<td>91.213.174.50</td>
<td>sebastijans.com</td>
<td>abuseemaildhcp@gmail.com</td>
</tr>
</table>
<p>61.235.117.72<br />
netname:      CRGdSzS<br />
country:      CN<br />
descr:        China Railcom Guangdong Shenzhen Subbranch</p>
<table width='100%' border='1'>
<tr>
<td>61.235.117.72</td>
<td>stallvars-11.cn</td>
<td>hilarykneber@yahoo.com</td>
</tr>
<tr>
<td>61.235.117.72</td>
<td>stallvars-1.com</td>
<td>abuseemaildhcp@gmail.com</td>
</tr>
</table>
<p>There are a variety of other interesting connections between “stallvars” domain names and other email addresses which indicate that there are further connections between the domain names and IP infrastructure used by the attackers. [28] This particular botnet extends beyond just the domains registered by “hilarykneber@yahoo.com.”</p>
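<p>The pivot described above (linking two registrant email addresses through the IP addresses that host their domains) can be automated. The following is an added example, not code from the Information Warfare Monitor investigation: the (domain, registrant, IP) tuples are transcribed from the tables on this page, and the linking logic, including the hop count that separates a direct same-IP link from a weaker multi-hop one, is this example's own.</p>

```python
"""Infrastructure pivot over the hosting/registrant data quoted in the report.

Added example, not code from the report. RECORDS is transcribed from the
page's tables; the pivot logic is this example's own.
"""
from collections import defaultdict, deque
from itertools import combinations

# (domain, registrant e-mail, hosting IP) as stated on the page.
RECORDS = [
    ("updatekernel.com", "abuseemaildhcp@gmail.com", "115.100.250.105"),
    ("www.antidopings.cn", "abuseemaildhcp@gmail.com", "115.100.250.105"),
    ("www.adjamadja.cn", "justin_dickerson@ymail.com", "115.100.250.105"),
    ("www.banner3.biz", "d_brih23@gmail.com", "115.100.250.105"),
    ("shashacn.cn", "hilarykneber@yahoo.com", "91.213.174.50"),
    ("sebastijans.com", "abuseemaildhcp@gmail.com", "91.213.174.50"),
    ("stallvars-11.cn", "hilarykneber@yahoo.com", "61.235.117.72"),
    ("stallvars-1.com", "abuseemaildhcp@gmail.com", "61.235.117.72"),
]


def registrants_by_ip(records):
    """Map each hosting IP to the registrant addresses that have a domain on it."""
    by_ip = defaultdict(set)
    for _domain, registrant, ip in records:
        by_ip[ip].add(registrant)
    return by_ip


def direct_links(records):
    """Pairs of registrants that each have a domain on the same IP.

    Returns {frozenset({a, b}): sorted list of the IPs they share}. This is
    the same-IP evidence the report relies on for the abuseemaildhcp /
    hilarykneber connection.
    """
    links = defaultdict(set)
    for ip, regs in registrants_by_ip(records).items():
        for a, b in combinations(sorted(regs), 2):
            links[frozenset((a, b))].add(ip)
    return {pair: sorted(ips) for pair, ips in links.items()}


def connected_registrants(records, start):
    """Breadth-first walk from one registrant across shared hosting IPs.

    Returns {registrant: hops}; hop 1 shares an IP with `start`, hop 2 shares
    an IP with a hop-1 registrant, and so on. Treat higher hop counts as
    weak evidence: shared hosting on its own can join unrelated actors.
    """
    by_ip = registrants_by_ip(records)
    ips_of = defaultdict(set)
    for _domain, registrant, ip in records:
        ips_of[registrant].add(ip)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for ip in ips_of[cur]:
            for nxt in by_ip[ip]:
                if nxt not in hops:
                    hops[nxt] = hops[cur] + 1
                    queue.append(nxt)
    return hops


if __name__ == "__main__":
    for pair, ips in direct_links(RECORDS).items():
        print(" <-> ".join(sorted(pair)), "via", ", ".join(ips))
    for reg, hop in sorted(connected_registrants(RECORDS, "hilarykneber@yahoo.com").items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {reg}")
```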
<p><strong>Configuration File </strong></p>
<p>The compromised machine downloads a Zeus configuration file. In this case the file was downloaded from: </p>
<p>GET /imgpic/x18d2/d8x16/x98x10.bin<br />
Host: updatekernel.com </p>
<p>The decrypted contents of this file contain the typical banking services that Zeus targets. When the user visits these sites, Zeus adds additional fields to capture information from the compromised user. It also changes DNS settings for the domains of antivirus products to prevent the compromised computer from receiving updates. </p>
<blockquote>
<p>http://updatekernel.com/dbbck/fts.exe</p>
<p>http://updatekernel.com/templtes/a16ext/int3xs/s.php</p>
<p>http://updatekernel.com/imgs/clprof/rbs28.bin</p>
<p>https://www.gruposantander.es/*</p>
<p>https://internetbanking.gad.de/*/portal?bankid=*</p>
<p>https://www.vr-networld-ebanking.de/index.php?RZKZ=*&#038;RZBK=*</p>
<p>https://finanzportal.fiducia.de/*?rzid=*&#038;rzbk=*</p>
<p>https://*.banking.first-direct.com/*</p>
<p>https://banking.*.de/cgi/ueberweisung.cgi/*</p>
<p>*&#038;tid=*<br />
*&#038;betrag=*</p>
<p>https://internetbanking.gad.de/banking/*</p>
<p>KktNrTanEnz</p>
<p>https://cipehb*.cdg.citibank.de/HomeBanking*?_D=WorkArea&#038;*</p>
<p>https://www.vr-networld-ebanking.de/ebanking*Action=*</p>
<p>Schmetterling</p>
<p>https://finanzportal.fiducia.de/ebanking*Action=*</p>
<p>Schmetterling</p>
<p>https://finanzportal.fiducia.de/ebbg2/portal?token=*</p>
<p>*decBetrag=*<br />
value_*</p>
<p>https://onlinebanking.norisbank.de/norisbank/*.do?method=*</p>
<p>https://www.dresdner-privat.de/servlet/*</p>
<p>*&#038;CMD=stapelFreigeben&#038;*</p>
<p>https://brokerage.comdirect.de/servlet/*TAN*</p>
<p>*transactionID=*
</p></blockquote>
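<p>Once a configuration like the one above has been decrypted, an incident responder will want to know which sessions from an infected host fell under its target masks. The following is an added example, not code from the investigation or from the Zeus kit: the target masks are transcribed from the configuration quoted above, the proxy log lines are constructed, and the matcher treats only the <code>*</code> wildcard that appears in the quoted masks (any other wildcard some Zeus builds may support is an assumption left out here).</p>

```python
"""Match observed URLs against Zeus configuration target masks.

Added example, not code from the report or from the Zeus kit. TARGETS is
transcribed from the decrypted configuration quoted above; the proxy log
is constructed for this example.
"""
import re

# Target masks as they appear in the decrypted configuration.
TARGETS = [
    "https://www.gruposantander.es/*",
    "https://internetbanking.gad.de/*/portal?bankid=*",
    "https://www.vr-networld-ebanking.de/index.php?RZKZ=*&RZBK=*",
    "https://*.banking.first-direct.com/*",
    "https://banking.*.de/cgi/ueberweisung.cgi/*",
    "https://onlinebanking.norisbank.de/norisbank/*.do?method=*",
    "https://brokerage.comdirect.de/servlet/*TAN*",
]


def compile_mask(mask):
    """Turn a mask into a regex: '*' matches any run of characters, everything
    else (including '?', '&' and '.') is literal. Case-insensitive, since the
    masks mix cases and hostnames are case-insensitive anyway."""
    parts = [re.escape(p) for p in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


COMPILED = [(mask, compile_mask(mask)) for mask in TARGETS]


def matching_targets(url):
    """Return every configuration mask that the URL falls under."""
    return [mask for mask, rx in COMPILED if rx.match(url)]


# Constructed proxy log (not from the report): timestamp, client IP, URL.
SAMPLE_PROXY_LOG = """\
2010-02-10T08:12:01Z 10.1.2.3 https://www.gruposantander.es/login.html
2010-02-10T08:13:44Z 10.1.2.3 https://www.microsoft.com/download
2010-02-10T08:15:09Z 10.1.2.7 https://banking.sparkasse.de/cgi/ueberweisung.cgi/start
2010-02-10T08:16:30Z 10.1.2.7 https://secure.banking.first-direct.com/1/2/
2010-02-10T08:17:02Z 10.1.2.9 https://brokerage.comdirect.de/servlet/TANEntry
"""


def flag_sessions(log_text):
    """Return (client, url, masks) for each logged request that hits a target.

    Those clients' banking sessions during the infection window should be
    treated as exposed to credential theft and form injection.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, url = line.split(maxsplit=2)
        masks = matching_targets(url)
        if masks:
            hits.append((client, url, masks))
    return hits


if __name__ == "__main__":
    for client, url, masks in flag_sessions(SAMPLE_PROXY_LOG):
        print(client, url, "->", "; ".join(masks))
```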
<p>After the “check in” with the command and control server, another executable was downloaded: </p>
<p>MD5: fb82af794544359ee89c17d096fa35b7<br />
Filename: stat.exe<br />
Virustotal: 5/41 (12.20%) </p>
<p>http://www.virustotal.com/analisis/1336bca82ba370c8cf0967ed192cb1865e4f943fbb4ea4e2f6c2c9b98eb43723-1265964848</p>
<p>http://www.threatexpert.com/report.aspx?md5=fb82af794544359ee89c17d096fa35b7</p>
<p><strong>Drop Zone </strong></p>
<p>After running the executable, attempts are made to connect with a drop zone located in Belarus over FTP: </p>
<p>packupdate.com<br />
86.57.246.177 </p>
<table width='100%' border='1'>
<tr>
<td>
<strong>Registration Information</strong>
</td>
<td>
<strong>WHOIS Information</strong>
</td>
</tr>
<tr>
<td>
NOSPAM ASSOCIATION<br />
Email: domains@atservers.com<br />
Organization: Private person<br />
Address: 11-2 Nezavisimosti ave., office 320<br />
City: Minsk<br />
State: BY<br />
ZIP: 220030<br />
Country: BY<br />
Phone: +375.172099191<br />
Fax: +375.172099191
</td>
<td>
IP: 86.57.246.177<br />
rDBS: by104.activeby.net<br />
Netname: BELTELECOM-DATACENTER<br />
Descr: Minsk, Belarus<br />
Country: BY
</td>
</tr>
</table>
<p>After connecting to the drop zone, the following files were uploaded from the compromised computer to the drop zone: </p>
<ul>
<li>_C.dll &#8211; list of files and directories in the “C:\” directory</li>
<li>EXCEL9.XLS &#8211; blank Excel document </li>
<li>_hslib.dll &#8211; unique id for the compromised computer </li>
<li>_users.dll &#8211; list of users on the compromised computer </li>
<li>WINWORD8.DOC &#8211; blank Word document </li>
</ul>
<p>The FTP server revealed that there were at least 81 compromised computers that had uploaded a total of 1533 documents to the drop zone. </p>
<p>While we did not find any classified data, there was sensitive information regarding contracts with private firms as well as government/military entities, and project information including budgets and supplementary documentation from government/military sources. The data includes unclassified, but sensitive, documents on the latest threats from law enforcement services around the world. There were also procedural documents, such as an airport&#8217;s security plan.</p>
<p>Several of the compromised computers belong to individuals who hold Top Secret (SSBI) clearances. In addition, compromised computers belonging to other individuals contained “privileged” military documents. The personal computer of an investigator who conducts security clearance investigations was also compromised.</p>
<p><strong>Conclusions </strong></p>
<p>Despite the fact that no classified information appears to have been obtained, the data captured is valuable to the attackers. At a minimum the attackers can use the contacts and information in these documents to further exploit the targets. Social engineering, rather than technical proficiency, is what enables attackers to compromise these high value targets. Expect to see these documents used as malicious lures targeting those who would be familiar with or interested in them. </p>
<p>The identity of the targets compromised in this attack, the focus on ex-filtrating data, and the content of the documents indicate that crimeware may be moving into the espionage industry and/or providing command and control infrastructure for those engaged in such activities. While Zeus is normally associated with capturing banking and other credentials, it is being used here to deliver a payload that focuses on extracting sensitive data. The use of a well known malware kit such as Zeus and crime-focused command and control infrastructure may be obscuring the nature and intent of the attackers. If this trend is in fact occurring, the use of crimeware infrastructure significantly impacts traditional methods of determining motivation and attribution in espionage investigations.</p>
<p><strong>About  Information Warfare Monitor</strong></p>
<p>The Information Warfare Monitor is an advanced research activity tracking the emergence of cyberspace as a strategic domain. We are an independent research effort. Our mission is to build and broaden the evidence base available to scholars, policy makers, and others. We aim to educate and inform.</p>
<p>The Information Warfare Monitor is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto, and The SecDev Group, an operational think tank based in Ottawa (Canada). The SecDev Group conducts field-based investigations and data gathering. Our advanced research and analysis facilities are located at the Citizen Lab.</p>
<p><strong>Notes:</strong></p>
<p>[1] http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm<br />
[2] http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html<br />
[3] http://www.wired.com/threatlevel/2010/01/google-hack-attack/<br />
[4] http://www.businessweek.com/technology/content/jul2009/tc2009076_873512.htm<br />
[5] http://www.dtic.mil/whs/directives/corres/pdf/520513p.pdf<br />
[6] http://www.damballa.com/downloads/d_pubs/WP%20Many-to-Many%20Botnet%20Relationships%20(2009-05-21).pdf<br />
[7] For a technical discussion see http://www.abuse.ch/?p=1192 , http://blog.threatexpert.com/2009/09/time-to-revisit-zeus-almighty.html and http://www.m86security.com/labs/i/Zbot-In-Your-Inbox,trace.1005~.asp<br />
[8] http://www.fortiguard.com/analysis/zeusanalysis.html<br />
[9] http://www.darkreading.com/security/client/showArticle.jhtml?articleID=217800596<br />
[10] http://www.netwitness.com/resources/kneber.aspx<br />
[11] http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html http://www.nytimes.com/2010/02/19/technology/19cyber.html http://blogs.zdnet.com/security/?p=5508<br />
[12] http://www.symantec.com/connect/fr/blogs/kneber-zeus<br />
[13] http://www.krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/, http://blogs.zdnet.com/security/?p=5508, http://pandalabs.pandasecurity.com/kneber-another-bot-yet/, http://blog.scansafe.com/journal/2010/2/18/zeus-kneber-botnet-cache-discovered.html, http://www.sophos.com/blogs/gc/g/2010/02/19/zeus-kneber-botnet-unmasked/, http://blog.threatfire.com/2010/02/a-zbot-botnet-dubbed-kneber.html, http://www.symantec.com/connect/fr/blogs/kneber-zeus, http://www.f-secure.com/weblog/archives/00001887.html<br />
[14] See, comment by Brian Krebs, http://www.krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/<br />
[15] http://www.networkforensics.com/2010/02/18/move-over-china-here-comes-russia/<br />
[16] http://www.networkforensics.com/2010/02/19/kneber-update/<br />
[17] http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html<br />
[18] http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/<br />
[19] http://www.krebsonsecurity.com/2010/02/warning-about-zeus-attack-used-as-lure/<br />
[20] http://www.sophos.com/blogs/sophoslabs/?p=8654<br />
[21] http://intelfusion.net/wordpress/2010/02/08/russian-spear-phishing-attack-against-mil-and-gov-employees/<br />
[22] http://intelfusion.net/wordpress/2010/02/11/define-irony-a-phishing-attack-disguised-as-a-warning-from-an-infosec-author-about-a-phishing-attack/<br />
[23] http://intelfusion.net/wordpress/2010/02/19/u-s-government-departments-and-agencies-hit-by-the-zeus-trojan/<br />
[24] https://zeustracker.abuse.ch/monitor.php host=updatekernel.com&#038;id=7f6a3e6d82935254f0eafd9dc4fa450a<br />
[25] http://www.malwaredomainlist.com/mdl.php?search=115.100.250.&#038;colsearch=All&#038;quantity=50<br />
[26] http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html, http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html, http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html<br />
[27] http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html<br />
[28] http://www.malwareurl.com/search.php?domain=&#038;s=stallvars&#038;match=0&#038;rp=50&#038;urls=on&#038;redirs=on&#038;ip=on&#038;reverse=on&#038;as=on</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/the-kneber-botnet-spear-phishing-attacks-and-crimeware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malicious Software Infects Computers</title>
		<link>http://www.infowar-monitor.net/2010/02/malicious-software-infects-computers/</link>
		<comments>http://www.infowar-monitor.net/2010/02/malicious-software-infects-computers/#comments</comments>
		<pubDate>Thu, 18 Feb 2010 20:52:39 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Kneber Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[ZeuS Botnet]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5653</guid>
		<description><![CDATA[Source: <a href="http://www.nytimes.com/2010/02/19/technology/19cyber.html">JOHN MARKOFF</a> &#124; NYT



<blockquote>A malicious software program has infected the computers of more than 2,500 corporations around the world, according to NetWitness, a computer network security firm.

The malicious program, or botnet, can commandeer the operating systems of both residential and corporate computing systems via the Internet. Such botnets are used by computer criminals for a range of illicit activities, including sending e-mail spam and stealing digital documents and passwords from infected computers. In many cases they install so-called keystroke loggers to capture personal information.

The current infection is modest compared with some of the largest known botnets. For example, a system known as Conficker, created in late 2008, infected as many as 15 million computers at its peak and continues to contaminate more than seven million systems globally.

Botnet attacks are not unusual. Currently Shadowserver, an organization that tracks botnet activity, is monitoring 5,900 separate botnets.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Several computer security specialists also disputed the company’s assertion that the botnet was a novel discovery. This type of infection is well known to the computer security research community and is routinely tracked by a monitoring system that has identified more than 1,300 botnets of this design.</p>
<p>NetWitness said in a release that it had discovered the program last month while the company was installing monitoring systems. The company named it the Kneber botnet based on a username that linked the infected systems. The purpose appears to be to gather login credentials to online financial systems, social networking sites and e-mail systems, and then to transmit that information to the system’s controllers, the company said.</p>
<p>The company’s investigation determined that the botnet had been able to compromise both commercial and government systems, including 68,000 corporate login credentials. It has also gained access to e-mail systems, online banking accounts, Facebook, Yahoo, Hotmail and other social network credentials, along with more than 2,000 digital security certificates and a significant cache of personal identity information.</p>
<p>“These large-scale compromises of enterprise networks have reached epidemic levels,” said Amit Yoran, chief executive of NetWitness and former director of the National Cyber Security Division of the Department of Homeland Security. “Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe.”</p>
<p>The company, which is based in Herndon, Va., noted that the new botnet made sophisticated use of a well-known Trojan Horse — a backdoor entryway to attack — that the computer security community had previously identified as ZeuS.</p>
<p>“Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information,” said Alex Cox, the principal analyst at NetWitness responsible for uncovering the Kneber botnet. “But that viewpoint is naïve. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS.”</p>
<p>Half of the machines infected with the Kneber botnet were also infected by an earlier botnet known as Waledec, the company noted.</p>
<p>The existence of the botnet was first reported by The Wall Street Journal, shortly before the company issued its news release.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/malicious-software-infects-computers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

