Russian Kneber Zeus BotNet
Alex Cox had an exceptional report last week on the Russian Kneber Zeus Botnet in the Netwitness webinar, “The Russians (and a Horde of Others) are Coming!” Netwitness is the company that detected and exposed the Kneber Botnet.
Alex started the webinar by taking a look at the source of Russian cyber crime. Russia’s history of organized crime started with the “Gulags” of USSR. Russian computer crime originated with the cracking of software copy protection so programs could be easily pirated. But in 1994, the “Vladimir Levin” Citibank financial fraud case was the birth of Russian cyber crime.
Alex investigated the factors behind Russian Cyber crime. Russia has a large pool of unemployed IT workers. This coupled with loose cybercrime laws has led to a breeding ground of sorts for the Russian underground. But there is also a more sinister, anti-American undertow to the Russian cyber attacks. Alex found ads on Russian credit card theft sites that stated, “We will recreate historical fairness” and “We will bring the USA down to the level of 1928-1933”. Russian cybercriminals seem to be trying to right some perceived wrongs of the past.
Alex explained how the Russian spammers and Botnet creators work together to increase their profits. This includes renting machine use and Botnet time. They also work together to provide a “fault tolerance” to infected machines. Spammers will infect machines with botnets, and vice versa. Many times an Anti-virus program will only detect one half of the infection. Thus, if the spamming software is removed, the botnet will re-infect the machine with the spam software. This creates almost a self infecting symbiotic relationship.
Zeus itself is focused on stealing financial information. According to Alex, the Kneber strain of Zeus is very specialized to steal credentials. In the one month that the Botnet was monitored, they discovered that 74,000+ systems were compromised. 68,000 credentials and 2000 SSL certificate files were stolen. Over 2,400 public and private businesses were affected. This included aerospace, healthcare, Oil and Gas, telecommunication and financial services.
Kneber also stole information from protected storage in Internet Explorer. This is where your passwords are stored if you allow IE to save your passwords. Netwitness also found that tax information was stolen, including such personal information as social security numbers, addresses and even names of children. And this was just the one month that it was monitored, the Botnet was said to be active for a year or more.
Alex mentioned that with the modification of Zeus to go after sign on credentials, this lead him to believe that the backing of the Botnet could be nation-sponsored or radical/ extremist groups.
Alex wrapped up the seminar with explaining how to stop Kneber and other botnets. Anti-virus alone will not do the trick. According to the webinar, Anti-virus software only had about a 10% chance of detecting Kneber due to obfuscation. Obfuscation is the modifying of virus and Trojans so they do not trigger signature based anti-virus engines.
These advanced spammers and botnets also use random communication techniques which make them hard to detect. Pattern sensing and packet capturing programs are needed to detect and eliminate these threats. New traffic patterns and connections to new sites must be investigated.
See Netwitness for more info and their Investigator freeware download.