Kneber Botnet Infects 75,000 Corporate, Government Computers

February 18, 2010, 09:17 AM EST

The virus, a version of the Zeus botnet called "Kneber" because of the user name that links the infected systems, gathers login credentials to online financial systems, social networking sites and email systems, NetWitness said Thursday, and "reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities."

NetWitness, based in Herndon, Va., said it discovered the botnet last month during a routine deployment of its monitoring software. It investigated further and discovered "an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines," the company said in a statement.

NetWitness said the attacks have been going on for about 18 months and appeared to originate in Europe and China. The company has shared its findings with the targeted companies and government agencies.

The company did not publicly identify the companies and government agencies with infected systems. A story in The Wall Street Journal said pharmaceutical maker Merck & Co. and Cardinal Health Inc. were among the companies with infected IT systems and those companies had contained the problem.

"Systems compromised by this botnet provide the attackers with not only user credentials and confidential information, but remote access inside the compromised networks," NetWitness CEO Amit Yoran said in the statement.

"These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe," Yoran said.

Rick Whiting

Rick Whiting has been with CRN since 2006 and is currently a feature/special projects editor. Whiting manages a number of CRN’s signature annual editorial projects including Channel Chiefs, Partner Program Guide, Big Data 100, Emerging Vendors, Tech Innovators and Products of the Year. He also covers the Big Data beat for CRN. He can be reached at rwhiting@thechannelcompany.com.