Kneber botnet returns, steals sensitive government documents
Posted on 05.01.2011
The Kneber botnet is running and striking again - this time with a Christmas-themed electronic greeting card seemingly coming from The White House and targeting employees of various government offices and agencies.

“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission,” the e-mail says. Two links to the greeting card are offered, and the message is signed "Executive Office of the President of the United States".


Unfortunately for the victims, clicking on the links and saving the offered file actually downloaded two pieces of malware onto their computers: a variant of the Zeus Trojan, which began harvesting banking information and login credentials, and a custom Perl script that had been converted to an executable, whose tasks include searching the computer's hard drive for Word, Excel and PDF documents and sending them to a server located in Belarus.

According to Brian Krebs - who has had the chance to rifle through the bulk of the documents stolen during the attack - the list of victims seemingly includes employees of the National Science Foundation’s Office of Cyber Infrastructure, Financial Action Task Force and Millennium Challenge Corporation, an intelligence analyst in the Massachusetts State Police, and an official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.

The Kneber botnet was first detected a year ago by researchers from security firm NetWitness, and presented the same modus operandi as it does now. Back then, it managed to compromise some 75,000 systems in 2,500 commercial and government organizations around the world, and stole corporate login credentials, access to email systems and online banking sites, social networking credentials, SSL certificate files, and dossier-level data sets on individuals.

But what troubles Alex Cox, NetWitness' principal research analyst, the most is that this attack was so successful despite using practically the same payload as the year before. "We see new attacks all the time, but what surprised me here was that Kneber has been known for about a year, but people are still getting infected," he said to ComputerWorld.

He also speculated about the possible motives behind the attack (financial, or intelligence to be sold or used for facilitating further attacks), but admitted that they don't know why the attackers are collecting the information.





