“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission," says in the e-mail. Two links to the greeting card are offered, and the message is signed with "Executive Office of the President of the United States".
Unfortunately for the victims, clicking on the links and saving the offered file actually downloaded two pieces of malware on their computers: a variant of the Zeus Trojan which began harvesting banking information and login credentials, and a custom Perl script that had been converted to an executable, whose tasks include searching through the computer hard drive for Word, Excel and PDF documents and sending them to a server located in Belarus.
According to Brian Krebs - who has had the chance to rifle through the bulk of the documents stolen during the attack - the list of victims seemingly includes employees of the National Science Foundation’s Office of Cyber Infrastructure, Financial Action Task Force and Millennium Challenge Corporation, an intelligence analyst in the Massachusetts State Police, and an official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.
The Kneber botnet was first detected a year ago by researchers from security firm NetWitness, and presented the same modus operandi as it does now. Back then, it managed to compromise some 75,000 systems in 2,500 commercial and government organizations around the world, and stole corporate login credentials, access to email systems and online banking sites, social networking credentials, SSL certificate files, and dossier-level data sets on individuals.
But the thing that troubles Alex Cox, NetWitness' principal research analyst, the most, is the fact that this attack was so successful despite using practically the same payload as the year before. "We see new attacks all the time, but what surprised me here was that Kneber has been known for about a year, but people are still getting infected," he said to ComputerWorld.
He also speculated about the possible motives behind the attack (financial, intelligence to be sold or used for facilitating further attacks), but also admitted that they don't know why the attackers are collecting the information.