The Skinny on the Kneber Botnet
"The way I look at it is a single compromised PC inside a network is potentially a foothold and if you look at historically the way some of these compromises have occurred in the past, that is typically the way they start" Alex Cox, principal analyst at the IT security firm NetWitness, said in an interview with GovInfoSecurity.com (transcript below). "You get a single foothold inside a network and then pivot off of that foothold into other places in the network."
Cox said that's how Operation Aurora - the assault on IT systems of Google, Intel and other companies - got started. "They got one machine and then got all the machines they needed," Cox said. "Saying my organization only has one compromised host to make yourself feel better really isn't realistic because that is the root of the compromise really."
In an interview, Cox describes:
Cox was interviewed by Eric Chabrow, GovInfoSecurity.com managing editor.
ERIC CHABROW: What is the Kneber botnet and how does it work?
ALEX COX: The Kneber is actually not a unique botnet. It is a botnet that we kind of identified as a member of the ZeuS Trojan family. We called it Kneber based on some of the information that we developed as we were researching the compromise on the networks because of the use of an e-mail address, HillaryKneber@Yahoo.com, that was used to register some of the domains that were involved in the compromise.
CHABROW: How does it work?
COX: ZeuS has to be considered a key logger and it is more along the lines of a form logger, but it really has a lot of different capabilities. Typically, the way ZeuS is used is it injects form elements into logon pages so that miscreants can collect credential information and banking information and that sort of thing. That is then sent to a central connection control server or it is pushed into a database so they can access it as they want to.
That being said, it is not used just for financial fraud, it can really be configured to steal any kind of credential information. It can also run additional executables on it, compromise a host site and also pull, protect and store information out of, say, your Internet Explorer where an Explorer stores passwords when you tell it to save passwords. So it is really a kind of multiuse piece of malware that can steal all kinds of different information.
CHABROW: Do you have any idea of who may be behind this and who are its targets?
COX: Historically, ZeuS is believed to be of eastern European origin. It has been around for a while. The security research community generally believes that it is being maintained by eastern European cybercriminals. As far as directed attribution, it is always hard to do that.
CHABROW: There were a lot of attacks; how many have you counted so far?
COX: As far as compromised hosts in this particular incident, you have to remember that this is just a series of log data; 75 gigabytes worth of log data over a one month period, and that was mid-December through mid-January. There were close to 75,000 unique hosts in that log data, so at least 75,000.
CHABROW: At least 75,000 and I believe you were saying something like 2,500 different organizations were hit?
COX: Yes. When we mapped out the unique IDs to the organizations that were involved, we were looking at over 2,400 global organizations, so that is not just in the U.S., that is all over the world in various places. And they include corporations like financials, technology firms and government organizations as well as ISPs, so a lot of your home users on their home internet connections are probably included there as well.
CHABROW: Do you know what kind of government sites were being attacked?
COX: One of the things that we determined as we were researching this is some of the recent spear phishing attacks towards .gov e-mail addresses were involving the ZeuS Trojan as well. And when we did some malware analysis on those particular Trojans, what we found was that the command and control servers and structures were the same as the ones that were the result of this log data.
We were basically able to make a connection that not only were they involved in this worldwide collection of credential information, but they were also actually doing some spear phishing targeted attacks towards the U.S. government.
CHABROW: Can you characterize the kind of information that people are trying to get?
COX: It is really hard to say because we didn't have access to the configuration file for ZeuS from when the logs were created. But when you look at the log data as a whole, what you see are a lot of things like social networking sites and e-mail sites and just credential information for various systems. There is a lot of social networking involved, but then there are just a lot of just various credentials for various sites.
What it kind of looks like is that they just open the net, they cast the net to see what they can get, and we found that somewhat significant because ZeuS is historically considered to be a banking Trojan, something that is used to steal banking credentials. And in fact, when we did malware analysis on the binaries that came down after the newer versions of ZeuS, after this log data that was discovered, the configuration actually was attacking a banking site. If you look in the white paper that we published, there is a big list of all of the banking sites that were listed in the config and so basically the bot had been reconfigured to look for login credentials for those banks.
CHABROW: But you said that it also is attacking government sites.
COX: In the log data that we have, there is indication of government sites that are affected with bots and then also the spear-phishing attacks directly against government e-mail addresses, so yes.
CHABROW: Walk us through a scenario of an attack that eventually leads to a government site.
COX: A really interesting comparison to make is the recent Aurora attacks with the Chinese involvement. One of the research findings that came out of that particular incident was that the cybercriminals used Facebook to infect their targets. And the way they did it was they compromised friends of their target on Facebook and then they were able to send messages from the friend to the target and the target would be more likely to click on that message because it is from one of their friends on Facebook. So if you think about that perspective and using that kind of methodology to spread their malware, it gives them a tremendous amount of leverage.
The other thing to consider is that if I get access to an e-mail account, your e-mail accounts are typically used for all kinds of different authentication processes and signing up for access to various sites, I could potentially have access to a large number of other systems that may be interesting to me.
The way that that would kind of come back around to attacks is, say for example, that I have a web host, maybe I pay a monthly fee to have access to a web server that I put my blog up on. So a miscreant attacks my system, they get access to my e-mail account, they can then get access to my web hosting account and they can use my web host to host their malware.
It is kind of this multilevel compromise process that they can go through. There is a lot of value in not just banking credentials but credentials of all types because of the way that the connected systems work; you can just basically extend your compromise.
CHABROW: The people who are conducting this attack, is there any way you can determine what kind of damage they try to do to, say, federal government accounts, or are they just going in there and looking around?
COX: It is really hard to say. From a money standpoint, with the banking attacks they are interested in getting access to bank accounts, transferring that money offshore and then using money mules to get access to that money.
From a government perspective it is really hard to say. There are a lot of rumors around online that foreign intelligence services sometimes work with these cybercriminals so you have the perspective of getting a big intrusion into the U.S. government maybe because some Russian intelligence official has asked for that sort of access and offered to pay for it.
The ultimate thing we should get out of that is that this data that is being stolen is being stored on these servers in these other countries, but ultimately we don't know what the end consumer of that data is going to be, be it cybercriminals that are going to try to steal money or a nation state that wants intelligence.
CHABROW: The kind of people who are hacking, these are people who have some kind of ill intent; these aren't just people who are just wanting to get into who they can get in?
COX: Absolutely. There are people who are dedicated to making money doing this. There is a lot of evidence toward a cybercriminal underground where they buy and sell various services via botnet access or exploits or identities or credit card numbers and they absolutely use those credit card numbers and those stolen credentials to make money.
CHABROW: Of the attacks, of the 2,400, 2,500 that you mentioned, do you know how many of those are government?
COX: I don't have an actual count. It was I want to say around 20 government organizations that we saw.
CHABROW: Federal, local, state?
COX: All of the above.
CHABROW: Not a large number but something that people should be concerned about.
COX: The way I look at it is a single compromised PC inside a network is potentially a foothold and if you look at historically the way some of these compromises have occurred in the past, that is typically the way they start. You get a single foothold inside a network and then pivot off of that foothold into other places in the network.
That is how the Aurora worked as well, they got one machine and then got all the machines they needed. Saying my organization only has one compromised host to make yourself feel better really isn't realistic because that is the root of the compromise really.