Feb 10

ZeuS: ‘A Virus Known as Botnet’

As a journalist who for almost ten years has sought to explain complex computer security topics to a broad audience, I sometimes find it difficult to be picky when major news publications over-hype an important security story or screw up tiny details: For one thing, Internet security so seldom receives more than surface treatment in the media that the increased attention to the issue often seems to excuse the breathlessness with which news organizations cover what may seem like breaking, exclusive stories.

The trouble with that line of thinking is that an over-hyped story tends to lack important context that helps frame the piece in ways that make it more relevant, timely, and actionable, as opposed to just sensational.

I say this because several major media outlets, including The Washington Post and the Wall Street Journal, on Thursday ran somewhat uncritical stories about a discovery by NetWitness, a security firm in Northern Virginia that has spent some time detailing the breadth of infections by a single botnet made up of PCs infected with ZeuS, a password stealing Trojan that lets criminals control the systems from afar. NetWitness found that this particular variant of the botnet, which it dubbed “Kneber,” had invaded more than 2,500 corporations and 75,000 computers worldwide.

The Post’s headline: More than 75,000 Computer Systems Hacked in one of the Largest Cyber Attacks, Security Firm Says.

From the WSJ: Broad New Hacking Attack Detected: Global Offensive Snagged Corporate, Personal Data at Nearly 2,500 Companies: Operation is Still Running.

Yahoo!’s coverage tells us, Scary Global Hacking Offensive Finally Outed.

After a day of dodging countless PR people pitching their experts to pile on to the story, I finally resolved to add my two cents when I heard this gem from the PBS Newshour with Jim Lehrer: “A major new case of computer hacking has been uncovered. A virus known as botnet invaded the computers and used them to steal data from commercial and government systems. Among other things, the hackers have gained access to e-mail systems and online banking.”

Not to take anything away from NetWitness, whose network forensics software I have used and admire. Also, the company has a fine stable of security researchers, and is headed up by no less than Amit Yoran, a clueful geek who was formerly the top cyber official at the Department of Homeland Security.

And NetWitness timed its research masterfully, releasing its findings as it did so soon after news that Google and many other large financial, energy, defense, technology and media firms had been compromised by a stealthy computer attack.

The Post’s Ellen Nakashima tells us, “..it is significant…in its scale and in its apparent demonstration that the criminal groups’ sophistication in cyberattacks is approaching that of nation states such as China and Russia.”

Sadly, this botnet documented by NetWitness is neither unusual nor new. For the past several years at any given time, the number of distinct ZeuS botnets has hovered in the hundreds. At the moment, there are nearly 700 command-and-control centers online for ZeuS botnets all over the world, according to ZeuStracker, a Web site that keeps tabs on the global threat from ZeuS.

True, not every distinct ZeuS botnet has 75,000 infected machines in its thrall, but that’s actually not all that rare, and some have far more systems under their control. Last summer, I wrote about a ZeuS botnet of roughly 100,000 infected systems whose overlords (or enemies) exercised the “kill operating system” feature built into the botnet code, instructing all of the infected computers to render themselves unbootable and for all purposes unusable by either the bad guys or the rightful owners of the machines.

Take a peek inside any of the monster piles of purloined data these botnets turn in each day and chances are you will find victims much like those detailed in the Kneber write-up: infected computers at dozens of government, military and educational institutions, as well as at many of the world’s top corporations.

Back in 2007, I wrote a story for The Washington Post’s Security Fix blog called Tracking the Password Thieves, in which I pored over the data stolen by a single botnet that had infected some 3,221 U.S. victims. In just that comparatively tiny sample, I found infected machines at U.S. government systems (Department of Energy), financial institutions (Bank of America), and plenty of Fortune 50 companies, including IBM, Amgen and Merck (the latter was found again in the ZeuS botnet dissected by NetWitness).

Incidentally, the name of the password-stealing malware that I tracked in that story three years ago? “WSNPoem,” a pseudonym for the ZeuS Trojan.
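The sorting described above, going through a botnet's stolen-data dump and bucketing the infected hosts by the kind of organization they belong to, is routine victim-notification triage. The following is an added example (not code from the original post, NetWitness, or any botnet tracker) that does this over a constructed, simplified record layout: one line per report with a bot ID, the reporting host's name and the URL where credentials were captured. Real ZeuS report formats vary by build, and the sector keyword rules are an assumption stood in for an asset inventory or WHOIS data; the hostnames and URLs are invented. The one point it shows that the prose does not is why distinct hosts, not raw report lines, are the right unit for a "machines infected" figure.

```python
"""Triage a botnet credential dump by victim sector.

Added example, not from the original post. The record layout below is a
constructed, simplified stand-in for a ZeuS-style report line (bot id,
reporting host, captured login URL); real dumps vary by build.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: "bot_id|victim_hostname|captured_url". Hostnames and
# URLs are illustrative only and do not describe any real infection.
# One host (ws14.energy.gov) reports twice, and one line is junk.
SAMPLE_DUMP = """\
b01|ws14.energy.gov|https://webmail.example.gov/owa/auth.owa
b02|lt-223.corp.example-bank.com|https://online.example-bank.com/login
b03|pc7.cs.state-univ.edu|https://mail.state-univ.edu/login
b04|home-dsl-991.example-isp.net|https://www.example-bank.com/signin
b05|nb-17.example-pharma.com|https://hr.example-pharma.com/login
b06|ws14.energy.gov|https://intranet.energy.gov/login
this line is corrupt and has no separators
b07|desk-3.army.mil|https://portal.army.mil/owa/auth.owa
"""

# Assumed sector rules (hypothetical). A real engagement would replace the
# keyword lists with an internal asset inventory or WHOIS/ASN data.
SECTOR_RULES = [
    ("government", re.compile(r"\.gov$")),
    ("military", re.compile(r"\.mil$")),
    ("education", re.compile(r"\.edu$")),
    ("financial", re.compile(r"bank|credit|finance", re.I)),
    ("pharma", re.compile(r"pharma", re.I)),
]


def classify_host(hostname):
    """Map a victim hostname to a sector label; consumer/unknown otherwise."""
    for sector, pattern in SECTOR_RULES:
        if pattern.search(hostname):
            return sector
    return "consumer/unknown"


def parse_dump(text):
    """Yield (bot_id, hostname, url) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue
        yield tuple(parts)


def triage(text):
    """Return (sector -> distinct victim hosts, sector -> login hosts seen).

    Counting distinct hostnames rather than raw lines matters: one infected
    machine reports many times, so line counts overstate the botnet's size.
    """
    hosts_by_sector = {}
    targets_by_sector = {}
    for _, host, url in parse_dump(text):
        sector = classify_host(host)
        hosts_by_sector.setdefault(sector, set()).add(host)
        target = urlparse(url).hostname or ""
        targets_by_sector.setdefault(sector, set()).add(target)
    return hosts_by_sector, targets_by_sector


def victim_counts(text):
    """Distinct infected hosts per sector, most-affected sector first."""
    hosts, _ = triage(text)
    return Counter({s: len(h) for s, h in hosts.items()}).most_common()


if __name__ == "__main__":
    for sector, n in victim_counts(SAMPLE_DUMP):
        print(f"{sector:18s} {n}")
```

On the constructed sample the dump has eight lines, seven of them well formed, but only six distinct infected hosts; the second table (captured login hosts per sector) is what tells you which of the victim's own services the bot saw credentials for, which is the part a notification e-mail actually needs.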

The first sign that a story might be over-hyped is usually when it gets downplayed by some of the world’s largest security companies, such as McAfee and Symantec. These are companies that critics often accuse of encouraging hysteria over computer security threats so as to drive up sales of their products and services.

But both companies today sought to talk people down off the ledges and assure customers that the threat was – while serious – nothing new.

“In the world of cybersecurity the ‘kneber’ botnet is, unfortunately, just another botnet. With 75,000 infected machines, Kneber is not even that big, there are much larger botnets,” McAfee said in a written statement. “Kneber is based on the ‘Zeus’ Trojan, malware known to security companies. In our recently released Q4 2009 Threats Report we found that in the last three months of 2009 just under four million newly infected machines joined botnets.”

Symantec also downplayed the threat:

“Kneber, in reality, is not a new threat at all, but is simply a pseudonym for the infamous and well-known Zeus Trojan. The name Kneber simply refers to a particular group, or herd, of zombie computers, a.k.a. bots, being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot, which also goes by the name Zeus, which has been observed, analyzed and protected against for some time now.”

Perhaps I am a little closer to this particular botnet than most: After all, I have written dozens of stories over the last nine months about the exploits of organized criminals using ZeuS to steal tens of millions of dollars from small- to mid-sized businesses, governments and non-profit organizations.

This is just some of the context that would have been nice to see in any of the mainstream press treatment of this research. From where I sit, security stories that lack appropriate context tend to ring hollow, and squander important opportunities to raise awareness on the size, scope and real-world impact of these threats.



  1. Dan finally hit the nail on the head. Block javascript (NoScript) in Firefox (no ActiveX/BHO); run CCleaner often to clean up the internet residue; small AV as a trunk monkey in case some glitch appears; Foxit Reader and regular, manual updates (MS, Firefox, NoScript, AV).

    I own a computer repair store. EVERY computer I work on has an AV (Norton/McAfee/TrendMicro/AVG/Kaspersky) and they’re all infected in some manner. IE usage is the usual culprit, but I also see a lot of useless download tools (DriverDetective, RegCleaners, etc.).

    Brian’s article is spot-on. The press either doesn’t get it or is complicit in the silence. My theory is simple – javascript drives advertising. Why would any internet-centric business/portal/media outlet want you to use a tool that blocks their revenue machine?

    And what about rootkits? 80-90% of our repairs are rooted, a few are in the MBR (we zero-fill all HD before reinstalling). I see 10-15 different kits regularly and there are some that are really good requiring some serious digging to find out what they’ve done.

    Thanks for the great site….
    The public needs to know more about rootkits – they disable AV programs!

  2. I wonder if anyone has read the white paper write-up from Netwitness about this? In it, they indicated that a one month data dump yielded these 74,126 infected machines. I’ve read many reports that they are just “rehashing the zeus botnet” but once again, in the report, they are indicating that there is a new executable involved. That is where the Kneber comes into play, and a yahoo address that was involved. Anyways, I think what they are basically saying is that while it’s an old botnet, it has a new twist and has been infecting untold systems so far. The DoD has a report of nearly 50 million systems being infected with an unknown botnet. And so far no commercial security companies have found it. Could this be it? Right now, that seems farfetched, but I think you’ll find that this will end up being an accurate statement.

  3. When I read that botnet press release that got turned into a page one story I knew something was wrong. The Post now has no one capable of writing a decent, technically correct article. How could they get it so wrong? The newspaper of the nation’s capital is not the place to be weak on tech coverage. Did they think to consider there’s a cost involved? It takes only a few poorly written and researched stories to obliterate the credibility that takes years of reliable reporting to build. The Post is well on the road to its own irrelevance.

    • Bobby,

      The Post has lost credibility on many fronts. This is not their first poorly written and researched piece on page 1. To most journalists, I suspect information security might as well be rocket science.

  4. Why do a piece on cyber security when you cannot do basic research? Not even Obama’s interest in Cyber Security could spur them on!

    • Because an editor thought that with the press release someone had already done the research for them.

      It’s got a hook and will sell papers. It’s also kind of a feel-good, special interest piece. Just about everyone could shake their head and think “isn’t that horrible” as well as “I’m glad that will never happen to me.”

  5. I read today that the Post has finally turned a profit, although it’s clearly come at a cost: “Continued cost-cutting boosted the newspaper back into the black.”

    With that reduction in cost comes an equivalent reduction in quality. This “Botnet is Big News” article was one of many that made me scratch my head and wonder: “Do they even understand how much they got wrong?”

    Now that BK has left WAPO, it’s time for a rewrite of that old salesmen joke:

    What’s the difference between a Post automobile writer and a Post computer technology writer? The automobile writer *knows* when he’s lying to you.

    Bobby G.