As a journalist who for almost ten years has sought to explain complex computer security topics to a broad audience, it’s sometimes difficult to be picky when major news publications over-hype an important security story or screw up tiny details: For one thing, Internet security so seldom receives more than surface treatment in the media that the increased attention to the issue often seems to excuse the breathlessness with which news organizations cover what may seem like breaking, exclusive stories.
The trouble with that line of thinking is that an over-hyped story tends to lack important context that helps frame the piece in ways that make it more relevant, timely, and actionable, as opposed to just sensational.
I say this because several major media outlets, including The Washington Post and the Wall Street Journal, on Thursday ran somewhat uncritical stories about a discovery by NetWitness, a security firm in Northern Virginia that has spent some time detailing the breadth of infections by a single botnet made up of PCs infected with ZeuS, a password stealing Trojan that lets criminals control the systems from afar. NetWitness found that this particular variant of the botnet, which it dubbed “Kneber,” had invaded more than 2,500 corporations and 75,000 computers worldwide.
The Post’s headline: More than 75,000 Computer Systems Hacked in one of the Largest Cyber Attacks, Security Firm Says.
From the WSJ: Broad New Hacking Attack Detected: Global Offensive Snagged Corporate, Personal Data at Nearly 2,500 Companies: Operation is Still Running.
Yahoo!’s coverage tells us, Scary Global Hacking Offensive Finally Outed.
After a day of dodging countless PR people pitching their experts to pile on to the story, I finally resolved to add my two cents when I heard this gem from the PBS Newshour with Jim Lehrer: “A major new case of computer hacking has been uncovered. A virus known as botnet invaded the computers and used them to steal data from commercial and government systems. Among other things, the hackers have gained access to e-mail systems and online banking.”
Not to take anything away from NetWitness, whose network forensics software I have used and admire. Also, the company has a fine stable of security researchers, and is headed up by no less than Amit Yoran, a clueful geek who was formerly the top cyber official at the Department of Homeland Security.
And NetWitness timed its research masterfully, releasing its findings as it did so soon after news that Google and many other large financial, energy, defense, technology and media firms had been compromised by a stealthy computer attack.
The Post’s Ellen Nakashima tells us, “..it is significant…in its scale and in its apparent demonstration that the criminal groups’ sophistication in cyberattacks is approaching that of nation states such as China and Russia.”
Sadly, this botnet documented by NetWitness is neither unusual nor new. For the past several years at any given time, the number of distinct ZeuS botnets has hovered in the hundreds. At the moment, there are nearly 700 command-and-control centers online for ZeuS botnets all over the world, according to ZeuStracker, a Web site that keeps tabs on the global threat from ZeuS.
True, not every distinct ZeuS botnet has 75,000 infected machines in its thrall, but that’s actually not all that rare, and some have far more systems under their control. Last summer, I wrote about a ZeuS botnet of roughly 100,000 infected systems whose overlords (or enemies) exercised the “kill operating system” feature built into the botnet code, instructing all of the infected computers to render themselves unbootable and for all purposes unusable by either the bad guys or the rightful owners of the machines.
Take a peek inside any monster piles of purloined data these botnets turn in each day and chances are you will find similar victims as detailed in the Kneber write-up: Infected computers at dozens of government, military and educational institutions, as well as many of the world’s top corporations.
Back in 2007, I wrote a story for The Washington Post’s Security Fix blog called Tracking the Password Thieves, in which I pored over the data stolen by a single botnet that had infected some 3,221 U.S. victims. In just that comparatively tiny sample, I found infected machines at U.S. government systems (Department of Energy), financial institutions (Bank of America), and plenty of Fortune 50 companies, including IBM, Amgen and Merck (the latter was found again in the ZeuS botnet dissected by NetWitness).
Incidentally, the name of the password-stealing malware that I tracked in that story three years ago? “WSNPoem,” a pseudonym for the ZeuS Trojan.
The first sign that a story might be over-hyped is usually when it gets downplayed by some of the world’s largest security companies, such as McAfee and Symantec. These are companies that critics often accuse of encouraging hysteria over computer security threats so as to drive up sales of their products and services.
But both companies today sought to talk people down off the ledges and assure customers that the threat was – while serious – nothing new.
“In the world of cybersecurity the ‘kneber’ botnet is, unfortunately, just another botnet. With 75,000 infected machines, Kneber is not even that big, there are much larger botnets,” McAfee said in a written statement. “Kneber is based on the ‘Zeus’ Trojan, malware known to security companies. In our recently released Q4 2009 Threats Report we found that in the last three months of 2009 just under four million newly infected machines joined botnets.”
Symantec also downplayed the threat:
“Kneber, in reality, is not a new threat at all, but is simply a pseudonym for the infamous and well-known Zeus Trojan. The name Kneber simply refers to a particular group, or herd, of zombie computers, a.k.a. bots, being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot, which also goes by the name Zeus, which has been being observed, analyzed and protected against for some time now.”
Perhaps I am a little closer to this particular botnet than most: After all, I have written dozens of stories over the last nine months about the exploits of organized criminals using ZeuS to steal tens of millions of dollars from small- to mid-sized businesses, governments and non-profit organizations.
This is just some of the context that would have been nice to see in any of the mainstream press treatment of this research. From where I sit, security stories that lack appropriate context tend to ring hollow, and squander important opportunities to raise awareness on the size, scope and real-world impact of these threats.