February 19, 2010

As a journalist who for almost ten years has sought to explain complex computer security topics to a broad audience,  it’s sometimes difficult to be picky when major news publications over-hype an important security story or screw up tiny details: For one thing, Internet security so seldom receives more than surface treatment in the media that the increased attention to the issue often seems to excuse the breathlessness with which news organizations cover what may seem like breaking, exclusive stories.

The trouble with that line of thinking is that an over-hyped story tends to lack important context that helps frame the piece in ways that make it more relevant, timely, and actionable, as opposed to just sensational.

I say this because several major media outlets, including The Washington Post and the Wall Street Journal, on Thursday ran somewhat uncritical stories about a discovery by NetWitness, a security firm in Northern Virginia that has spent some time detailing the breadth of infections by a single botnet made up of PCs infected with ZeuS, a password stealing Trojan that lets criminals control the systems from afar. NetWitness found that this particular variant of the botnet, which it dubbed “Kneber,” had invaded more than 2,500 corporations and 75,000 computers worldwide.

The Post’s headline: More than 75,000 Computer Systems Hacked in one of the Largest Cyber Attacks, Security Firm Says.

From the WSJ: Broad New Hacking Attack Detected: Global Offensive Snagged Corporate, Personal Data at Nearly 2,500 Companies: Operation is Still Running.

Yahoo!’s coverage tells us, Scary Global Hacking Offensive Finally Outed.

After a day of dodging countless PR people pitching their experts to pile on to the story, I finally resolved to add my two cents when I heard this gem from the PBS Newshour with Jim Lehrer: “A major new case of computer hacking has been uncovered. A virus known as botnet invaded the computers and used them to steal data from commercial and government systems. Among other things, the hackers have gained access to e-mail systems and online banking.”

Not to take anything away from NetWitness, whose network forensics software I have used and admire. Also, the company has a fine stable of security researchers, and is headed up by no less than Amit Yoran, a clueful geek who was formerly the top cyber official at the Department of Homeland Security.

And NetWitness timed its research masterfully, releasing its findings as it did so soon after news that Google and many other large financial, energy, defense, technology and media firms had been compromised by a stealthy computer attack.

The Post’s Ellen Nakashima tells us, “..it is significant…in its scale and in its apparent demonstration that the criminal groups’ sophistication in cyberattacks is approaching that of nation states such as China and Russia.”

Sadly, this botnet documented by NetWitness is neither unusual nor new. For the past several years at any given time, the number of distinct ZeuS botnets has hovered in the hundreds. At the moment, there are nearly 700 command-and-control centers online for ZeuS botnets all over the world, according to ZeuStracker, a Web site that keeps tabs on the global threat from ZeuS.

True, not every distinct ZeuS botnet has 75,000 infected machines in its thrall, but that’s actually not all that rare, and some have far more systems under their control. Last summer, I wrote about a ZeuS botnet of roughly 100,000 infected systems whose overlords (or enemies) exercised the “kill operating system” feature built into the botnet code, instructing all of the infected computers to render themselves unbootable and for all purposes unusable by either the bad guys or the rightful owners of the machines.

Take a peek inside any monster piles of purloined data these botnets turn in each day and chances are you will find similar victims as detailed in the Kneber write-up: Infected computers at dozens of government, military and educational institutions, as well as many of the world’s top corporations.

Back in 2007, I wrote a story for The Washington Post’s Security Fix blog called Tracking the Password Thieves, in which I pored over the data stolen by a single botnet that had infected some 3,221 U.S. victims. In just that comparatively tiny sample, I found infected machines at U.S. government systems (Department of Energy), financial institutions (Bank of America), and plenty of Fortune 50 companies, including IBM, Amgen and Merck (the latter was found again in the ZeuS botnet dissected by NetWitness).

Incidentally, the name of the password-stealing malware that I tracked in that story three years ago? “WSNPoem,” a pseudonym for the ZeuS Trojan.

The first sign that a story might be over-hyped is usually when it gets downplayed by some of the world’s largest security companies, such as McAfee and Symantec. These are companies that critics often accuse of  encouraging hysteria over computer security threats so as to drive up sales of their products and services.

But both companies today sought to talk people down off the ledges and assure customers that the threat was – while serious – nothing new.

“In the world of cybersecurity the ‘kneber’ botnet is, unfortunately, just another botnet. With 75,000 infected machines, Kneber is not even that big, there are much larger botnets,” McAfee said in a written statement. “Kneber is based on the ‘Zeus’ Trojan, malware known to security companies. In our recently released Q4 2009 Threats Report we found that in the last three months of 2009 just under four million newly infected machines joined botnets.”

Symantec also downplayed the threat:

“Kneber, in reality, is not a new threat at all, but is simply a pseudonym for the infamous and well-known Zeus Trojan. The name Kneber simply refers to a particular group, or herd, of zombie computers, a.k.a. bots, being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot, which also goes by the name Zeus, which has been being observed, analyzed and protected against for some time now.”

Perhaps I am a little closer to this particular botnet than most: After all, I have written dozens of stories over the last nine months about the exploits of organized criminals using ZeuS to steal tens of millions of dollars from small- to mid-sized businesses, governments and non-profit organizations.

This is just some of the context that would have been nice to see in any of the mainstream press treatment of this research. From where I sit, security stories that lack appropriate context tend to ring hollow, and squander important opportunities to raise awareness on the size, scope and real-world impact of these threats.

39 thoughts on “ZeuS: ‘A Virus Known as Botnet’

  1. J.C. Reid

    Brian – Thanks for this. When I read about this in WaPo and saw it on PBS, I was scratching my head and thinking, “So, what’s new?” The one constant was NetWitness, so I figured they must have a new product coming out and wanted to drum up business. I concluded the press release headline was just too juicy for the media outlets to pass up. Sad but true.

  2. Rick

    Too funny. But Lehrer got it wrong. The virus is called *trojan*. Still, the Fortiguard white paper is excellent. Bill Gates’ dream was to put a computer in every home and on every desktop. He succeeded – and they’re all infected.



  4. Wladimir Palant

    Thank you, Brian. I saw an article in the InformationWeek and was also wondering what is so special about this botnet. Is it somehow targeting specifically corporations? Is it particularly hard to detect? Anything else? The article didn’t make it clear and now that I read your post it seems that there is nothing special about it indeed.

  5. TheGeezer

    Exactly Brian. Not only is it common, the same registrar has registered domains for this botnet to install the zeus trojan for 7 days straight, using the IRS, the Macromedia Flash Player and the Valentine Card exploits among others.

    It is simply business as usual for the botnet and the registrar.
    And of course the registrar’s emergency response team works only during normal working hours, 9-5, weekdays.

    1. TheGeezer

      Update: make that 9 days straight of domains registered with the same registrar and used by the zeus botnet for IRS, Facebook, Visa and other frauds which install bots and steal identities.
      Also, the emergency? response team only takes down fraudulent domains 9-10 AM weekdays.

      Imagine in the brick and mortar world if it was reported to the water company on a friday that they had contaminated water and they said they would take care of it monday morning!
      Yet this seems to be perfectly acceptable in the digital world.

      One day, probably the next computer generation, one will wonder how we could have been so stupid. But that day is obviously a long way off.

      In the mean time we can rubber-neck the accidents along the digital highway and talk about all the things the victims should have done to avoid it.

      1. Michael Horowitz

        For personal computers, you are absolutely right. This is Bedrock and we are the Flintstones. There are reliable computers, mainframes being one example. But personal computers (Windows, Linux and Macs) are as crude as the tools Fred and Barney used.

  6. Dave Wilson

    This is why somebody with your expertise should be making six figures working for the NYT, WSJ, Washington Post…

    1. WhoIsJohnGalt

      Instead of giving NYT, WSJ, WP, the $.50…maybe Brian can set up a volunteer micropayment button. In time, Brian will be rewarded with Gold he deserves.

      Click HERE is you enjoyed this story

      You’re a “producer” Brian, don’t sweat the small stuff. We understand your value and sincerely appreciate your product daily.

      Click HERE is you enjoyed this story

      /John Galt

  7. JackRussell

    I suppose the only thing that is new is that the general public is hearing about this for the first time. And true to form, the MSM sometimes gets the story wrong.

  8. lembark

    Our problem is that the “public” is hearing somewhat mis-informative sound bites, without any real context or information on how to avoid infection.

    Looking at the recent coverage, I cannot find anything that wasn’t here or in the Post years ago. One possible solution: Maybe Brian should be required reading for anyone with a computer. At least then more people would understand the risks and why they want to care about security.

    Interesting thing about technology, though: the guys we don’t like usually invent the most useful things. The porn industry gave us web graphics and HTTP uploads; botnets provide a clear vision of what cloud computing can accomplish and some good direction on how to apply it.

    Q: Is there a fix for these systems (aside from *NIX)?

  9. Buss

    Let me begin by saying that I am more than just a little naive about these issues. However, the question “So what’s new about this whole ZeuS / botnet story?” may well be quite simple; Google’s recent, highly publicized, dust up with China. Who’s purpose is served by raising this (old) issue NOW?

    1. Karen

      What hole are you crawling out of? The number of fraudulent ACH and wire transfers from small commercial accounts is growing at an alarming trend, and the scary part is hardly anyone knows about it. It is crisis time, my friend.

  10. Ben K

    Took the words right from my mouth, Brian. Netwitness purged my comment in their post about “Move over China, here comes Russia.” Russia has been at the forefront of these botnets the whole time — not china.

    1. ncc uss

      Russia is the biggest when it comes to botnets and other for-profit malware. China is biggest when it comes to cyber espionage.

  11. Rob

    Given the size of the problem and the fact that most people don’t even know there is a problem, isn’t a more mainstream story good news? In this case I think the fact that people are hearing about wide spread viruses organized by some person or group is good.

    Most computer users still don’t understand the threat malware pose. If these people end their day thinking viruses are becoming a bigger and more serious problem or more threatening they might start to do some independent reading. Then they find Krebs on Security and other more informative sites.

    1. BrianKrebs Post author


      I hope my hand-wringing over your very question was clear from my post. I think it’s great when large media organizations sound the alarm on this stuff, and the alarm definitely needs sounding.

      I just felt like the stories all lacked any kind of context whatsoever, and were uncritically reported. Where is the perspective from outside experts who can add perspective on what is already known about this threat?

      I thought the Netwitness report was interesting and well done. As I said, I wasn’t trying to say their report wasn’t important: It says a great deal that so many powerful and rich corporations can’t seem to keep these opportunistic threats out.

      One angle that hasn’t — to my knowledge — be explored much in any of the stories so far is: So the E. European criminal gangs stealing all this data are masters at wringing out every ounce of profit from the financial credentials. But to whom are they selling the stuff they can’t use? I’m talking about the credentials for corporate e-mail accounts, vpns, government email accounts, vpns, etc, etc. And I guarantee you they are selling it, because it has value to someone.

      1. CyberNorris


        You know the process of what happened. A good press release was presented to the right assignment editors at the right moment to be of interest. These couple of editors assigned a “reporter who knows something about computers” but who didn’t have the knowledge or time to be able to understand the context themselves, let alone pass along anything more than the standard, hyped regurgitation of the press release with a couple of “expert” quotes thrown in to provide substance. Then the hundreds of feeder news organizations had to jump on and, rather than actually do journalism, rewrote the original article(s) in a way that was “fresh” and “advanced the story” with their own perspective and lack of knowledge/context… maybe with a quick peek at Wikipedia or a Google search. Thus we end up with a highly respected news reader (I love the UK for that blatently honest label) looking foolish (to some) by proclaiming “a virus named botnet.”

        A few decades ago I found a cartoon that had a reporter in front of a wall covered with note cards. On each card was written a plethora of unrelated topics like geology, bankruptcy, water quality, astrophysics, pediatric surgery, home construction, penguin migration, etc. At the top of the wall was a sign: “Today I am an expert in….” The reporter was blindfolded and holding a dart.

        I once watched a reporter just for fun do a staged 2 minute staged “live shot” explaining why there were a dozen soda machines in front of a small town supermarket. Actual knowledge of a subject is not necessary to fill time and/or space.

        You were blessed to be allowed to cover in depth a relatively narrow field that allowed you to apply your own curiosity and become something of an expert in your chosen subject. Thank you for your work and I wish you the best moving forward!

        “Too many journalists are egotistical infomaniacs who want to make sure that you know how much they know about any and every subject… and what you should think about it.” (statement Copyright 1996 by me)

        CyberNorris (a former television news photojournalist and producer turned IT pro and information security auditor…now a CISSP and CISA)

        1. Bill Wildprett

          Excellent article Brian and also a fine comment from CyberNorris and their media perspective.

          Congratulations CyberNorris on becoming a CISSP and CISA! I’m a CISSP and will be taking the CISA exam on 6/12/2010.

          Brian, have you considered earning a CISSP?

          1. CyberNorris


            Good luck on the CISA exam. After the CISSP, that one didn’t feel all that difficult.

            I’m not sure ISC2 would approve Brian’s journalism work as required experience for the CISSP. Remember the credentialing process is more than just passing a test. That said, I’m certain ISC2 and ISACA would both be happy to accept Brian as a member.

            Norris Carden

            1. Darcel Orengo

              Hello! I just wanted to ask if you ever have any problems with hackers? My last blog (wordpress) was hacked and I ended up losing several weeks of hard work due to no data backup. Do you have any methods to prevent hackers?

  12. LonerVamp

    If you ask me, this is why you should always pimp and support those few truly knowledgable journalists in the tech world. 🙂 You can’t stop news outlets from trying to be sensational to get eyes, nor can I get too mad about broadening the exposure to the “mainstream” world to these issues. But you can help promote those few journalists (like yourself!) who have their head on straight, technically.

  13. James R. ("Jim") Woodhill

    There is a saying in Washington, D.C.:

    – One report is an “anecdote”

    – Two reports is a “trend”

    – Three reports is a TIME Magazine cover

    – Four reports is “legislation”

    OK, there has been a lot of “information inflation” since this aphorism was created, so today it’s off by three or four orders of magnitude. However, on the issue of cybercrime, I think America is well past the magazine cover. The question that is now before the house is what proposal should be put before the House (and the Senate)? I think the political branches are ready to “Do Something”, but do exactly *what*?

    My late, great friend Milton Friedman famously wrote, “Only a crisis–actual or perceived–produces real change. When that crisis occurs, the actions that are taken depend on the ideas that are lying around. That, I believe, is our basic function: to develop alternatives to existing policies, to keep them alive and available until the politically impossible becomes politically inevitable.”

    Congress is not staffed to “propose” only “dispose”. Thus, one is as likely to get a folly like “Sarbanes-Oxley” as a wise policy like a “Nunn-Lugar”. (More likely, actually, because of how commonly the Conventional Wisdom is wrong.)

  14. Joseph Menn

    Couldn’t agree more, Brian.
    As the Watergate saying goes, if you aim too high and miss, everyone feels safe.
    The truth is terrible as well as important, and it’s hard enough getting it across without people being conditioned to ignore bad news from such hype as this.

    1. Bob Bowie

      This is directed to the bobble heads here saying ‘yeah this story was overdone – it wasn’t a big deal’….

      Hype? What hype are you folks referring to? This variant was around for 18 months – do you know when McAfee covered this ‘old, nothing new here’ attack??? January 28th. Symantec has a similar timeline. Look it up for your self.

      Neither one of these vendors stand a chance against any new ZeuS 1.3 variants. arriving on the scene.

      What hype? This stuff is real, and honestly, its ‘poo-pooing’ pundits who THINK they understand the security landscape that give people a false sense of security.

      What this story should really be about is ‘wow- this really illustrates how current conventional security practices just aren’t enough to catch a variant of ZeuS based off of an old 1.2 version of ZeuS”

      Seriously, do you think the companies named didn’t have robust security in place? Merck? Paramount? etc etc??

      Only by capturing all the data and looking at what is truly coming across the network will save you. Netwitness and maybe a few others give you a snowballs chance in hell of finding this stuff- nothing else will.

  15. Remote Exploit

    What’s sorely missing from the “journalism” that hypes this stuff is the fact that computer users are the enablers of 99% of the compromises. I’m not hearing any finger-wagging directed at the real cause of the problem, just tales of the insidious nature of the criminals.

  16. JS

    I still ask the audience here if these malwares & bots are getting into corporation, military and government through the front door -as when the employee walks in from home.

    The generous policies on laptop and PC use in the 1990s and 2000s brought about a huge IT headache and shift in defense posture of data security from passive defense to reactive.

    From Execs to the Grunts, no one thinks about not trusting the data security of a computing or storage device they just brought into the building.

    The analog is:
    Your personage is highly scrutinized and shake down at the airport, and boarder your asked all sorts of questions about where you’ve been and what your carrying. In fact you or your vehicle may be searched to look for pests you know you have unintentionally carried in.

    Yet plug in your laptop, USB stick, or enter the correct WPA info you get on the .Edu, .Gov or .Com internal network — period. No questions asked of your laptop of where it was last night and whom it may have been “talking” with, or where it’s travelled. No searching is even asked, no monitoring to see if still resembles the config it was sent out with (akin to matching sayig you are who you are.)

    Bots need channels and pipes to work. Net Managers & DataSec guys stomped all over eMule, bittorents and P2P because they were “noisy.” Its a sign the cons are ahead of the game in that nobody is seeing the meters spin on their pipes bandwidth usage — finding these slow info leaks is near impossible in an enterprise.

    Unless Gov, small business and Enterprise suddenly begin to realize that despite the fact they lock the front door physically they are not good at locking down the network access outbound. Until this is realized, these outbreaks will continue to be a persistent part of the ecosystem.

    Data security — Its really a mindset that has to be taught before the disasters happen.

    I wonder if there is any chamber of commerce programs out there to aid small businesses to realize their risk and in plain simple talk discuss how to secure their small business.

  17. Frank


    Very nice article. I agree that there some people seem to be fanning the flames without really understanding what they are talking about.

  18. User Headspace

    We need to treate the disease not the syptoms.

    Laws, regulations, requirements for C&A and certified cybersecurity specalist will not stop cyber attacks, neither will educating the masses. In fact they may make it easier for the bag guy to be successful, while were ll out getting our training, their still hacking away.

    What will make a difference is writing better code with fewer vulnerabilities that can be exploited. The bad guys have all the time in the world to research, develop, test and exploit vulnerabilities created by poor coding. The good guys have a precious few minutes to identify and respond to new threats.

    As long as we continue to accept poor code, we can expect to continue to see exploits taking advantage of the vulnerabilities it creates.

    Only by getting off the tredmill and addressing the basics will we have a chance at reducing our exposure.

  19. Dan

    The drive-bys are all JavaScript-based. Wouldn’t it be simpler to just run NoScript in Firefox and be done with it? (And then hope someone makes one for IE.)

  20. Tom Cross

    Dan finally hit the nail on the head. Block javascript (NoScript) in Firefox (no ActiveX/BHO); run CCleaner often to clean up the internet residue; small AV as a trunk monkey in case some glitch appears; Foxit Reader and regular, manual updates (MS, Firefox, NoScript, AV).

    I own a compute repair store. EVERY computer I work on has an AV (Norton/McAfee/TrendMicro/AVG/Kaspersky) and they’re all infected in some manner. IE usage is the usual culprit, but I also see a lot of useless download tools (DriverDetective, RegCleaners, etc.).

    Brians article is spot-on. The press either doesn’t get it or are complicit in the silence. My theory is simple – javascript drives advertising. Why would any internet-centric business/portal/media outlet want you to use a tool that blocks their revenue machine?

    And what about rootkits? 80-90% of our repairs are rooted, a few are in the MBR (we zero-fill all HD before reinstalling). I see 10-15 different kits regularly and there are some that are really good requiring some serious digging to find out what they’ve done.

    Thanks for the great site….
    The public needs to know more about rootkits – they disable AV programs!

  21. MC

    I wonder if anyone has red the white paper write up from Netwitness about this? In it, they indicated that a one month data dump yielded these 74,126 infected machines. I’ve read many reports that they are just “rehashing the zeus botnet” but once again, in the report, they are indicating that there is a new executable involved. That is where the Kneber comes into play, and a yahoo address that was involved. Anyways, I think what they are basically saying is that while it’s an old botnet, it has a new twist and has been infecting untold systems so far. The DoD has a report of nearly 50 million systems being infected with an unknown botnet. And so far no commercial security companies have found it. Could this be it? Right now, that seems farfetched, but I think you’ll find that this will end up being an accurate statement.

  22. Bobby Green

    When I read that botnet press release that got turned into a page one story I knew something was wrong. The Post now has no one capable of writing a decent, technically correct article. How could they get it so wrong? The newspaper of the nation’s capital is not the place to be weak on tech coverage. Did they think to consider there’s a cost involved? It takes only a few poorly written and researched stories to obliterate the credibility that takes years of reliable reporting to build. The Post is well on the road to its own irrelevance.

    1. CyberNorris


      The Post has lost credibility on many fronts. This is not their first poorly written and researched piece on page 1. To most journalists, I suspect information security might as well be rocket science.

  23. ypwnme

    Why do a piece on cyber security when you cannot do a basic research? Not even Obama’s interest in Cyber Security could spur them on!

    1. CyberNorris

      Because an editor thought that with the press release someone had already done the research for them.

      It’s got a hook and will sell papers. It’s also kinda a feel-good, special interest piece. Just about everyone could shake their head and think “isn’t that horrible” as well as “I’m glad that will never happen to me.”

  24. Bobby Green

    I read today that the Post has finally turned a profit, although it’s clearly come at a cost: “Continued cost-cutting boosted the newspaper back into the black.”

    With that reduction in cost comes an equivalent reduction in quality. This “Botnet is Big News” article was one of many that made me scratch my head and wonder: “Do they even understand how much they got wrong?”

    Now that BK has left WAPO, It’s time for a rewrite of that old salesmen joke:

    What’s the difference between a Post automobile writer and a Post computer technology writer? The automobile writer *knows* when he’s lying to you.

    Bobby G.

Comments are closed.