68,000 stolen logons in hands of ‘amateur’ hackers
The gang most likely began by hiring spam specialists to send out e-mail and social-networking posts to lure recipients into clicking on a tainted Web link, says Don Jackson, senior researcher at SecureWorks.
They then used a dated free version of a hacking tool called ZeuS and did nothing to hide their tracks, indicating that “they’re probably amateurs,” Jackson says.
That disclosure underscores how deeply cybercriminals — from novices to elite gangs — have now saturated the Internet with infections that allow them to take full control of Windows PCs. Cybergangs slot newly infected PCs, called bots, into networks called botnets. On any given day, 12% to 15% of the 1.6 billion computers connected to the Internet are bots, according to security firm Damballa.
Botnets are the engines that drive cybercrime, ranging from petty scams to espionage. “We’ve become desensitized to botnet infestation,” says Tim Belcher, NetWitness chief technology officer.
In late January, NetWitness began tracking data exchanges between a bot in one of its client’s networks and a remote server. Investigators accessed the server and found some 68,000 user name and password pairs for an array of online accounts. The data were stolen from 75,000 botted PCs in 2,411 organizations from 196 countries.
These included government agencies and schools, as well as drug, health, energy, tech, financial and media companies.
Gunter Ollmann, Damballa’s vice president of research, has tracked this particular gang since late 2008. He says the hackers, now being referred to as the Kneber gang, are responsible for infecting at least 97,100 PCs in corporate networks in North America, in what’s considered a “small” botnet. There are some 2,000 botnet gangs that together control 5% to 7% of PCs in corporate settings in North America. “Large enterprises have multiple layers of security defenses,” Ollmann says. “Yet the criminal botnet operators are uniformly successful in breaching these well-defended networks.”