Corporations, agencies infiltrated by 'botnet'

Feb 18, 2010 By JORDAN ROBERTSON , AP Technology Writer

(AP) -- Security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that it was discovered, and it is a reminder of the dangers of having computers with sensitive data connected to the open Internet.

More than 2,400 organizations, including financial institutions and energy companies and federal agencies, were infiltrated by the "botnet," according to the NetWitness Corp. security firm, which discovered it.

NetWitness didn't name the companies or agencies whose computers were compromised. The affected companies reportedly included Merck & Co., Cardinal Health Inc., Paramount Pictures and Juniper Networks Inc. Merck and Cardinal Health said in statements Thursday that one computer in each company was among those in the botnet but no sensitive information was taken. The other two companies didn't return messages from The Associated Press seeking comment Thursday.

The victims don't appear to have been specifically targeted, unlike the recent computer attacks on Google Inc. that prompted the Internet search leader to threaten to pull its business out of China. That's an important distinction, because it shows how online secrets can fall into the wrong hands even when criminals aren't necessarily looking for them.

"This kind of stuff is out there and it's pervasive," said Amit Yoran, CEO of NetWitness and former cybersecurity chief at the U.S. Department of Homeland Security. Parts of the botnet discovered by his firm likely are still active. He said the network appears to be run from computers in Eastern Europe and China, but it's not certain the perpetrators are there.

Botnets are networks of infected PCs that are remotely controlled by hackers and carry out their criminal orders like robots. The PCs are often infected when their owners visit malicious Web sites or open malicious e-mail attachments.

Botnets are a major tool for cybercrime. They help criminals amass troves of stolen data that they can sell on the black market or use for their own schemes, such as yanking money from victims' bank accounts.

The biggest on record is the one created by the Conficker worm. That infected anywhere from 3 million to 12 million PCs running Microsoft Corp.'s Windows operating system and is still active.

The botnet NetWitness discovered used malicious software called "ZeuS" that steals passwords and other online credentials. It's primarily focused on poaching Internet banking credentials and is well known in the security community.

The fact that so many companies and government agencies were hit generally appears to have been incidental. Yoran said the attackers were targeting specific information rather than specific organizations.

Still, they were very successful, snatching more than 68,000 credentials over four weeks. Most of those credentials were login details for Facebook and Yahoo and other personal e-mail services. On the face of it those aren't the most sensitive pieces of information, but they can hold the keys to unlocking other types of online accounts and private data.

Security experts who weren't part of the NetWitness report said the findings illustrate the growing risk from the ZeuS software, whose authors are constantly updating it to evade detection by antivirus software and other security measures.

Don Jackson, researcher with the Counter Threat Unit of SecureWorks, said millions of computers are infected with ZeuS. Perhaps half a million of those are being milked by professional operators running the latest versions of the software.

He said the NetWitness find was a "major threat" but added that the criminals behind it appeared to be using an older version of the software that is easier to detect.

"There are dozens of these types of operations ongoing every day that just aren't named," he said.

A bigger concern, Jackson said, is a new version of ZeuS that has appeared in the last few months and is more powerful and even harder to detect.

One of its features is that it gives a hacker the ability to conduct financial transactions directly from a compromised computer. Otherwise the criminal would have to steal the login credentials and use them on another computer. Some banks have put up extra security measures to detect and stop that.


User comments : 1

Mesafina
not rated yet Feb 19, 2010
You can't stop the signal. I for one welcome our new bot overlords.