WSJ-WP-NYT Re-Tell ZeuS Infection for The Masses

WSJ, WP, and NYT Re-Tell ZeuS Infection for The Masses.

In a trio of stories today, the Wall Street Journal, the Washington Post, and the New York Times may have created some traction where corporate security staff have been struggling.  I am certain that many information security leaders in the financial services industry have fallen short in attempts to effectively describe the complexity of the attacks against our organization.  These three versions of the same story may have broken through…

Sure, from the perspective of an IT or information security professional they were a little off on some of the facts, and didn’t include some of what might seem like the most telling technical details, but they just might have gotten through.  For that they deserve some attention.  If you have not done so already, I strongly recommend passing the stories along to leaders in your organizations.  Or better — write your own summary of the source material from NetWitness and ship it as the cover letter to introduce the links.

The botnet discovered by NetWitness is not unique.  Cisco Systems documented the state of Zeus botnets in their 2009 Annual Security Report — mentioning that the Zeus Trojan infected 3.6 million computers worldwide by October 2009.

So what else will you find in the NetWitness report?

The Zeus code was delivered by obfuscated executables.  NetWitness wrote that “this particular malicious executable had less than a 10 percent detection rate among all antivirus products and the botnet communication was not identified by existing intrusion detection systems.” (page 3)

The overwhelming majority of compromised PCs were running Windows XP Professional SP2, with Windows XP Professional SP3, Windows XP Home Edition SP3, and Windows XP Home Edition SP2 (together amounting to more than 95% of all infected PCs). (page 5)

“The data we analyzed contain over 68,000 stolen credentials during a 4-week period.” (page 5)  The data included 75GB representing only a one-month snapshot from an attack that has lasted more than a year.

Not only were 68K username/password pairs stolen, NetWitness wrote that “the ZeuS Trojan allows for the theft of any file that is resident on an infected system, and a common target for this capability are encryption certificates used for access to banking, corporate VPN and other sensitive systems.  There were 1972 unique certificates files in the data set.” (page 6)  So, in nearly 2000 cases, the combination of a login credential and a certificate that identified the corresponding user’s PC were stolen.  Remember the “something you know plus something you have” requirement of entry-level strong authentication, this was a material loss for some number of targeted organizations.

They reported that the most recent activity seemed to have been directed as stealing credentials used with financial services organizations…  “The infected machines were simply scraping information when users communicated…” with the sites listed.  Web sites for most of the major global financial services organizations are listed as being specifically targeted by this attack, including, but not limited to: Citibank, HSBC, Suntrust, Bank of America, Wells Fargo, e-gold, US Bank, TD Canada Trust, National City, Citizens Bank, S3, WaMu, Wachovia, Chase, Barclays, Lloyds, Paypal, and many more.  (see pages 6-7 for the list)

“The attacks are continuing and corporate losses are still being compiled, said Tim Belcher, chief technology officer at Herndon, Virginia-based NetWitness Corp. ” (Jeff Bliss, Business Week)

A range of reporting appears to support that login credentials appear to have material monetary value in the criminal underground, and using this story as an example, criminals are using sophisticated techniques to steal user’s security phrases and corresponding answers as well.

This attack was based on a foundation of luring unsuspecting employees at targeted firms into downloading malicious applications from sites that are either controlled by the hackers or legitimate sites that have been compromised, or by coaxing the users into opening e-mail containing malicious attachments or links to the same (see my discussion of this topic earlier this month).

What can we do?  The usual measures…

  1. Set up users with least privilege on all platforms.
  2. Employ up-to-date AV with heuristics enabled on PCs and on email choke points, and on web proxies.
  3. Ensure that multiple layers of controls are enabled on a network-edge web proxies.
  4. Confirm that application security considerations baked into the full software development life-cycle.
  5. Write and enforce the use of
    1. Minimum security (configuration) standards,
    2. Aggressive vulnerability assessments,
    3. Ongoing configuration monitoring and
    4. Fine-grained configuration management.
  6. Configure enough event logging, and then
    1. Maintain effective event correlation & analysis,
    2. Alarming, and
    3. Multi-level reporting and
    4. Trending.
    5. May also need new categories of monitoring, correlation, alarming, and reporting — for example, excessive login attempts (failed and successful).
  7. Comprehensively protect “internal” identities (user name/password pairs, digital certificates, and anything else used to identify your user base).
  8. Resist the use of internal identities in uncontrolled environments where they are much more likely to be stolen.  This may take some planning and organized roll-out if you have this issue already.
  9. Integrate employee background checking and monitoring into HR processes.
  10. Consider investing in DLP technology.

What did you think was the most important message of the NetWitness-based reporting?


“Broad New Hacking Attack Detected — Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running.” By Siobhan Gorman, Feb 18, 2010,
and then an excellent supporting illustration at:

“More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says.”, By Ellen Nakashima, Feb 18, 2010

“Malicious Software Infects Computers.”, By John Markoff, Feb 18, 2010

The source report — “The ‘Kneber’ BotNet — A ZeuS Discovery and Analysis.”, Feb 17, 2010

“Cisco 2009 Annual Security Report.” and the full report at:

“Newly Discovered Zeus Spinoff Botnet has Wide Impact.”, by Angela Moscaritolo, Feb 18, 2010

“Over 75,000 systems compromised in cyberattack.”, By Jaikumar Vijayan, Feb 18, 2010

“Global Hackers Breached 2,400 Companies, Security Firm Says.”, By Jeff Bliss, Feb 18, 2010


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: