Investigators said they discovered a 75GB cache, believed to be a hacker drop site tied to the Zeus infections. The cache contained the stolen data from more than 74,000 Zeus infected systems. The hacker files, a one month dump of data from mid-December to mid-January, were discovered Jan. 26 during a routine evaluation of a corporate network. Alex Cox, a principal analyst at NetWitness and researcher who discovered the cache, said he traced a malware download from the corporate network back to a server in Germany, which was left unprotected by the cybercriminals.
NetWitness named the infected PCs tied to the latest wave of Zeus attacks the Kneber botnet. Zeus collected extensive data from individuals at commercial and government systems, including 68,000 corporate login credentials, 2,000 SSL certificate files, and usernames and passwords for online banking sites and social networks. The most common stolen account credentials were usernames and passwords to Yahoo email and Facebook accounts.
"There was a lot of indication that they had the vacuum cleaner turned on and were sucking up whatever the user was browsing to," Cox said in an interview with SearchSecurity.com.
In some cases, Cox said the data dumps represented complete victim identities. Zeus is capable of stealing the protected store of a person's PC. The protected store typically captures data entered into online forms such as names, dates of births, addresses and other sensitive information. There was also an indication that the data cache was still an active drop site for the hackers at the time of the discovery. The cache was taken down by the cybercriminals shortly after they discovered Cox accessing the data.
More alarming, said Cox, is that the Zeus Trojan variant used in the latest attacks had a detection rate of less than 10% among antivirus software. The botnet communication was also shielded from detection by existing intrusion detection systems.
"This is not about a single piece of malware on 75,000 machines, it's about how bad the security industry is responding to these incidents and how bad the problem is," Cox said.
The cybercriminals exploited vulnerabilities in Adobe Flash as well as holes in Adobe Reader and Acrobat using malicious PDF applications in spear phishing attacks, according to Cox. They also used exploit kits to set up drive-by attacks to infect victims.
Attacks at corporate endpoints
The attacks were tied to nearly 2,500 companies and 10 U.S. government agencies. A report in The Wall Street Journal said pharmaceutical giant Merck & Co., Cardinal Health Inc., Paramount Pictures and Juniper Networks Inc. had endpoint machines targeted in the attack. Both companies said the attacks were isolated to endpoint machines.
NetWitness said an analysis of the data determined the compromised machines were located in nearly 200 countries, with the largest number of machines located in Egypt, Mexico, Saudi Arabia, Turkey and the United States. The infected computers were running Microsoft Windows XP or Windows Vista.
Some Windows servers and embedded systems were also infected. Cox said he discovered about 100 instances of corporate server compromises. It's unclear if the infected server file systems were shared servers. The infected embedded systems could be data stolen from kiosks and other small terminals, including ATMs.
Researchers have been tracking the Zeus Trojan for several years. The malware is believed to be driven by eastern European cybercriminal gangs. More than 150 variants of Zeus are spreading in the wild and many automated crimeware kits sold on hacker websites contain the Zeus malware.