Q&A: Alex Cox, Discoverer of Today's Massive Botnet Attack

Data security expert Alex Cox explains how banks can protect themselves against the Kneber botnet, which he discovered, which the Wall Street Journal reported today, and which has infected 75,000 computers at 2,500 organizations around the world and is still active.

You may have seen the story in today's Wall Street Journal or the news we ran this morning on the website about the massive, coordinated botnet attack NetWitness uncovered, which has compromised computers at 2,500 organizations, some of them financial institutions. We were fortunate to get an exclusive interview this morning with Alex Cox, who discovered the attack and is principal analyst at NetWitness. We asked Cox what banks can do to prevent such attacks and to block criminals who have stolen credentials via this type of botnet from using them for online banking, credit card payments and other bank transactions.

BS&T: It seems our readers have two major worries here: (a) have any of their servers been affected by the Kneber botnet and (b) are criminals using these stolen credentials to access online banking applications, credit card systems, etc. Can you give us a sense of how many financial institutions have been affected by the Kneber botnet so far?

Cox: I don't have any specific numbers of financial institutions; there are a few. Zeus, this particular family of botnet, is a huge issue for online banking fraud. In a previous job at a bank, we responded to many Zeus infections on customers' machines, and without a doubt these machines and others like them are being used at every bank for online fraud. In the white paper we wrote, there's a huge list of banks that have been targeted by this type of malware. All the big banks are represented.

BS&T: So this is not a brand-new type of incident. Is it larger than incidents you've seen in the past?

Cox: In the grand scheme of things, compared to botnets that have been reported in the past, 75,000 hosts is not a big one; we've seen million-host botnets. But what's unusual about this attack is that it targeted a wide variety of credentials, including banking credentials but also Facebook and other social networking, email, and identity information such as credit card numbers and Social Security numbers. That makes sense because they want to propagate their malware on as many boxes as possible.

BS&T: Do you know who instigated this attack?

Cox: We don't have specific data on that; attribution to a person is very difficult when you're talking about a global network of compromises and command-and-control structures. What we do know is that there are some commonalities in how the domain names were registered. One of the things that led us to discover the initial malware download is that when we looked up the registry information on several online domain registry services, we noticed that there was a single email address represented on a number of sites. So we were able to say we know this person is doing something bad with this one server, and when I look at all these other servers where he's registered, he's doing bad stuff on those as well. Then when I cross-reference those servers, I come up with another list of email addresses that are related and registered among those servers. So it went from this one registration to a big net of unique IDs. The server locations were global: there were some in China, some in Eastern Europe, some in Panama, some in the U.S., so it shows a concerted, global criminal effort.
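The registrant pivot Cox describes (one e-mail address leads to several domains, those domains lead to further contact addresses, and so on) is a breadth-first walk over a bipartite graph of domains and WHOIS contacts. The following is an added example written for this page, not NetWitness code or data from the Kneber report: the domains, e-mail addresses and WHOIS records are constructed placeholders, and the `SHARED_CONTACTS` exclusion list is our assumption about how a practitioner keeps registrar privacy-proxy addresses from dragging thousands of unrelated domains into the cluster.

```python
"""Pivot from one known-bad domain to related infrastructure through shared
WHOIS contact addresses (registrant / admin / tech e-mails).

Added example for this page. All records below are constructed; nothing here
is a real domain, address or lookup result.
"""
from collections import defaultdict, deque

# Constructed sample: domain -> set of contact e-mails found in its WHOIS record.
WHOIS_CONTACTS = {
    "update-pack.example": {"reg1@mail.invalid"},
    "img-cdn-77.example":  {"reg1@mail.invalid", "admin7@mail.invalid"},
    "panel-stats.example": {"admin7@mail.invalid"},
    "mirror-dl.example":   {"reg1@mail.invalid", "tech9@mail.invalid"},
    "loader-src.example":  {"tech9@mail.invalid"},
    "news-portal.example": {"editor@newspaper.invalid"},
    # A privacy-proxy contact is shared by thousands of unrelated domains;
    # pivoting through it would pull innocent sites into the cluster.
    "shop-legit.example":  {"proxy@whoisprivacy.invalid"},
    "c2-two.example":      {"proxy@whoisprivacy.invalid", "tech9@mail.invalid"},
}

# Contacts that must never be used as a pivot (assumption: privacy proxies,
# registrar abuse mailboxes, hosting-provider defaults).
SHARED_CONTACTS = {"proxy@whoisprivacy.invalid"}


def pivot(seed_domain, contacts=WHOIS_CONTACTS, ignore=SHARED_CONTACTS, max_hops=5):
    """Breadth-first walk: domain -> its contacts -> every domain they registered.

    Returns (domains, emails, hops). `hops` maps each reached domain to its
    distance from the seed, which is worth keeping: a domain two registrant
    hops away is weaker evidence than one sharing a contact with the seed.
    """
    email_to_domains = defaultdict(set)
    for domain, emails in contacts.items():
        for email in emails:
            email_to_domains[email].add(domain)

    hops = {seed_domain: 0}
    seen_emails = set()
    queue = deque([seed_domain])
    while queue:
        domain = queue.popleft()
        if hops[domain] >= max_hops:
            continue
        for email in contacts.get(domain, ()):
            if email in ignore or email in seen_emails:
                continue
            seen_emails.add(email)
            for linked in email_to_domains[email]:
                if linked not in hops:
                    hops[linked] = hops[domain] + 1
                    queue.append(linked)
    return set(hops), seen_emails, hops


if __name__ == "__main__":
    domains, emails, hops = pivot("update-pack.example")
    for d in sorted(domains, key=hops.get):
        print(f"hop {hops[d]}: {d}")
    print("pivot contacts:", sorted(emails))
```

Two things matter in practice beyond the walk itself: the exclusion list, because a single shared privacy-proxy address silently turns the cluster into "every domain at that registrar", and the hop count, so that analysts can rank what the pivot produces instead of treating a fourth-hop domain as equal to the seed.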

BS&T: What can banks do to prevent botnets from accessing their systems?

Cox: Even though a 75,000-node botnet is not huge, most breaches in the past two years have started with a single PC being compromised. Once a criminal has a PC inside your network, he can then pivot off of that PC to other machines and extend his reach inside your network. So even if you're on this list and have only one bot, that one bot could be the key to the castle. They can then use that to get further in and do a massive, Heartland-class break-in.

BS&T: So you have a list of every company that's been affected?

Cox: We have IP and organization information on the hosts that were involved in this timeframe. We're not releasing that information to the public because we don't want to harm these organizations, but we are working with law enforcement and we're notifying victimized organizations that they have an issue.

BS&T: You mentioned that the criminals can start with one PC. That implies that banks need to be ultra careful with every computer in their organization.

Cox: Yes. Ultimately, what they really need to be concerned about is that their current security technologies — their antivirus software, their firewalls — aren't really working anymore; 10 years ago they worked pretty well, but now the miscreants have discovered that they can beat these security technologies everybody has deployed. Technology like NetWitness's [a deep-packet inspection, session reconstruction and network forensics system] allows you to get a view of your network on a grand scale so you can start to identify bad behavior, such as an executable from a server in the Ukraine that has a .jpg extension to make it look like a picture, that you need to look at more closely, that antivirus software may not detect. You need to watch your networks proactively and look for these things the bad guys are doing.
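The ".jpg that is really an executable" check Cox mentions is a content-type mismatch: the file's leading bytes (its magic) say one thing, the URL extension and `Content-Type` header say another. The following is an added example written for this page, not NetWitness code; the reconstructed HTTP sessions are constructed, the fake PE body is built inline, and the helper names are ours. It goes slightly beyond the interview's single case by recognising a few image and archive signatures and by checking the PE signature at `e_lfanew` rather than trusting the two-byte `MZ` prefix alone.

```python
"""Flag downloads whose claimed type (URL extension / Content-Type header)
disagrees with the payload's real magic bytes, e.g. a Windows executable
served as photo.jpg.

Added example for this page; sessions below are constructed, not captured.
"""
import struct

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
EXECUTABLE_TYPES = {"pe", "elf"}


def sniff(data: bytes) -> str:
    """Identify a payload by its leading bytes, not by what it is called."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"GIF87a") or data.startswith(b"GIF89a"):
        return "gif"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # A PE file's DOS stub stores e_lfanew at offset 0x3c; it points at
        # the "PE\0\0" signature. Checking it avoids calling any text that
        # happens to begin with "MZ" an executable.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"
    return "unknown"


def extension(path: str) -> str:
    """Lower-cased extension of the last path segment, query string dropped."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_disguised_executable(url: str, content_type: str, body: bytes) -> bool:
    """True when an executable hides behind an image name or image MIME type."""
    claims_image = extension(url) in IMAGE_EXTENSIONS or content_type.lower().startswith("image/")
    return claims_image and sniff(body) in EXECUTABLE_TYPES


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header: enough for sniff() to say 'pe'."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed reconstructed sessions (url, Content-Type, first bytes of body).
SESSIONS = [
    {"url": "http://198.51.100.23/images/photo.jpg",  "content_type": "image/jpeg",
     "body": b"\xff\xd8\xff\xe0" + b"\x00" * 16},                      # real JPEG
    {"url": "http://198.51.100.23/images/photo2.jpg", "content_type": "image/jpeg",
     "body": build_fake_pe()},                                          # EXE as .jpg
    {"url": "http://203.0.113.8/setup.exe", "content_type": "application/octet-stream",
     "body": build_fake_pe()},                                          # honest EXE
    {"url": "http://198.51.100.23/notes.jpg", "content_type": "image/jpeg",
     "body": b"MZ is how the file starts" + b"\x00" * 40},              # text, no PE sig
]


def review_sessions(sessions=SESSIONS) -> list:
    """Return the URLs of sessions that serve an executable disguised as an image."""
    return [s["url"] for s in sessions
            if is_disguised_executable(s["url"], s["content_type"], s["body"])]


if __name__ == "__main__":
    for url in review_sessions():
        print("disguised executable:", url)
```

The rule is deliberately narrow: an honest `setup.exe` is not flagged here, because the point is the mismatch, not the presence of executables; a download policy for executables is a separate control. Sniffing only needs the first 64 bytes, so it can run on the first packet of a reconstructed session rather than waiting for the whole transfer.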

BS&T: Now that all this information has been stolen, how do banks prevent people from using these stolen credentials to do online banking or other financial transactions?

Cox: One of the most effective techniques I've used at a previous job at a bank was using publicly available blacklist information, where a security researcher has determined which IP addresses have been infected — a lot of security research firms publish blacklist feeds — and applying that to our network monitoring. The thing with Zeus that's really scary is that the miscreants have the ability to remote-control the PC. So where a bank might be able to catch a Zeus-infected machine logging in from the Ukraine, where the user connected from Charlotte, N.C. the last 10 times, now the Zeus-powered criminal can steal the user's credentials and remote control his PC, looking exactly like the user. The blacklist gets you past that.
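Cox's point is that a location or velocity check alone misses the case where the criminal remote-controls the victim's own PC, because the login then arrives from the user's usual address, while a feed of known-infected IPs still catches it. The following is an added example written for this page, not code from a bank or from NetWitness: the blacklist feed, the login log lines, the log format, the IP-to-city table and the users' "usual" locations are all constructed. It loads a one-entry-per-line feed (single addresses and CIDR ranges, `#` comments), parses the logins, and reports both the geo mismatch and the blacklist hit so the two signals can be compared.

```python
"""Apply a published infected-IP blacklist to online-banking login events and
compare it with a plain 'usual location' check.

Added example for this page. Feed, log lines, geo table and log format are
constructed assumptions, not real data or a real bank's schema.
"""
import ipaddress
import re

# Constructed feed in the common one-entry-per-line style.
BLACKLIST_FEED = """\
# infected hosts / C2 - constructed sample, not a real feed
198.51.100.7
203.0.113.0/24
not-an-ip      # malformed line: must be skipped, not abort the load
"""

# Constructed stand-in for a GeoIP lookup.
GEO = {
    "198.51.100.7": "Charlotte, US",
    "198.51.100.9": "Charlotte, US",
    "203.0.113.77": "Kiev, UA",
}

# Where each user normally logs in from (in practice derived from history).
USUAL_LOCATION = {"alice": "Charlotte, US", "bob": "Charlotte, US", "carol": "Charlotte, US"}

# Constructed login records in an assumed key=value format.
LOG_LINES = """\
2010-02-18T08:01:00Z user=alice ip=198.51.100.9 result=ok
2010-02-18T08:05:00Z user=bob ip=203.0.113.77 result=ok
2010-02-18T08:07:00Z user=bob ip=203.0.113.77 result=fail
2010-02-18T08:09:00Z user=carol ip=198.51.100.7 result=ok
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")


def load_blacklist(feed_text: str) -> list:
    """Parse a feed into ip_network objects; comments and bad lines are skipped."""
    nets = []
    for raw in feed_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def is_blacklisted(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_login(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(log_text: str, nets: list, geo=GEO, usual=USUAL_LOCATION) -> list:
    """Return (user, ip, reasons) for successful logins that deserve a second look."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_login(line)
        if ev is None or ev["result"] != "ok":
            continue
        reasons = []
        location = geo.get(ev["ip"], "unknown")
        expected = usual.get(ev["user"])
        if expected is not None and location != expected:
            reasons.append(f"location {location} differs from usual {expected}")
        if is_blacklisted(ev["ip"], nets):
            reasons.append("source IP on infected-host blacklist")
        if reasons:
            alerts.append((ev["user"], ev["ip"], reasons))
    return alerts


if __name__ == "__main__":
    for user, ip, reasons in evaluate(LOG_LINES, load_blacklist(BLACKLIST_FEED)):
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

In the constructed data, bob trips both checks, but carol logs in from her usual city and is caught only because her own address is on the feed, which is exactly the remote-controlled-victim case. Two caveats a practitioner would add: feeds age quickly, so entries need a fetch timestamp and an expiry, and a shared NAT address on a feed will implicate innocent customers behind it, so a hit is better used to trigger step-up authentication or a call-back than an outright block.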

BS&T: It seems odd that Egypt and Mexico were most heavily targeted, then Saudi Arabia, then Turkey, then the U.S. Why do you think that is? Is this attack politically motivated?

Cox: I don't think it's political; the criminals probably wanted to cast as wide a net as possible. Also, the sophistication of the computer networks and security technologies in some of those countries is not as high as in the U.S. or Europe.

BS&T: Is there anything banks should be telling their customers about this and how to protect their own computers, especially if they do online banking?

Cox: Yes. Typically one of the things Zeus does is inject form elements into banking web pages. For example, I'll go to a bank's web site, log in and it will ask for my user name and password. The way that Zeus steals information is it will add a couple of form elements, so not only will you have a user name and password field, you'll also have a credit card number and CCV code field. That's Zeus saying, "give me this information." So the customer should be aware that when they see form elements that they haven't seen before, they should immediately call their bank; that's a pretty good indication that something is going on. And they should surf safely, keep their antivirus software up to date and their machine patched.
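The web inject Cox describes adds input fields to a login form that the bank never served, so the tell is a difference between the fields the bank knows its page contains and the fields actually present. The following is an added example written for this page, not a bank's or NetWitness's code: both HTML pages are constructed, the bank name and field names are placeholders, and the expected-field list is an assumed baseline. Because Zeus rewrites the page inside the victim's browser, a real check has to compare the rendered page (for example in a script the bank serves, or in a support tool run on the customer's machine); the comparison logic itself is what this shows.

```python
"""Detect a Zeus-style form inject by diffing the input fields present in a
login form against the fields the bank knows it serves.

Added example for this page. Both pages and the baseline are constructed.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect <input name=... type=...> elements, grouped by enclosing <form>."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form id (or name) -> list of (input name, type)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("name") or f"form{len(self.forms)}"
            self.forms.setdefault(self._current, [])
        elif tag == "input" and self._current is not None and a.get("name"):
            self.forms[self._current].append((a["name"], (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html: str) -> dict:
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def unexpected_fields(html: str, form_id: str, expected) -> tuple:
    """Return (fields present but not expected, fields expected but missing)."""
    present = {name for name, _ in form_fields(html).get(form_id, [])}
    expected = set(expected)
    return sorted(present - expected), sorted(expected - present)


# Constructed: the login page as the bank serves it.
CLEAN_PAGE = """<html><body>
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" name="submit" value="Log in">
</form></body></html>"""

# Constructed: the same page after an inject added two fields.
INJECTED_PAGE = """<html><body>
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>Card number</label><input type="text" name="card_number">
  <label>Security code</label><input type="text" name="cvv">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" name="submit" value="Log in">
</form></body></html>"""

# Assumed baseline for the form with id="login".
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token", "submit"}


if __name__ == "__main__":
    extra, missing = unexpected_fields(INJECTED_PAGE, "login", EXPECTED_LOGIN_FIELDS)
    print("injected fields:", extra, "missing fields:", missing)
```

Reporting the missing fields as well as the extra ones matters: some injects replace the whole form rather than appending to it, and a baseline field that has vanished is as good a signal as a card-number field that has appeared.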
