You may have seen the story in today's Wall Street Journal or the news we ran this morning on the www.banktech.com website about the massive, coordinated botnet attack NetWitness uncovered that's compromised computers at 2,500 organizations, some of which are financial institutions. We were fortunate to get an exclusive interview this morning with Alex Cox, who discovered the attack and is principal analyst at NetWitness. We asked Cox what can banks do to prevent such attacks and block criminals who have stolen credentials via this type of botnet from using them to do online banking, credit card payments and other bank transactions.
BS&T: It seems our readers have two major worries here: (a) have any of their servers been affected by the Kneber botnet and (b) are criminals using these stolen credentials to access online banking applications, credit card systems, etc. Can you give us a sense of how many financial institutions have been affected by the Kneber botnet so far?
Cox: I don't have any specific numbers of financial institutions, there are a few. Zeus, this particular family of botnet, is a huge issue for online banking fraud. In a previous job at a bank, we responded to many Zeus infections on customers' machines, and without a doubt these machines and others like them are being used at every bank for online fraud. In the white paper we wrote, there's a huge list of banks that have been targeted by this type of malware. All the big banks are represented.
BS&T: So this is not a brand-new type of incident. Is it larger than incidents you've seen in the past?
Cox: In the grand scheme of things, compared to botnets that have been reported in the past, 75,000 hosts is not a big one, we've seen million-host botnets. But what's unusual about this attack is that it targeted a wide variety of credentials, including banking credentials but also including Facebook and other social networking, email, and identity information such as credit card numbers and Social Security numbers. That makes sense because they want to propagate their malware on as many boxes as possible.
BS&T: Do you know who instigated this attack?
Cox: We don't have specific data on that, attribution to a person is very difficult when you're talking about a global network of compromises and command-and-control structures. What we do know is that there are some commonalities to how the domain names were registered. One of the things that led us to discover the initial malware download is when we looked up the registry information on several online domain registry services, we noticed that there was a single email address, firstname.lastname@example.org, represented on a number of sites. So we were able to say we know this person is doing something bad with this one server, and when I look at all these other servers where he's registered, he's doing bad stuff on those as well. Then when I cross reference those servers, I come up with another list of email addresses that are related and registered among those servers. So it went from this one registration to a big net of unique IDs. The server locations were global, there were some in China, some in Eastern Europe, some in Panama, some in the U.S., so it shows a concerted, global criminal effort.
BS&T: What can banks do to prevent botnets from accessing their systems?
Cox: Even though a 75,000-node botnet is not huge, most breaches in the past two years have started with a single PC being compromised. Once a criminal has a PC inside your network, he can then pivot off of that PC to other machines and extend his reach inside your network. So even if you're on this list and have only one bot, that one bot could be the key to the castle. They can then use that to get further in and do a massive, Heartland-class break-in.
BS&T: So you have a list of every company that's been affected?
Cox: We have IP and organization information on the hosts that were involved in this timeframe. We're not releasing that information to the public because we don't want to harm these organizations, but we are working with law enforcement and we're notifying victimized organizations that they have an issue.
BS&T: You mentioned that the criminals can start with one PC. That implies that banks need to be ultra careful with every computer in their organization.
Cox: Yes. Ultimately, what they really need to be concerned about is that their current security technologies — their antivirus software, their firewalls — aren't really working anymore, 10 years ago they worked pretty well, now the miscreants have discovered that they can beat these security technologies everybody has deployed. Technology like NetWitness's [a deep-packet inspection, session reconstruction and network forensics system] allows you to get a view of your network on a grand scale so you can start identify bad behavior, such as an executable from a server in the Ukraine that has a .jpg extension to make it look like a picture, that you need to look at more closely, that antivirus software may not detect. You need to watch your networks proactively and look for these things the bad guys are doing.
BS&T: Now that all this information has been stolen, how do banks prevent people from using these stolen credentials to do online banking or other financial transactions?
Cox: One of the most effective techniques I've used at a previous job at a bank was using publicly available blacklist information, where a security researcher has determined which IP addresses have been infected — a lot of security research firms publish blacklist feeds — and applying that to our network monitoring. The thing with Zeus that's really scary is that the miscreants have the ability to remote-control the PC. So where a bank might be able to catch a Zeus-infected machine logging in from the Ukraine, where the user connected from Charlotte, N.C. the last 10 times, now the Zeus-powered criminal can steal the user's credentials and remote control his PC, looking exactly like the user. The blacklist gets you past that.
BS&T: It seems odd that Egypt and Mexico were most heavily targeted, then Saudi Arabia, then Turkey, then the U.S. Why do you think that is? Is this attack politically motivated?
Cox: I don't think it's political, the criminals probably wanted to cast as wide a net as possible. Also, the sophistication of the computer networks and security technologies in some of those countries is not as high as in the U.S. or Europe.
BS&T: Is there anything banks should be telling their customers about this and how to protect their own computers, especially if they do online banking?
Cox: Yes. Typically one of the things Zeus does is inject form elements into banking web pages. For example, I'll go to a bank's web site, log in and it will ask for my user name and password. The way that Zeus steals information is it will add a couple of form elements, so not only will you have a user name and password field, you'll also have a credit card number and CCV code field. That's Zeus saying, "give me this information." So the customer should be aware that when they see form elements that they haven't seen before, they should immediately call their bank; that's a pretty good indication that something is going on. And they should surf safely, keep their antivirus software up to date and their machine patched.