February 22, 2010, 12:14 PM — Of the nearly 2,500 companies worldwide that have been affected by the Kneber botnet , 374 of them are U.S.-based organizations, according to NetWitness Corp., the company that uncovered the botnet attack last month.
The list of compromised entities in the U.S includes Fortune 500 companies, local, state and federal government agencies, energy companies, ISPs and educational institutions. A total of nearly 75,000 computers worldwide are believed to have been compromised by the botnet, according to NetWitness.
A 75GB cache of stolen data shows that the botnet, which is a variant of Zeus , has been used to steal a wide range of information, including tens of thousands of login credentials -- mainly for financial accounts. The recovered data appears to be one month's worth of information from the botnet's command-and-control servers NetWitness said.
In addition to banking information, the Kneber bot also appears to be designed to harvest other kinds of information, suggesting that Zeus is being put to broader uses than just stealing banking credentials.
NetWitness has so far refused to identify the companies whose machines have been compromised in the worldwide attack. But the Wall Street Journal listed Merck & Co., Cardinal Health Inc., Paramount Pictures and Juniper Networks Inc. as four companies that had been affected.
Alex Cox, the principal analyst at NetWitness who discovered the Kneber bot, said today that not all of the companies affected by it were victims of a targeted attack. In some cases, enterprise systems were compromised as a result of drive-by downloads; in other cases, companies appear to have been targeted by spear-phishing campaigns designed to get individuals to open e-mails with malicious links and attachments.
That suggests that the botnet is being used by multiple groups with different objectives in mind, Cox said.
The data uncovered by NetWitness involved Kneber botnet activity between December 2009 and last month and shows that, in many cases, systems were compromised via a since-patched vulnerability affecting Adobe's PDF reader , Cox said.