Report: Facebook Served As Primary Distribution Channel For Botnet Army

Internet security company NetWitness has just published a report revealing an 18-month, worldwide hacker attack on computers in which Facebook was the topmost method of malware delivery. However, while over 3,500 Facebook login credentials were stolen, that is a very small fraction of the site's more than 400 million users. Yahoo and Hi5 came in second and third, respectively, for stolen credentials.

A NetWitness engineer found evidence of the operation in late January 2010 while installing security software for a client. Additional evidence suggests that an Eastern European criminal group is possibly behind the attack and that it used both German and Chinese computers, the latter because of the ease of operation and reduced chance of detection. As many as 68,000 login credentials for online banking, social networking sites and email were stolen from over 2,400 companies and government agencies. The effort likely exposed personal and corporate data and secrets, including credit card transaction information and intellectual property. American companies whose computers were attacked span a range of industries, including entertainment, technology, finance, energy, Internet providers and education. There is currently no indication of how much data was taken in total or how it was used.

The operation is believed to have been started in late 2008 by hackers in Germany, who initially fooled employees of one organization into clicking links delivered through compromised websites, email attachments or “virus cleaning” ads. Part of the effort also involved fooling government officials into installing spyware. Computers at as many as 10 U.S. government agencies were compromised, and even one soldier’s login information was stolen. At least one online credit card payment processing server was accessed. In one case, an employee was involved in allowing the hackers to gain access to corporate servers.

Once a victim clicked, the spyware known as ZeuS was installed on the computer. ZeuS is a “Trojan horse” application that is available to hackers online in both free and paid forms; it hooks into the web browser (Firefox included) to intercept what the user types and submits. It is a common tool in malware campaigns. Despite expert opinions to the contrary, ZeuS appears to be used for more than just stealing online banking information: NetWitness found that many (over 50%) of the infected computers also carried a second piece of botnet malware, known as Waledac. Breached computers become part of a botnet, and regular antivirus software usually does not detect the intrusion. They turn into “zombie” computers that can be controlled remotely and that send sensitive information to the hackers on a scheduled basis.
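The “scheduled basis” on which zombies report in is also what gives defenders a handle on them: a compromised host contacts the same destination at near-constant intervals, which ordinary browsing does not. The following is an added example, not code from NetWitness or from the Kneber report, showing one way to flag such periodic check-ins in proxy or firewall logs. The log lines, the hostnames under `.example.invalid`, the ten-minute beacon period and the thresholds are all constructed for the illustration.

```python
"""Periodic-beacon detection over constructed proxy log lines.

Added example: not NetWitness code and not taken from the Kneber report.
It flags (source, destination) pairs whose connection times are spaced
at a near-constant interval, the signature of a scheduled C2 check-in.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination host>".
# Host 10.0.0.7 contacts c2.example.invalid roughly every 600 s (assumed
# period, with a few seconds of jitter); 10.0.0.12 is irregular browsing.
SAMPLE_LOG = """\
2010-01-25T09:00:00 10.0.0.7 c2.example.invalid
2010-01-25T09:00:14 10.0.0.12 news.example.invalid
2010-01-25T09:05:30 10.0.0.12 news.example.invalid
2010-01-25T09:10:02 10.0.0.7 c2.example.invalid
2010-01-25T09:12:40 10.0.0.12 mail.example.invalid
2010-01-25T09:19:58 10.0.0.7 c2.example.invalid
2010-01-25T09:21:09 10.0.0.12 news.example.invalid
2010-01-25T09:30:01 10.0.0.7 c2.example.invalid
2010-01-25T09:40:00 10.0.0.7 c2.example.invalid
2010-01-25T09:41:33 10.0.0.12 news.example.invalid
2010-01-25T09:49:59 10.0.0.7 c2.example.invalid
2010-01-25T10:25:12 10.0.0.12 news.example.invalid
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_events=5, max_cv=0.1):
    """Return [(src, dst, period_seconds)] for pairs with regular spacing.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections: bursty human traffic has a high CV,
    a timer-driven check-in clusters tightly around one period (low CV).
    min_events and max_cv are assumed thresholds for this example.
    """
    beacons = []
    for (src, dst), times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            beacons.append((src, dst, round(period)))
    return beacons


if __name__ == "__main__":
    for src, dst, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: beacon every ~{period}s")
```

On the constructed log this reports only `10.0.0.7 -> c2.example.invalid` at roughly 600 seconds; the browsing host has as many events but its gaps vary too widely to pass the CV threshold. Real botnets add deliberate jitter, so the threshold has to be tuned against a baseline of your own traffic, and a low-CV flow is a lead to investigate, not proof of compromise.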

ZeuS infects various versions of Microsoft Windows. NetWitness found that Windows XP Professional and Home editions were worst affected, with Vista Home editions the least affected. ZeuS scrapes data entered into web forms, including login credentials, bank account numbers and Social Security numbers. Its ability to do so has nothing to do with how secure a website is: it captures the data on the infected computer, before the browser encrypts it for transmission, so the site’s own security measures never see the theft.

The operation is still running, and an estimated 75,000 computers in nearly 200 countries have been compromised. The five countries with the highest concentration of infected computers, according to the chart in NetWitness’ whitepaper, are Egypt, Mexico, Saudi Arabia, Turkey and the United States [source: NetWitness’ whitepaper].

With the publication of the NetWitness report and the handover of its findings to the FBI, the affected companies and agencies say they are working to contain the problem. More details are available at WSJ Online and in a NetWitness press release. For a more in-depth look, you can download NetWitness’ 19-page whitepaper on the “Kneber” botnet after free registration.
