This week has witnessed the discovery of a botnet called “Kneber”: a network of zombie computers under the remote control of criminals. According to published sources, some 75,000 computers in 2,500 organizations around the world have been compromised, along with user accounts on popular social networks. Kneber employs the infamous Zeus Trojan, which first appeared in 2007 and has been infecting computers ever since.
While the uncovering of this network is good news, given the risk to which corporate users have been exposed by having their credentials stolen, this is sadly just the tip of the iceberg. This botnet is not new, and it is not unique. In fact, the number of computers affected is relatively low in comparison with other similar networks. This raises an important question: if security vendors have been aware of this Trojan for so long, what kind of protection did these compromised computers have, that it could not stop the malware from installing? Part of the answer is that knowing a Trojan family is not the same as detecting every build of it: Zeus is sold as a kit, and each freshly repacked binary can slip past a product that recognizes only earlier samples. When we consider that for the most part we are talking about corporate environments, this is a serious question indeed.
When we reflect on these types of events, it is natural to arrive at some perhaps obvious conclusions; obvious at least to those of us who work in the world of security.
Firstly: what isn’t published doesn’t exist. We are bombarded with headlines every day, and it is difficult for the media to distinguish between what is truly important and what is not. It is only when we start talking about ‘thousands’ of infections that journalists sit up and take notice. Yet stories like this one, which serve to remind users of the need to be protected and aware of Internet security issues, still leave people feeling that these are random, isolated events, even though this is day-to-day stuff for those of us working in the security field.
Secondly: although as security vendors we work to detect these new threats and offer solutions to our clients, it is not enough. Nowadays cyber-crime is organized, and it has evolved to the point that, as soon as we offer solutions or dismantle networks such as this one, criminals are able, in less than 24 hours, to adapt the code of their bots and Trojans and redeploy the network, once again evading security systems. Even as you read this article, there could be a new Kneber botnet in operation, stealing information and credentials from other businesses and users.
So given this scenario, what is more important? To publish news items that will grab the headlines or to collaborate with security forces and administrations in the countries affected in order to shut down the criminals? We’re talking about criminal organizations that earn millions of dollars every month through business models deployed across a channel that offers anonymity and makes it difficult to track down the perpetrators, for a number of reasons: the use of numerous tricks and techniques to steal data; recruiting of ‘money mules’ to do the dirty work and cover the tracks of the real criminals; lack of adequately trained security personnel, and an uncoordinated response from those responsible for security at an international level.
Those working in the industry, public administration and security forces agree that we have to work together to counteract this type of cyber-crime. Yet, at a practical level, this is still far from reality. And it will continue to be so until we are able to make people aware of the real problem at all levels, from businesses and users to governments and institutions, making the task of regulating this issue a priority. This in turn entails making the channels of information to the general public aware that informing and educating about security is a day-to-day job, not simply a question of looking for headlines with anecdotal stories that don’t reflect reality. Only in this way can we switch users on to the true panorama, and jointly work to improve a situation which is steadily worsening.