“Seemingly there is no reason for these extraordinary intergalactical upsets. Only Dr Hans Zarkov formerly at NASA has provided any explanation”*

Stories in the press recently have been aghast at the scale of a “new” botnet called Kneber. According to a report from NetWitness one particular botnet that uses the ZeuS crimeware has successfully infiltrated thousands of corporations and tens of thousands of computers. This is of course terrible news for the companies affected and certainly many corporate security lessons can be learned from experiences such as this.

What is important to point out though is that there is nothing at all that is “new” or “unprecedented” about a botnet using ZeuS or a botnet of this size, ZeuS (or ZBot) has been around since at least 2007. In the online underground ZeuS is the equivalent of commodity crimeware. It is openly traded in online forums both as a software product and as preinfected botnets. Increasingly providers are finding that they must bundle services with their criminal offering, or Crimeware as a Service.

Screen shot from underground forum

Older versions of the software are downloadable free of charge, though these are often backdoored by other criminals. There is no honour among thieves. In fact botnets are in such plentiful supply that the price of preinfected machines is surprisingly low.
 

175 thousand bots for sale... globally.

Of course if you don’t have the means or the desire to run your own botnet, you can always simply buy the output…

I'm a lumberjack and I'm OK. Logs for sale.

A quick look at ZeuS Tracker shows they are tracking almost 1300 command & control servers for various ZeuS botnets of which about half are online right now. They show the average binary detection rate (how your antivirus products detects using pattern files or signatures) is as low as 49.62% which goes some way towards explaining the successful infection rate.
 
It is widely known that malware writers and other criminals have already worked out how to overcome traditional anti-malware protection that relies on pattern or signature updates. They simply roll their code as often as possible, estimates say that we are currently seeing a unique malicious binary every 1.5 seconds.
 
So here’s corporate security lesson number one from this recent publicity…
 
Make sure your anti-malware solution is not relying simply on the infection layer “what the file looks like“; make sure that it is also investigating the exposure layer, “where the file comes from and who the file reports back to“. If ZeuS Tracker knows where the bad guy servers are, so should every one of your endpoints. At that point, what the actual binary looks like becomes a secondary issue.

 
By the way here is a free tool to check if you are a part of a bot network.
 
* With apologies to Roger Miller and Queen