Kneber Botnet: What You Need to Know Right Now

Security vendor NetWitness recently tapped into the logs of a command-and-control server for a botnet it calls Kneber, which has infected at least 75,000 computers at 2,500 companies and government agencies worldwide. Here are some answers to frequently asked questions about the botnet.

What exactly is the Kneber botnet?

It's a botnet discovered Jan. 26, 2010, by NetWitness that compromised 74,000 computers via the ZeuS Trojan and gathered logon and password information from them. NetWitness announced its discovery Thursday.

Where did it get its name?

The name comes from the registrant for the original domain used to pull together various components of the botnet -- hilarykneber@yahoo.com.

How old is it?

The first activity from it was March 25, 2009.

Is it out of business now?

No. After a command-and-control server for it was traced to Germany, its URL was changed, and it's running just as it was before it was discovered. The data gleaned from the server has been turned over to law enforcement agencies and major companies with employees whose computers were bots have been notified.

What damage can it do?

Individuals whose personal data was mined might suffer financial loss if criminals use the data to transfer funds out of their accounts.

What exactly is the ZeuS Trojan?

ZeuS, also called Zbot, is a very effective cybercrime tool that is routinely updated, made more sophisticated and more stealthy. It can present a different profile in each computer it infects, making it difficult to catch using signatures.

What do cybercriminals use it for?

It's often used to gather user logons and passwords, and injects its own fields into Web pages seeking more detailed information about the user's identity. But it can also steal whatever data is on a computer, can enable remote control of compromised machines and can download other malware. It also periodically uploads what it gathers to command-and-control Web servers.

How dangerous is it?

It is ranked as the most dangerous type of botnet in operation by the security firm Damballa, and 1,313 ZeuS command-and-control servers have been identified by Zeus Tracker. A ZeuS botnet was once used to steal records of people looking for jobs through Monster.com.

Why has it been around for so long?

The bot-creator is constantly upgraded to be less detectable and more flexible. It is encrypted and it adopts rootkit characteristics to hide in infected machines. It is sold for about $4,000 per copy, so there are many cybergangs using it to create botnets that they use for their individual illicit activity.

Is there any hope of stopping it?

Competition may help. A Trojan called SpyEye does much the same thing as ZeuS and comes with a Zeus uninstaller, so if it hits on a machine already enlisted in a ZeuS bot, it can kick out Zeus and claim machine for itself. Of course, the computer is still a bot, just with a different commander.

Subscribe to the Security Watch Newsletter

Comments