Botnets are bad for business, and that's the bottom line. The news that a botnet called Kneber has infected 75,000 computers, including government and business machines, has been spreading online. But while many, if not most, of these reports claim that Kneber is a new botnet, it is nothing of the sort. Not that the revelation that Kneber is actually just another Zeus variant will be of any comfort to those who have fallen victim to it, of course. According to security outfit NetWitness, which first reported the outbreak, the haul includes 68,000 stolen corporate logins, 2,000 SSL certificate files and "dossier-level data sets on individuals including complete dumps of entire identities from victim machines".
"The reason some folks have nicknamed it Kneber is that the malware domains involved in this particular branch of the Zeus botnet have 'Hilary Kneber' listed as the domain registrant. Of course, Hilary Kneber is likely a completely made-up name," comments Mary Landesman, senior security researcher at ScanSafe. The Zeus botnet has been active on the Web for over a year. In its 1Q08 Global Threat Report, ScanSafe reported on the surge of Zeus-related activity via the Web and specifically its joining forces with the LuckySploit framework. Zeus malware is known for browser traffic sniffing, intercepting POST data and keystrokes associated with the active browser session, as well as clipboard data passed to the browser. Worryingly, Zeus malware also typically disables firewalls and other security software on infected systems, as well as blocking access to security vendor websites and services. For example, Zeus can prevent antivirus signatures from being updated, putting companies at major risk of infection. Zeus Trojans also employ rootkits to remain hidden on infected systems.
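As an added example (not from the article, NetWitness or ScanSafe), the following Python check flags hosts-file entries that map security-vendor or update domains to loopback or unspecified addresses, one way the "blocking access to security vendor websites" behaviour described above can be looked for on an endpoint. Blocking via the hosts file is an assumption about a common implementation of that behaviour, not something the article states; the vendor domain watchlist and the sample hosts content are constructed for this example.

```python
"""Added example, not from the article: detect hosts-file entries that null
or redirect security-vendor domains. The watchlist, the sample hosts text and
the hosts-file mechanism itself are assumptions made for this example."""
import ipaddress
import re

# Constructed watchlist of domains a defender expects to remain reachable
# (placeholders, not real vendor hostnames).
SECURITY_VENDOR_DOMAINS = {
    "update.example-av.test",
    "www.example-av.test",
    "windowsupdate.example.test",
}

# One hosts-file line: address, one or more names, optional trailing comment.
HOSTS_LINE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>.+?)\s*(#.*)?$")

# Constructed sample hosts file with two legitimate lines and four tampered ones.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
0.0.0.0         www.example-av.test   # nulled
198.51.100.7    www.example-av.test   # redirected to an attacker-chosen host
127.0.0.1       windowsupdate.example.test
"""


def _is_sinkhole_address(ip_text):
    """True if the address is loopback or unspecified, i.e. the name is being
    nulled rather than pointed at a reachable host."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _on_watchlist(name, watchlist):
    """Exact match or subdomain of a watchlisted domain."""
    return name in watchlist or any(name.endswith("." + d) for d in watchlist)


def find_blocked_vendor_hosts(hosts_text, watchlist=SECURITY_VENDOR_DOMAINS):
    """Return one finding per watchlisted name that appears in the hosts file.

    A vendor or update domain normally has no business in the hosts file at all,
    so any mapping is reported; 'sinkholed' distinguishes outright blocking
    (loopback/unspecified) from redirection to some other address.
    """
    findings = []
    for lineno, line in enumerate(hosts_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        for name in m.group("names").split():
            lname = name.lower().rstrip(".")
            if _on_watchlist(lname, watchlist):
                findings.append({
                    "host": lname,
                    "ip": ip,
                    "line": lineno,
                    "sinkholed": _is_sinkhole_address(ip),
                })
    return findings


if __name__ == "__main__":
    for f in find_blocked_vendor_hosts(SAMPLE_HOSTS):
        verdict = "BLOCKED" if f["sinkholed"] else "REDIRECTED"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{verdict}]")
```

On a real system the same function can be run over the contents of `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`; a non-empty result is worth correlating with the other indicators the article lists, such as failed antivirus signature updates or disabled host firewalls.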
Whatever you call it, this botnet is bad for business. In 2009, for example, malware associated with Zeus alone accounted for one percent of all the ScanSafe Web malware blocks during the year.
Discussing the importance of the "Kneber botnet", Amit Yoran, CEO of NetWitness and former Director of the National Cyber Security Division, said, "While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet. These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe. Conventional malware protection and signature-based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats. Organizations which focus on compliance as the objective of their information security programs and have not kept pace with the rapid advances of the threat environment will not see this Trojan until the damage already has occurred. Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks."