Threat Research

Kneber: Another day at the office

By Derek Manky | February 22, 2010

You have likely heard of the Kneber attacks chronicled by the mass media as of late. Kneber is a botnet, and a very familiar one at that - Zeus. Zeus is a crimeware kit, a do-it-yourself setup which allows any aspiring botnet herders to configure and create their own botnet (referred to as ZBot). The builder will configure the ZBot binary for the client, with its own botnetID/password: thus creating a new variant of ZBot. In fact, there are many active botnets that are spawned by this widely distributed kit. It has become so popular, and accessible, that attacks like this are bound to arise in the numbers: Kneber is merely one of them. The configurations are extensive, the possibilities vast, and consulting services even exist to accelerate the deployment of a new botnet; this falls into the growing trend of Crime as a Service (see my post here on Adaptive Crime Services for more examples on this). Though Kneber certainly poses a problem on its own, the much larger issue is the source of the problem: how such kits and crime services allow these botnets to fluorish. Attacks can deliver payloads (the ZBot virus) from many arenas, not just traditional email.

Zeus is often associated as a banking trojan, but because of its flexible configuration, it is very easy to target any information the attacker wishes. For some examples, including a video demonstrations, please see the detailed analysis of Zeus/ZBot available on our FortiGuard Center. It can easily be configured to steal social networking credentials (we used Facebook as an example in our labs) -- and indeed with Kneber, it has been used for such purposes. For quick reference, here is a screenshot which shows targeted Facebook information reported by ZBot to its controller (left). The form data (username and password) is passed along to view in clear text by the attacker:

SocialZeus_ZBot reports stolen social networking credentials_

This particular botnet was named after the email address used to register a domain used in this attack, though in reality, it is just another recent example of a new ZBot variant active in the wild. Further, infected machines were reported to also have Waledac infections -- another very active spamming botnet. For more information, please see our detailed writeup on Waledac here. This is not a surprise, many machines are multi-infected nowadays, especially when it comes to botnets that are used as "loaders" to download and distribute malware, essentially infrastructure for hire. This is widely the case with the Pushdo and Bredolab botnets which have been active for years. Because of this, it should not be a focus to lock down against one particular attack: in my mind, layered security is a feasible approach to guarding against blended threats, multi-infections and the growing array of attacks we see in cyberspace today. FortiGuard Labs detects Zeus/ZBot network traffic through IPS as "Zeus.Botnet", and guards against ZBot variants such as Kneber through antivirus as well.

Join the Discussion