The Kneber botnet - FAQ
Summary: A recently uncovered network of compromised hosts, dubbed the "Kneber botnet", managed to infect 75,000 hosts within over 2,500 organizations internationally.
A recently uncovered network of compromised hosts, dubbed the "Kneber botnet", managed to infect 75,000 hosts within over 2,500 organizations internationally, including Fortune 500 companies as well as local, state and U.S. federal government agencies.
How did the botnet manage to stay beneath the radar? Who's behind it? Is it an isolated underground project, or part of the malicious portfolio of a cybercrime organization diversifying on multiple fronts within the underground marketplace?
Go through the FAQ.
01. Why the name Kneber botnet?
The name Kneber comes from the email address used to register the initial domain used in the campaign: HilaryKneber@yahoo.com. What's particularly interesting about this email address is that it was also profiled in December 2009's "Celebrity-Themed Scareware Campaign Abusing DocStoc" analysis, which linked it to money-mule recruitment campaigns back then.
02. My time is precious. In short, what is the Kneber botnet, at the bottom line?
It's a mini Zeus crimeware botnet. Zeus is one of the most prevalent malicious software families; it successfully undermines two-factor authentication on the infected hosts (Report: 48% of 22 million scanned computers infected with malware) and slips through signature-based antivirus detection (Modern banker malware undermines two-factor authentication) thanks to its systematically updated binaries.
03. Who's behind it?
It's a cybercrime syndicate involved in everything from blackhat search engine optimization (blackhat SEO) to client-side exploit serving campaigns and money mule recruitment campaigns.
04. What were the botnet masters able to steal from the infected hosts?
Surprisingly, given that the Zeus crimeware is exclusively used to steal financial data and hijack E-banking transactions on the fly, in the case of the Kneber botnet researchers from NetWitness found just 1972 digital certificates, alongside over 68,000 stolen credentials, over a period of 4 days.
05. Is this botnet part of a sophisticated cybercrime enterprise vertically integrating by engaging in multiple fraudulent activities, or is it an isolated underground project?
The Kneber botnet is anything but an isolated project: the individual or group of individuals managing it is already connected to numerous malicious campaigns analyzed over the last couple of months. Here are some interesting facts about their activities:
- The name servers used in December 2009's DocStoc scareware campaign were registered using the same email address used to register the client-side exploit serving domains that were part of the Koobface gang's experiment conducted in November 2009. Parked on the same IP hosting the domain that served the malware in that campaign was also a domain registered to HilaryKneber@yahoo.com (search-results .cn). Even more interesting is the fact that the email addresses used to register the rest of the domains parked at this IP are also known to have been used to register money mule recruitment domains (Standardizing the Money Mule Recruitment Process; Keeping Money Mule Recruiters on a Short Leash).
- According to the report, the email address HilaryKneber@yahoo.com itself was also used to register a money mule recruitment company known as 24 Hour Express Service.
- The report further establishes a connection between the Waledac botnet and this mini Zeus botnet, with the two malware families found simultaneously on the same hosts. An excerpt from the report: "One very interesting observation is that more than half of the ZeuS bots are logging traffic from additional infections on the same host that are indicative of Waledac command and control traffic. Waledac is a peer-to-peer spamming botnet that is often used as a delivery mechanism for additional malware. Additional analysis needs to be conducted, but this raises the possibility of direct enterprise-to-enterprise communication of Waledac bot peers in addition the existing C2 traffic from the Zeus botnet."
- This isn't the first time a Waledac connection has been established between different botnets: "Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?"; "Walking Waledac"; "..Conficker downloading the Waledac e-mail worm onto the infected systems"; "..Downad/Conficker box was trying to access a known Waledac domain"
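The links drawn in this list rest on two infrastructure pivots, a shared registrant email address and a shared hosting IP, and that pivoting can be automated. The Python below is an added example, not code from the article or from NetWitness; apart from HilaryKneber@yahoo.com and search-results.cn, every domain, address and IP in it is constructed sample data.

```python
from collections import defaultdict

# Constructed sample records: (domain, registrant_email, hosting_ip).
# Only HilaryKneber@yahoo.com and search-results.cn come from the article;
# every other domain, address and IP (RFC 5737 documentation ranges) is made up.
RECORDS = [
    ("search-results.cn",        "HilaryKneber@yahoo.com",   "203.0.113.10"),
    ("docstoc-ns1.example",      "hilarykneber@yahoo.com",   "203.0.113.20"),
    ("mule-recruit-24h.example", "jobs.manager@example.net", "203.0.113.10"),
    ("exploit-landing.example",  "HilaryKneber@yahoo.com",   "203.0.113.30"),
    ("unrelated-store.example",  "owner@example.org",        "198.51.100.5"),
]

def _find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def _pivots(email, ip):
    # Registrant e-mails are case-insensitive, so normalise before keying on them.
    return {("email", email.lower()), ("ip", ip)}

def cluster_domains(records):
    """Group domains that are linked, directly or transitively, through a shared
    registrant e-mail or a shared hosting IP. Returns clusters largest-first."""
    parent = {dom: dom for dom, _, _ in records}
    by_pivot = defaultdict(list)
    for dom, email, ip in records:
        for pivot in _pivots(email, ip):
            by_pivot[pivot].append(dom)
    for doms in by_pivot.values():
        for other in doms[1:]:            # union every domain sharing this pivot
            parent[_find(parent, other)] = _find(parent, doms[0])
    groups = defaultdict(set)
    for dom in parent:
        groups[_find(parent, dom)].add(dom)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))

def shared_pivots(records, domain_a, domain_b):
    """Return the e-mail/IP pivots two domains have directly in common, i.e. the
    evidence an analyst would cite for the link."""
    rec = {dom: _pivots(email, ip) for dom, email, ip in records}
    return rec[domain_a] & rec[domain_b]

if __name__ == "__main__":
    for cluster in cluster_domains(RECORDS):
        print(sorted(cluster))
```

The mule recruitment domain ends up in the same cluster as the exploit-serving one even though they share no pivot directly, which is exactly the transitive chain the list above walks by hand.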
06. What's so special about it?
It's the fact that despite the crimeware's advanced E-banking session hijacking capabilities, the primary objective of the campaign -- at least based on the sample analyzed by NetWitness researchers -- was to steal social networking credentials.
Moreover, the Kneber botnet is a good example of an ongoing trend towards building and maintaining beneath-the-radar botnets (Research: Small DIY botnets prevalent in enterprise networks; Inside the botnets that never make the news - A Gallery; Aggregate-and-forget botnets for DDoS extortion attacks).
And while NetWitness is, logically, not offering insight into which companies were most affected, only the usual vertical market data, based on 74,000 infected PCs at nearly 2,500 organizations we can assume a proportional scenario of 29.6 infected hosts per company, representing your typical small DIY botnet.
07. What's the OS breakdown of the infected hosts?
The top five affected operating system versions based on the data presented by NetWitness are: XP Professional SP 2, followed by XP Professional SP 3, XP Home Edition SP 3, XP Home Edition SP2 and Vista Home Edition SP 2.
When discussing botnets in general, it's important to keep in mind that botnets aggregated using the Zeus crimeware are not the same type of botnet as Conficker, Pushdo or Koobface, which rely exclusively on "proprietary malware code". In comparison, because Zeus is a DIY (do-it-yourself) type of crimeware, it allows potential cybercriminals to literally generate crimeware variants on their own.
Talkback
How does the infection compare with the market?
They're gross, not per capita.
Only on Windows machines
Windows is a great OS as long as you do not use it online.
Bull
There must be a reason why Linux can't seem to take off?
Anyway note no Windows 7 systems are compromised by this nasty botnet?
Who still uses XP-SP2 ? ?? ??? Come on. The Microsoft splash for XP says Copyright (C) 1985-2001.
Are we not in 2010?
[i]~~~~~~~~~~
Today, don't let yesterday spoil tomorrow.
~ Jonathan Cainer[/i]
Apparently, a LOT of people are still using XP-SP2!
The data has apparently been collected from over 2,500 companies. None of which seems to have rolled out Windows 7 yet.
Laugh test
Windows is insecure by design.
Is it?
Thanks! I'm really eager to benefit from the research you've personally carried out to come to this conclusion!
Learn for yourself
On a monolithic system, a small coding error in a user app can become a large error further down the software stack, as the whole stack is compiled.
On a modular system, a small coding error in a user app will result in the user app not working with other modules further down the stack, forcing the coder to fix the small error.
For example, IE includes a web browser and the top 3 levels of the TCP/IP stack, so a small error in the browser can become a security hole in the IP layer of TCP/IP stack.
I know, you are going to say IE doesn't include the top 3 layers of the TCP/IP stack. It can now be uninstalled. Sorry, it does, as uninstalling IE, at most, removes only iexplore.exe, not all the other exes, dlls, etc.
But don't take my word for it. Here's an experiment you can do yourself.
1) Build a Windows virtual machine, any Windows, even Win 7. Do it on a VM because the system will require a complete re-install by the end of the experiment.
2) Update to the latest version of IE.
3) Find the log for the IE update.
4) Restart in safe mode and delete all files listed in the IE update log.
5) Reboot, or rather, try to reboot.
This will show, with no doubt, that at a minimum your system will no longer have an IP address, and at a maximum, will fail to boot at all because the OS will be missing required files.
The exact same experiment on Linux, substituting FireFox for IE, of course, will result in a perfectly usable system, sans web browser.
This is just one example of the inherently insecure nature of monolithic vs. modular software design.
Hey...
FYI, what you're seeing in the pie chart (which you may not have seen in the article, who knows) is kind of oddly close to the usage rates of the various OS versions in the enterprise. My take from that is, that if it's there, the botnet will go after it, well, if it's windows.
That old 'market share' chestnut again?
Fort Knox is very secure, right? But according to the Windows apologists, if we build another 10,000 Fort Knoxes to the same design, each Fort Knox will become less secure, simply because there are more of them. By the time we get up to a few million Fort Knoxes, according to the Windows apologists, breaking into Fort Knox will have become as easy as, well, compromising Windows software with malware.
The same argument can be used for front doors. If you fit a high security front door to your house, you will prevent intruders getting in. If every person in your street fits them, every person in the street prevents intruders. This scales up as much as you like. If everybody used 'Fort Knox' front doors, everyone would be safe.
Only Windows apologists are still pretending that increasing the number of instances of an inherently secure system causes that system to become less secure. It's PR tommyrot.
As per my comment gertruded...
Thanks!
That would be an awesome analogy
If you said that some of the Fort Knoxes were guarded by civilians instead of soldiers, then you would have something there.
Fort Knox is not insecure, but someone does have to open the doors.
If user input did not exist, neither would most malware, especially the socially engineered type.
The more laymen start using Linux, it is a guarantee that not only would more vulnerabilities be found and patched, more laymen would get compromised.
The long sought Pax Romana of internet security that people pretend will come about if Linux becomes more than just for hobbyists, including me, is overblown.
$ sudo apt-get install truth
Would be true if it was so - but that is not the world we live in
[i]If Linux had the same market share as Windows (92%) instead of the pitiful (1%) after 18 years in existence, it would be the one being hacked.[/i]
Since the world is the way it is - and Windows is 92% market share, Linux is safer - so the advice holds.
Saying that if the world was different the statement would be false, so therefore it is false - that is just stupid.
I do not shoot myself in the head saying that if more people used guns I wouldn't have enough ammo to kill myself.
You choose to use what is bad now because later the alternative may just be equally as bad, if you are lucky.
And you continue to give bad advice and push your point in the face of the reality which is true even by your own statistics.
Market Share Again
Microsoft, leveraging off its market share, gets its acolytes and drones to spout the "market share means more attacks and hence more successful attacks" mantras. But repetition, however vehement, does not make something true, or even plausible. Good journalists know that, and IT professionals that have worked in more than one operating system environment know that.
Here are some counter examples.
1. Microsoft IIS is not anything like the majority of the web server market. Here are three prominent sites that have failed recently: MySchool, CFA and Myki. All run IIS. Name three apache2 based server sites of the same criticality that have failed or been compromised.
2. Microsoft server variants are not anything like the majority of servers out there, especially if one removes stray false instances, or calculates on the basis of population served rather than number of servers. They do, however, constitute the majority of the compromises, see CERT.
We do not pull punches naming Toyota for making faulty cars, why do we pull back on Microsoft for making flawed operating systems?
What is WinTard afraid of?
OS X as you keep blogging the same argument about market share in response to the virus issue to both?
If you are right then it will be a great day for you and all the other Windows users when the virus writers move more of their efforts to OS X and Linux, thereby reducing the attacks on Windows.
So are you afraid that your platform will get fewer attacks by malware?
Or is it the market share change that is worrying you?
Are you for some reason going to be personally harmed by more Linux and OS X machines out there?
Which is more of a worry for you - less malware coming your way, or fewer Windows users?
One of these is playing on your mind!!! Or your bank account!!!
Good question
[i]OS X as you keep blogging the same argument about market share in response to the virus issue to both?[/i]
I've been asking that on zdnet for awhile now and nobody from the Wintel side can come up with any plausible answers.
With Apple & Linux market share only at 9% and 1% respectively (based on the figures they like to spew around), one wonders what they feel so threatened about to begin with...
they fear what they do not understand
End of the day, big boss shows up and says "were you able to recover the data on that drive I gave you? We fired one of the network engineers and all his work was on that drive. Oh I forgot to mention his windows looked really different it only showed a penguin when we booted it up, a bunch of text scrolled by and some strange login window was present"
Wintard says "be done within the hour" and proceeds to update his resume...
lol
LOL.. Good one - - - Or the story about...
If he wasn't such a dick about it, somebody would've told him...
;)
This story brought to you by: Microsoft Windows - Insecure by Design
to be fair, insecure by default
What is shocking is that corporate IT will allow SP2 to actually run on their networks. I mean the users alone have an excuse to be clueless... But when the staff allows it, that is pitiful.
Another shocker is that Vista - with all its "improved security" - is on the list... Which does go to show that the problem can be traced to PEBCAK or id-10-t errors. A secure OS is only as secure as the user's habits.