The Kneber botnet - FAQ



A recently uncovered network of compromised hosts, dubbed the "Kneber botnet", managed to successfully infect 75,000 hosts within over 2,500 organizations internationally, including Fortune 500 companies as well as local, state and U.S. federal government agencies.

How did the botnet manage to stay beneath the radar? Who's behind it? Is it an isolated underground project, or a part of the malicious portfolio of a cybercrime organization diversifying on multiple fronts within the underground marketplace?

Go through the FAQ.

01. Why the name Kneber botnet?

The name Kneber comes from the email used to register the initial domain used in the campaign. What's particularly interesting about this email is that it was also profiled in December 2009's "Celebrity-Themed Scareware Campaign Abusing DocStoc" analysis, which linked it to money-mule recruitment campaigns back then.

02. My time is precious. In short, what is the Kneber botnet at the bottom line?

It's a mini Zeus crimeware botnet. Zeus is one of the most prevalent pieces of malicious software, successfully undermining two-factor authentication on the infected hosts (Report: 48% of 22 million scanned computers infected with malware), and slipping through signature-based antivirus detection (Modern banker malware undermines two-factor authentication) due to its systematically updated binaries.

03. Who's behind it?

It's a cybercrime syndicate involved in everything from blackhat search engine optimization (blackhat SEO), to client-side exploit serving campaigns, and money mule recruitment campaigns.

04. What were the botnet masters able to steal from the infected hosts?

Surprisingly, given that the Zeus crimeware is exclusively used to steal financial data and hijack E-banking transactions on-the-fly, in the case of the Kneber botnet researchers from NetWitness found just 1972 digital certificates and over 68,000 stolen credentials over a period of 4 days.

05. Is this botnet part of a sophisticated cybercrime enterprise vertically integrating by engaging in multiple fraudulent activities, or is it an isolated underground project?

The Kneber botnet is anything but an isolated project, with the individual/group of individuals managing it already connected to numerous malicious campaigns analyzed over the last couple of months.  Here are some interesting facts about their activities:

06. What's so special about it?

It's the fact that despite the crimeware's advanced E-banking session hijacking, the primary objective of their campaign -- at least based on the sample analyzed by NetWitness researchers -- was to steal social networking credentials.

Moreover, the Kneber botnet is a good example of an ongoing trend aiming to build and maintain beneath-the-radar botnets (Research: Small DIY botnets prevalent in enterprise networks; Inside the botnets that never make the news - A Gallery; Aggregate-and-forget botnets for DDoS extortion attacks).

And while NetWitness is, logically, not offering insight into which companies were most affected, only the usual vertical market data, based on 74,000 infected PCs at nearly 2,500 organizations we can assume a proportional scenario with 29.6 infected hosts per company, representing your typical small DIY botnet.

07. What's the OS breakdown of the infected hosts?

The top five affected operating system versions based on the data presented by NetWitness are: XP Professional SP 2, followed by XP Professional SP 3, XP Home Edition SP 3, XP Home Edition SP2 and Vista Home Edition SP 2.

When discussing botnets in general, it's important to keep in mind that botnets aggregated using the Zeus crimeware are not the same type of botnets as Conficker, Pushdo or Koobface, which rely exclusively on "proprietary malware code". In comparison, because Zeus is a DIY (do-it-yourself) type of crimeware, it allows potential cybercriminals to literally generate crimeware variants on their own.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • How does the infection compare with the market?

    Do the relative infection percentages by OS reflect the percentages that the same OSs have in the market? I'm thinking that (say) XP Home SP2 isn't really more secure than XP Professional SP2, for example ;-) .
    • They're gross, not per capita.

      As gamers start being forced to upgrade from Windows XP or Windows Vista or Windows 7 to play their new games, the pie chart will change accordingly.
  • Only on Windows machines

    This botnet only affects Windows OS. Use Linux on line.

    Windows is a great OS as long as you do not use it online.
    • Bull

      If Linux had the same market share as Windows (92%) instead of the pitiful (1%) after 18 years in existence, it would be the one being hacked.

      There must be a reason why Linux can't seem to take off?

      Anyway note no Windows 7 systems are compromised by this nasty botnet?

      Who still uses XP-SP2 ? ?? ??? Come on. The Microsoft splash for XP says Copyright (C) 1985-2001.

      Are we not in 2010?

      Today, don't let yesterday spoil tomorrow.
      ~ Jonathan Cainer
      • Apparently, a LOT of people are still using XP-SP2!

        You did read the article, didn't you? And look at the big, pie-chart?

        The data has apparently been collected from over 2,500 companies. None of which seems to have rolled out Windows 7 yet.
      • Laugh test

        your market share argument does not pass the laugh test, no one buys that anymore.

        Windows is insecure by design.
        • Is it?

          Can you tell me specifically why Windows - and I presume you're going to break down the differences between XP, Vista and W7 - is insecure by design?

          Thanks! I'm really eager to benefit from the research you've personally carried out to come to this conclusion!
          Sleeper Service
          • Learn for yourself

            Windows is monolithic, Linux is modular.
            On a monolithic system, a small coding error in a user app can become a large error further down the software stack, as the whole stack is compiled.
            On a modular system, a small coding error in a user app will result in the user app not working with other modules further down the stack, forcing the coder to fix the small error.

            For example, IE includes a web browser and the top 3 levels of the TCP/IP stack, so a small error in the browser can become a security hole in the IP layer of TCP/IP stack.
            I know, you are going to say IE doesn't include the top 3 layers of the TCP/IP stack. It can now be uninstalled. Sorry, it does, as uninstalling IE, at most, removes only iexplore.exe, not all the other exes, dlls, etc.

            But don't take my word for it. Here's an experiment you can do yourself.
            1) Build a Windows virtual machine, any Windows, even Win 7. Do it on a VM because the system will require a complete re-install by the end of the experiment.
            2) Update to the latest version of IE.
            3) Find the log for the IE update.
            4) Restart in safe mode and delete all files listed in the IE update log.
            5) Reboot, or rather, try to reboot.

            This will show, with no doubt, that at a minimum your system will no longer have an IP address, and at a maximum, will fail to boot at all because the OS will be missing required files.

            The exact same experiment on Linux, substituting FireFox for IE, of course, will result in a perfectly usable system, sans web browser.

            This is just one example of the inherently insecure nature of monolithic vs. modular software design.
      • Hey...

        You forgot the around 5% of Macs that are out there. Ergo, I'm offended :P

        FYI, what you're seeing in the pie chart (which you may not have seen in the article, who knows) is kind of oddly close to the usage rates of the various OS versions in the enterprise. My take from that is, that if it's there, the botnet will go after it, well, if it's windows.
      • That old 'market share' chestnut again?

        I like to deploy the 'Fort Knox' argument to show the paucity of the 'marketshare' defence.

        Fort Knox is very secure, right? But according to the Windows apologists, if we build another 10,000 Fort Knoxes to the same design, each Fort Knox will become less secure, simply because there are more of them. By the time we get up to a few million Fort Knoxes, according to the Windows apologists, breaking into Fort Knox will have become as easy as, well, compromising Windows software with malware.

        The same argument can be used for front doors. If you fit a high security front door to your house, you will prevent intruders getting in. If every person in your street fits them, every person in the street prevents intruders. This scales up as much as you like. If everybody used 'Fort Knox' front doors, everyone would be safe.

        Only Windows apologists are still pretending that increasing the number of instances of an inherently secure system causes that system to become less secure. It's PR tommyrot.
        • As per my comment gertruded...

          ...please give me YOUR reasons for why Windows is insecure.

          Sleeper Service
        • That would be an awesome analogy

          if it was complete.

          If you said that some of the Fort Knoxes were guarded by civilians instead of soldiers, then you would have something there.

          Fort Knox is not insecure, but someone does have to open the doors.

          If user input did not exist, neither would most malware, especially the socially engineered type.

          The more laymen start using Linux, it is a guarantee that not only would more vulnerabilities be found and patched, more laymen would get compromised.

          The long sought Pax Romana of internet security that people pretend will come about if Linux becomes more than just for hobbyists, including me, is overblown.

          $ sudo apt-get install truth
      • Would be true if it was so - but that is not the world we live in

        @ WinTard

        [i]If Linux had the same market share as Windows (92%) instead of the
        pitiful (1%) after 18 years in existence, it would be the one being
        hacked.[/i]

        Since the world is the way it is - and Windows is 92% market share,
        Linux is safer - so the advice holds.

        Saying that if the world was different the statement would be false, so
        therefore it is false - that is just stupid.

        I do not shoot myself in the head saying that if more people used
        guns I wouldn't have enough ammo to kill myself.

        You choose to use what is bad now because later the alternative may
        just be equally as bad, if you are lucky.

        And you continue to give bad advice and push your point in the face of
        the reality which is true even by your own statistics.
        • Market Share Again

          Market Share needs to be carefully defined. It is true that Microsoft has a majority of the desktop market, whatever that may mean. This does not mean, and is not true, that Microsoft has anything like a majority elsewhere.

          Microsoft leveraging off its market share gets its acolytes and drones to spout the market share means more attacks and hence more successful attacks mantras. But repetition, however vehement does not make something true, or even plausible. Good journalists know that, and IT professionals that have worked in more than one operating system environment know that.

          Here are some counter examples.

          1. Microsoft IIS is not anything like the majority of the web server market. Here are three prominent sites that have failed recently, MySchool, CFA and Myki. All run IIS. Name three apache2 based server sites of the same criticality that have failed or been compromised.

          2. Microsoft server variants are not anything like the majority of servers out there, especially if one removes stray false instances, or calculates on the basis of population served rather than number of servers. They do, however constitute the majority of the compromises, see CERT.

          We do not pull punches naming Toyota for making faulty cars, why do we pull back on Microsoft for making flawed operating systems?
      • What is WinTard afraid of?

        Why Wintard do you feel the need to stop anyone from using linux, or
        OS X as you keep blogging the same argument about market share in
        response to the virus issue to both?

        If you are right then it will be a great day for you and all the other
        Windows users when the virus writers move more of their efforts to OS
        X and Linux, thereby reducing the attacks on Windows.

        So are you afraid that your platform will get less attacks by malware?

        Or is it the market share change that is worrying you?

        Are you for some reason going to be personally harmed by more Linux
        and OS X machines out there?

        Which is more of a worry for you - less malware coming your way, or
        less Windows users?

        One of these is playing on your mind!!! Or your bank account!!!
        • Good question

          [i]Why Wintard do you feel the need to stop anyone from using linux, or
          OS X as you keep blogging the same argument about market share in
          response to the virus issue to both?[/i]

          I've been asking that on zdnet for awhile now and nobody from the Wintel side can come up with any plausible answers.

          With Apple & Linux marketshare only at 9% and 1% respectively (based on the figures they like to spew around), one wonders what they feel so threatened about to begin with...
          • they fear what they do not understand

            Imagine a scenario, wintard connects an old HDD laying around to his PC. It is detected in windows and all is well in the device manager. Disk manager, however does not recognize the partition and says it must be formatted. No problem just click OK to continue, all is well about 10 or 15 mins later.

            End of the day, big boss shows up and says "were you able to recover the data on that drive I gave you? We fired one of the network engineers and all his work was on that drive. Oh I forgot to mention his windows looked really different it only showed a penguin when we booted it up, a bunch of text scrolled by and some strange login window was present"

            Wintard says "be done within the hour" and proceeds to update his resume...

          • LOL.. Good one - - - Or the story about...

            ...the wintard who came on a Linux forum, mad as hell because he couldn't get his Windoze-based Norton anti-virus to work on it.

            If he wasn't such a dick about it, somebody would've told him...

  • This story brought to you by: Microsoft Windows - Insecure by Design

    • to be fair, insecure by default

      ...and I am sure there will be tons of threads stating how vista and W7 resolve that problem blah blah blah...

      What is shocking is, that corporate IT will allow SP2 to actually run on their networks. I mean the users alone have an excuse to be clueless... But when the staff allows it that is pitiful.

      Another shocker, is that vista - with all its "improved security", is on the list... Which does go to show, that the problem can be traced to PEBCAK or id-10-t errors. A secure OS is only as secure as the user's habits.