The Kneber botnet - FAQ

A recently uncovered network of compromised hosts dubbed, the "Kneber botnet", managed to successfully infect 75,000 hosts within over 2,500 organizations internationally.
Written by Dancho Danchev, Contributor

A recently uncovered network of compromised hosts dubbed, the "Kneber botnet", managed to successfully infect 75,000 hosts within over 2,500 organizations internationally, including Fortune 500 companies as well as Local, State and U.S Federal Government agencies.

How did the botnet managed to stay beneath the radar? Who's behind it? Is it an isolated underground project, or a part of the malicious portfolio of a cybercrime organization diversifying on multiple fronts within the underground marketplace?

Go through the FAQ.

01. Why the name Kneber botnet?

The name Kneber comes from the email used to register the initial domain, used in the campaign - HilaryKneber@yahoo.com. What's particularly interesting about this email, is the fact that it was also profiled in December, 2009's "Celebrity-Themed Scareware Campaign Abusing DocStoc" analysis, linking it to money-mule recruitment campaigns back then.

02. My time is precious. In short, what is the Kneber botnet at the bottom line?

It's a mini Zeus crimeware botnet, one of the most prevalent malicious software that successfully undermining two-factor authentication on the infected hosts (Report: 48% of 22 million scanned computers infected with malware), and is slipping through signatures-based antivirus detection (Modern banker malware undermines two-factor authentication) due to the systematically updated binaries.

03. Who's behind it?

It's a cybercrime syndicate involved in everything from blackhat search engine optimization (blackhat SEO), to client-side exploit serving campaigns, and money mule recruitment campaigns.

04. What were the botnet masters able to steal from the infected hosts?

Surprisingly, in the sense that the Zeus crimeware is exclusively used to steal financial data, and hijack E-banking transactions on-the-fly, in the case of the Kneber botnet, researchers from NetWitness found just 1972 digital certificates, and over 68,000 stolen credentials over a period of 4 days.

05. Is this botnet part of a sophisticated cybercrime enterprise vertically integrating by engaging in multiple fraudulent activities, or is it an isolated underground project?

The Kneber botnet is anything but an isolated project, with the individual/group of individuals managing it already connected to numerous malicious campaigns analyzed over the last couple of months.  Here are some interesting facts about their activities:

06. What's so special about it?

It's the fact that despite the crimeware's advanced E-banking sessions hijacking, the primary objective of their campaign -- at least based on the sample analyzed by NetWitness researchers -- was to steal social networking credentials.

Moreover, the Kneber botnet is a good example of an ongoing trend aiming to build and maintain beneath the radar botnets (Research: Small DIY botnets prevalent in enterprise networks; Inside the botnets that never make the news - A Gallery; Aggregate-and-forget botnets for DDoS extortion attacks)

And while NetWitness is logically not offering insight into which companies were most affected, but the usual vertical market data, based on 74,000 infected PCs at nearly 2,500 organization, we can assume a proportional scenario with 29.6 infected hosts per company, representing your typical small DIY botnet.

07. What's the OS breakdown of the infected hosts?

The top five affected operating system versions based on the data presented by NetWitness are: XP Professional SP 2, followed by XP Professional SP 3, XP Home Edition SP 3, XP Home Edition SP2 and Vista Home Edition SP 2.

When discussing botnets in general, it's important to keep in mind that botnets aggregated by using the Zeus crimeware, are not the same type of botnets like Conficker, Pushdo or Koobface which rely exclusively on "proprietary malware code". In compassion, due to the fact that Zeus is a DIY (do-it-yourself) type of crimeware, it allows potential cybercriminals to literally generate crimeware variants on their own.

Editorial standards