Evil Kneber Botnet Packs Mighty Malware Punch
The Kneber network is relatively small for a botnet -- about 75,000 infected computers in all. However, Kneber's mission makes it especially dangerous. It's going after prime cybercrook loot: corporate login credentials, email access, banking sites, social network sign-ons and dossier-level data sets on individuals.
Feb 18, 2010 11:47 AM PT
As botnets go, the Kneber botnet, which has hit about 75,000 PCs in roughly 2,500 companies worldwide, is fairly minuscule.
However, it's disproportionately dangerous because it's aimed at very specific targets -- corporations and government departments -- whose PCs store critically important information, such as Social Security numbers and corporate login credentials.
The botnet used the ZeuS Trojan, a highly sophisticated piece of malware. It's also infected about half its victims with a second Trojan, Waledac.
ZeuS is widely used by cybercriminals, and kits for creating various versions of the Trojan are widely available on the Internet, according to security research firm McAfee.
Network forensics firm NetWitness first discovered the botnet in January during a routine deployment of its network monitoring systems, the company said.
The results of a probe were stunning. Deeper investigation revealed an extensive compromise of commercial and government systems, including 68,000 corporate login credentials, access to email systems, online banking sites, email and social networking credentials, thousands of SSL certificate files, and dossier-level data sets on individuals, including complete dumps of entire identities from victim machines, NetWitness said.
Kneber did not always act alone. More than half the approximately 75,000 PCs worldwide infected with Kneber were also tagged by the Waledac peer-to-peer botnet, NetWitness said. This double-teaming improves the resilience and survival capabilities of the botnets. It may also point to deeper collaboration among cybercriminal gangs.
"We believe botnet controllers are combining the stability and feature set of ZeuS with the abilities of Waledac so these Trojans can complement each other's abilities to exfiltrate sensitive data and stay persistent on compromised machines," Chris Silva, chief architect and vice president of products at eEye Digital Security, told TechNewsWorld.
This is not the first time cybercriminals have cobbled together two or more Trojans in an attack. "We've seen other instances where this is happening," Toralv Dirro, a security strategist at McAfee Labs, told TechNewsWorld. "We've seen Conficker combined with Waledac."
Sometimes, several different Trojans have all been installed on victims' PCs, Dirro said. This either happens because additional malware is downloaded through the original Trojan, or because the victims' email addresses were on a distribution list used by cybercrooks and different cybercriminal rings were using the same list, he explained.
NetWitness is working with law enforcement agencies to combat Kneber.
Size Does Not Matter
Kneber is relatively small, as botnets go. "On average, we're seeing something like 4 million new zombies (botnet-infected computers) each and every month," McAfee's Dirro said. "So 75,000 machines is not really a big deal."
It's the sharply targeted attacks that make Kneber dangerous despite its relatively small size. "I don't know that Kneber's more dangerous than any other botnet, but the people behind it are more dangerous because of the companies and organizations they're targeting," Randy Abrams, director of technical education at ESET, told TechNewsWorld.
Staying Out of Trouble
Companies need to educate their staff so they don't click on links in emails from untrusted sources or engage in other activities that get their accounts compromised, ESET's Abrams said. "We're going to see a lot more of this kind of targeted attacks, so it's critical for employers to give their staff an antiphishing education."
Corporations can also get software that looks for suspicious activities such as logins from inappropriate sites, then combines that information with changes in the infrastructure, Dwayne Melancon, a vice president at Tripwire, told TechNewsWorld.
"That helps you find out if, when people get into your system, what they did -- open up a port, start a Telnet session, or add a bot," he explained.
This reduces the time between when an attack is launched and when it is discovered, which can be over a year in some cases, Melancon pointed out.