Botnet revelation shows darker underbelly of malware

Information gathered about a newly discovered botnet called Kneber indicates that multiple infections by different malware on the same host could work together as a sophisticated mechanism to give all the malware a better survival rate.

The sheer size of the Kneber botnet -- 74,000 compromised computers in 2,400 different companies -- attracted most of the attention when Kneber was revealed Thursday. But how it interacts with other malware networks suggests a symbiotic relationship that ultimately makes each botnet more resistant to being dismantled, says Alex Cox, the senior consultant in the research department at NetWitness who discovered Kneber.

Kneber was built using a well-established toolkit for aggregating botnets called ZeuS that has been around for years. Kneber is an example of just one botnet built with the toolkit, but because Cox captured 75GB of log data from the command-and-control server, he was able to examine detailed characteristics of the computers ZeuS took over.

What he found is that more than half of the 74,000 compromised computers -- bots -- within Kneber were also infected with other malware that uses a different command-and-control structure. If one of the criminal networks were disabled, the other could be used to build it up again.

"At the very least, two separate botnet families with different [command-and-control] infrastructures can provide fault tolerance and recoverability in the event that one [command-and-control] mechanism is taken down by security efforts," he says in his written analysis of the Kneber botnet.

In this case, more than half the machines that made up the botnet were infected with both ZeuS, which steals user data, and Waledac, a spamming malware that uses peer-to-peer mechanisms to spread more infections, he says. He can't conclude for sure that they're working together in this case, but the presence of both introduces an interesting possibility: If the ZeuS command-and-control infrastructure is cut down, the owner of the ZeuS botnet could go to the person running the Waledac botnet and pay for it to push a ZeuS upgrade that brings the ZeuS bots back online reporting to a new server, he says.

Alternatively, a single group could run both the ZeuS and Waledac botnets and push the upgrade itself. "From a disaster-recovery perspective, it makes sense," Cox says.
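The fault-tolerance argument above has a direct defensive consequence: a host that beacons to two independent command-and-control structures is not cleaned by taking down or blocking only one of them, because the surviving family is a path for re-infection. The following is an added example, not code from the article or from NetWitness, showing how the kind of correlation Cox performed on captured logs can be done over beacon records: group hosts by the malware families they beacon for, measure how much one family's population overlaps with another, and list the hosts that would still be reachable by an operator after one family's infrastructure is cut. The log format, host names, family labels and addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of C2 beacon records (timestamp, host, malware family, C2 endpoint).
# None of these hosts or addresses are real; the format is an assumption for this example.
SAMPLE_LOG = """\
2010-01-26T10:01:12Z host=WS-0107 family=zeus c2=203.0.113.10:80
2010-01-26T10:02:40Z host=WS-0107 family=waledac c2=peer:198.51.100.22:443
2010-01-26T10:03:05Z host=WS-0212 family=zeus c2=203.0.113.10:80
2010-01-26T10:04:17Z host=WS-0330 family=waledac c2=peer:198.51.100.57:443
2010-01-26T10:05:50Z host=WS-0415 family=zeus c2=203.0.113.10:80
2010-01-26T10:06:02Z host=WS-0415 family=waledac c2=peer:198.51.100.91:443
2010-01-26T10:07:33Z host=WS-0107 family=zeus c2=203.0.113.10:80
2010-01-26T10:08:44Z host=WS-0520 family=zeus c2=203.0.113.11:80
2010-01-26T10:09:10Z host=WS-0520 family=other c2=192.0.2.5:8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) family=(?P<family>\S+) c2=(?P<c2>\S+)$"
)


def parse_beacons(text):
    """Parse one beacon record per line into dicts; reject malformed lines loudly."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable beacon line: {line!r}")
        records.append(match.groupdict())
    return records


def families_per_host(records):
    """Map each host to the set of malware families it has beaconed for."""
    families = defaultdict(set)
    for rec in records:
        families[rec["host"]].add(rec["family"])
    return dict(families)


def multi_family_hosts(records):
    """Hosts carrying more than one family: the ones a single takedown cannot free."""
    return {
        host: sorted(fams)
        for host, fams in families_per_host(records).items()
        if len(fams) > 1
    }


def overlap_fraction(records, family):
    """Fraction of hosts beaconing for `family` that also carry some other family."""
    families = families_per_host(records)
    members = [h for h, fams in families.items() if family in fams]
    if not members:
        return 0.0
    dual = [h for h in members if len(families[h]) > 1]
    return len(dual) / len(members)


def surviving_hosts_after_takedown(records, family_taken_down):
    """Hosts of `family_taken_down` that stay reachable through another family's C2.

    These are the hosts where a remediation plan that only addresses the
    dismantled family leaves an open path for an update to re-enrol them."""
    families = families_per_host(records)
    return sorted(
        host
        for host, fams in families.items()
        if family_taken_down in fams and fams - {family_taken_down}
    )


if __name__ == "__main__":
    recs = parse_beacons(SAMPLE_LOG)
    print("multi-family hosts:", multi_family_hosts(recs))
    print("zeus hosts also carrying another family: %.0f%%"
          % (100 * overlap_fraction(recs, "zeus")))
    print("reachable after a zeus C2 takedown:",
          surviving_hosts_after_takedown(recs, "zeus"))
```

On the constructed sample, three of the four ZeuS hosts also carry a second family, so blocking the ZeuS C2 addresses alone would leave those three machines reachable; the host list from `surviving_hosts_after_takedown` is the remediation queue that has to be worked regardless of which family's infrastructure falls first.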

The Kneber server log contained individuals' passwords to sites including Facebook and Yahoo as well as a slew of financial sites including CitiBank, Wells Fargo, PayPal, Citizens Bank and HSBC Bank, according to Cox's report on Kneber.

Cox discovered Kneber Jan. 26 while working at a NetWitness customer site. He found a machine infected with ZeuS that was downloading other malware executables. He traced the traffic back to a ZeuS command-and-control server in Germany, where he was able to grab a month's worth of the server's log data. He won't say how he accomplished these actions.

The botnet got its name from the registrant listed for the original domain used to pull together various components of the botnet. That same registrant has been associated with seeking other malware, including PDF and Flash exploits as well as Trojan installs.

The same registrant is also listed on multiple Web sites seeking money mules -- people who accept illegal transfers of money into their bank accounts and forward them to other bank accounts in an effort to make the funds unrecoverable by the actual owners.

Kneber has been active since March 25, 2009, and most of the sites associated with its activities are in China, according to their underlying IP addresses, NetWitness says. About 17% of these sites are in the United States.

Cox also links Kneber to a phishing attack against U.S. government agencies that sends e-mails apparently from the National Security Agency urging recipients to click on links that download the malware.

He considers it significant that one of the things Kneber harvests is social networking usernames and passwords. These can be used to get into social networking accounts and post links to infected sites from them. Social network friends are more likely to trust these links because they appear to be posted by people they trust.

Social network accounts can also be mined for personal data that can be useful in further compromising individuals' financial accounts. For example, if social networking accounts yield mothers' maiden names, they might be used to reset passwords of bank accounts, giving attackers a way to get in and transfer money out.


Tim Greene

Network World