Kneber Update

6:05 pm Advanced Threats, Competitor Hype, Situational Awareness, cybercrime, trojan

There was a significant amount of coverage yesterday of research performed by NetWitness into a large set of stolen information recovered from a ZeuS botnet.  Some of the information, analysis, and commentary was very beneficial to the broader discussion of threats such as these.  There is, however, some information that we feel we should address.

  • Kneber is a pseudonym for ZeuS:

Kneber is not a pseudonym for ZeuS. Kneber refers to one group of organized criminals, one set of command and control systems, and the 74,000+ infected victim systems of this particular (primarily ZeuS) botnet.   ZeuS is a tool, used by many groups to build command and control infrastructure and steal information.  There are hundreds of active ZeuS botnets, many of them larger than this one, and ZeuS is only one of several tools used in this particular botnet: we have seen INTENTIONAL cross-pollination with other trojans, including Waledac and Grum, and with tools such as packet sniffers.  When we discuss the threat, we mean not just the tool used but the organization behind it.

  • Kneber is “nothing new”:

We have been very clear that this is a medium-sized infestation compared with all the tracked ZeuS botnets on the Internet.   What makes it valuable is the opportunity to analyze such a large sample of stolen information and add quantitatively to the discussion of threats to corporate security.  The number of infected and active systems inside some of the largest, most technology-savvy companies has to be considered, and our approach to security needs to change given the broad failure to identify or remediate these infestations.   Trivializing the damage done is simply disingenuous on the part of anyone who has seen the types of data stolen by threats such as these.

  • Current protections and solutions can detect this type of activity:

This quote from Symantec, via the Guardian, KrebsOnSecurity, and others:

“Kneber, in reality, is not a new threat at all, but is simply a pseudonym for the infamous and well-known Zeus Trojan,” said the company. “The name Kneber simply refers to a particular group, or herd, of zombie computers, a.k.a. bots, being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot, which also goes by the name Zeus, which has been observed, analyzed and protected against for some time now.”

This quote is particularly troubling, as it minimizes the threat and is almost dismissive.   Moreover, when this particular variant was analyzed in late January (using several scanning services), Symantec did NOT detect it as malicious.   To be fair, McAfee, Trend Micro, AVG, and most other mainstream anti-virus products also failed to recognize it as malicious.  In the past three weeks, Symantec has added signatures that detect this particular variant as a generic “Trojan Horse”.  However, if you were infected by this strain, your system has already processed an update that blocks it from contacting Symantec and other vendors for updates, so in most cases the new signature will never arrive.   Worse, as part of its normal operation ZeuS attaches itself to (injects into) running processes on the victim system in order to monitor them, and what it observes is logged along with the other stolen information.   This data set shows ZeuS attached to running Symantec software on over a thousand victim systems; products from many other AV vendors are present as well.

[Figure: a ZeuS log entry capturing a Symantec LiveUpdate session, including the FTP username and password used by the Symantec software during the update.]
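The update blocking described above is something a responder can check for directly. The following is an added example, not code from the NetWitness post: it assumes the blocking is done through the hosts file (one common technique; the post does not say which mechanism this variant used), and the list of vendor update hostnames is a short illustrative one, not a complete inventory.

```python
"""Flag hosts-file entries that blackhole or redirect security-vendor update hosts.

Added example, not code from the NetWitness post. Assumption: the malware
blocks AV updates by rewriting the hosts file. The hostname list below is
illustrative, not complete.
"""
import ipaddress

# Illustrative (assumption): names the host must resolve normally to get AV updates.
UPDATE_HOSTS = {
    "liveupdate.symantecliveupdate.com",
    "liveupdate.symantec.com",
    "update.symantec.com",
    "download.mcafee.com",
    "update.nai.com",
    "www.trendmicro.com",
    "update.avg.com",
}

# Addresses typically used to blackhole a name.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments
    and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            yield addr, name.lower().rstrip(".")


def find_blocked_update_hosts(text, watch=UPDATE_HOSTS):
    """Return {hostname: {"address", "sinkholed"}} for watched names (or their
    subdomains) that the hosts file overrides. Any override of an update host
    is suspicious; a sinkhole address is the stronger signal, a redirect to a
    routable address could mean an attacker-controlled update server."""
    findings = {}
    for addr, name in parse_hosts(text):
        if name in watch or any(name.endswith("." + w) for w in watch):
            findings[name] = {"address": addr, "sinkholed": addr in SINKHOLE_ADDRS}
    return findings


# Constructed sample: a Windows hosts file after tampering.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com   # no update for you
0.0.0.0 update.nai.com download.mcafee.com
192.0.2.50 www.trendmicro.com
10.0.0.5 intranet.example.test
"""

if __name__ == "__main__":
    for host, info in sorted(find_blocked_update_hosts(SAMPLE_HOSTS).items()):
        flag = "SINKHOLED" if info["sinkholed"] else "REDIRECTED"
        print(f"{flag:10} {host} -> {info['address']}")
```

On a suspect Windows host the input would be the contents of %SystemRoot%\System32\drivers\etc\hosts; a clean file should produce no findings at all, since none of these names belong there.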
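The credential in the figure above was captured from inside the update process, but FTP sends USER and PASS in the clear, so the same credential is visible to anyone recording the wire, which is the kind of evidence a network monitor can retain. The following is an added example, not code from the post: it extracts logins from a captured FTP control-channel transcript. The session is constructed; the server name, account and password are placeholders, not Symantec's.

```python
"""Extract cleartext FTP logins from a captured control-channel transcript.

Added example, not code from the NetWitness post. The transcript format
('C: ' client lines, 'S: ' server lines, one FTP message per line) and the
credentials are constructed placeholders.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FtpLogin:
    server: str
    user: str
    password: str
    accepted: bool = False                     # set from the server's reply to PASS
    files: list = field(default_factory=list)  # RETR targets after a successful login


USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.I)
PASS_RE = re.compile(r"^PASS\s+(.*?)\s*$", re.I)
RETR_RE = re.compile(r"^RETR\s+(.+?)\s*$", re.I)


def extract_ftp_logins(server, transcript):
    """Return every login attempt in the transcript. An attempt is marked
    accepted only if the first server line after PASS is a 230 reply; files
    retrieved after a successful login are recorded on that login."""
    logins = []
    pending_user = None      # USER seen, PASS not yet
    current = None           # most recent login attempt
    awaiting_reply = False   # next server line is the verdict on PASS
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("C: "):
            msg = line[3:]
            m = USER_RE.match(msg)
            if m:
                pending_user = m.group(1)
                continue
            m = PASS_RE.match(msg)
            if m and pending_user is not None:
                current = FtpLogin(server, pending_user, m.group(1))
                logins.append(current)
                pending_user = None
                awaiting_reply = True
                continue
            m = RETR_RE.match(msg)
            if m and current is not None and current.accepted:
                current.files.append(m.group(1))
        elif line.startswith("S: ") and awaiting_reply:
            # 230 = logged in; 530 (or anything else) = rejected.
            current.accepted = line[3:6] == "230"
            awaiting_reply = False
    return logins


# Constructed transcript: one failed login, then a successful one that pulls
# a definitions file. Names and secrets are placeholders.
SAMPLE_SESSION = """\
S: 220 ftp.updates.example FTP server ready
C: USER updateclient
S: 331 Password required for updateclient
C: PASS wrong-pw
S: 530 Login incorrect
C: USER updateclient
S: 331 Password required for updateclient
C: PASS s3cr3t-update-pw
S: 230 User updateclient logged in
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,200,12)
C: RETR /definitions/defs-20100218.zip
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

if __name__ == "__main__":
    for login in extract_ftp_logins("ftp.updates.example", SAMPLE_SESSION):
        verdict = "OK " if login.accepted else "BAD"
        print(f"{verdict} {login.user}:{login.password}@{login.server} files={login.files}")
```

The practical consequence is the one the post implies: a shared update credential that travels in the clear has to be treated as compromised once any client that used it is known to be infected.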

  • Are the facts overstated?:

The facts are stated succinctly in the whitepaper we released.   We do not believe the threat is overstated; if anything, the analysis we released was conservative.   There are likely thousands of additional corporate networks affected, and analysis of this much information takes time.   And this is simply one of many similar operations in existence.  The group behind this effort can be described as sophisticated, yet it also shows signs of lax effort to hide its trail.   The botnet is very actively managed and continues to operate today, and the fact that it has been in successful operation for over 18 months also has to be considered.   We have also received several additional data points from federal contacts with insight into related, government-focused attacks.

More to come.

Tim Belcher and Alex Cox

8 Responses

  1. John Says:

    So what can the average user do to fix/mitigate this botnet or any for that matter?

  2. Comwise Internetwork Sdn Bhd » Blog Archive » Why it is all too easy to become a cybercriminal Says:

    [...] NetWitness’ media coup  sparked some sniping from rival tech security vendors McAfee and Symantec; each cast aspersions on NetWitness’ characterizations of the significance of its findings. NetWitness shot back with this point-by-point response. [...]

  3. tim Says:

    This is not an easy question to answer. While Anti-Virus and Anti-Malware technologies are indeed important, it is simply too easy to repackage these exploits to bypass technologies that are primarily signature based. There is a network equivalent there in IDS/IPS technologies as well. It takes days, weeks, months for some of these protection technologies to get updated. You have to expect that compromise is inevitable, and put in place technologies that are capable of “filling the gaps” left by the others. At NW, we deliver visibility and understanding to all network activity, and detection of this particular type of activity is fairly commonplace. Of course the adversary is getting ever more advanced. You need the ability to look back over time once you DO know characteristics of the attack and assess the damage / develop a remediation plan. Without that network memory, you will have no insight into the amount or type of data stolen. There is no magic pill. There is no “secure.”
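The "network memory" point in the comment above is easiest to see with a concrete search. The following is an added example, not NetWitness code and not part of the comment: it runs a retrospective query over retained flow records once a C2 indicator becomes known, answering which internal hosts talked to it, since when, and how much data went out. The flow log and the indicator (203.0.113.10, RFC 5737 documentation space) are constructed.

```python
"""Retrospective search over retained flow records once an indicator is known.

Added example, not NetWitness code. FLOW_LOG and the C2 address are
constructed; the fields are the minimum a NetFlow-style collector keeps.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: "timestamp src dst:port bytes_out bytes_in", one flow per line.
FLOW_LOG = """\
2010-01-15T09:12:03 10.1.4.22 203.0.113.10:443 1840 612
2010-01-15T09:27:41 10.1.4.22 203.0.113.10:443 229310 480
2010-01-16T02:03:17 10.1.7.9 203.0.113.10:443 1790 590
2010-01-16T02:03:19 10.1.7.9 198.51.100.7:80 9120 412000
2010-01-19T11:45:00 10.1.4.22 203.0.113.10:443 48210 410
2010-02-02T08:00:12 10.1.9.130 203.0.113.10:443 1820 600
2010-02-02T08:15:12 10.1.9.130 203.0.113.10:8080 1100 300
"""


def parse_flows(text):
    """Parse the log into dicts; skip blank or malformed lines rather than abort."""
    flows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 5:
            continue
        ts, src, dst, out, inn = parts
        dst_ip, _, dst_port = dst.rpartition(":")
        try:
            flows.append({
                "ts": datetime.fromisoformat(ts),
                "src": src,
                "dst": dst_ip,
                "dport": int(dst_port),
                "bytes_out": int(out),
                "bytes_in": int(inn),
            })
        except ValueError:
            continue
    return flows


def retrospective_search(flows, ioc_ip, ioc_port=None, exfil_threshold=100_000):
    """Summarize, per internal source, every retained flow to the indicator.

    ioc_port=None matches any port (the C2 may move ports). Returns
    {src: {first_seen, last_seen, days_active, flows, bytes_out, likely_exfil}}
    with timestamps as ISO strings."""
    per_src = defaultdict(lambda: {"first": None, "last": None, "flows": 0, "bytes_out": 0})
    for f in flows:
        if f["dst"] != ioc_ip or (ioc_port is not None and f["dport"] != ioc_port):
            continue
        s = per_src[f["src"]]
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
        s["flows"] += 1
        s["bytes_out"] += f["bytes_out"]
    return {
        src: {
            "first_seen": s["first"].isoformat(),
            "last_seen": s["last"].isoformat(),
            "days_active": (s["last"] - s["first"]).days + 1,
            "flows": s["flows"],
            "bytes_out": s["bytes_out"],
            # Beacons are small; a large outbound total means something left.
            "likely_exfil": s["bytes_out"] >= exfil_threshold,
        }
        for src, s in per_src.items()
    }


if __name__ == "__main__":
    hits = retrospective_search(parse_flows(FLOW_LOG), "203.0.113.10", 443)
    for src, info in sorted(hits.items(), key=lambda kv: kv[1]["first_seen"]):
        print(src, info)
```

Without the retained records, the only answer available on detection day is "this host is infected now"; with them, the first-seen date and the outbound byte count bound the dwell time and the damage, which is what the remediation plan needs.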

  4. Yaggi Says:

    Hi

    Currently, we see many machines infected with Zeus (74.118.192.124 via tcp 5900); we are advised to use McAfee Rootkit Detector.

    We are using Symantec, so we just make sure that our definitions are updated and run a full scan (safe mode) http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99, or do we really need to use this McAfee Rootkit Detective?

    By the way, about infection, is it exploiting unpatched vulnerabilities in the IE browser?
    I wanted to know if this issue is similar to Conficker in that, as long as we patch MS08-067, the machine is Conficker free?

    Or can this malware infect users even if they have no vulnerability at all, as long as the user clicks something malicious on the net?
    How can a certain malware infect a fully patched machine (assuming no more 0-day vulnerability issues)? Can it still infect or exploit?

    Thanks

  5. EJ Says:

    One item of interest to me in this but I haven’t seen commented on is whether the victims that were detected in this 74K node botnet have been notified of their participation?

  6. tim Says:

    In order:

    The McAfee Rootkit Detector, when we tested it the other day, did not detect this “variant.” We say variant, because these adversaries can take the executable and repackage it with various tools that make it undetectable to many signature based solutions. Since the posting of this, we have various additional repackaged versions that remain undetected.

    All AV vendors have similar challenges detecting these repackaged versions. If your signatures are up to date, you will likely detect the original variant. However, there are more that have been released that are difficult to detect. AV plays an important role here – but cannot be relied upon exclusively.

    The IE vulnerability can be used to deliver malware. This particular group has access to a very large spamming bot, and is using custom crafted emails that can be very convincing.

    See the last response on patching. If they successfully convince you to open a trojaned document, or use a zero-day, or convince you to voluntarily install, you will be infected. Patching, like AV, is part of the solution and makes you more resistant, but does not make anyone immune.

  7. tim Says:

    Where possible, and within reason, we have notified responsible network owners of the IP addresses that are infected. In many articles, it mentioned we are working to notify parties. We continue to work with others including service providers, banks, and social networking sites.

  8. Zeus Botnet: Interesting and In-depth Articles « Mister Reiner Says:

    [...] NetWitness Blog: Kneber Update (Web page – An attempt to set the record straight) [...]
