The Kneber Botnet

The term Botnet is used to refer to a collection of software robots or bots which are automated applications that infect multiple, possibly geographically disbursed, computers. These infected computers can then be controlled remotely via a central Control and Command Center (C&C) which the Botnet herder sets up. Botnets are used in underground criminal activities to steal credit card information, perform Distributed Denial of Service attacks, creation or misuse of SMTP mail relays for spam, click fraud, spamdexing and the theft of application serial numbers and login IDs of personal banking accounts and online mail accounts.

While the term “botnet” can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure. This setup is remotely controlled by a Bot herder, also called as Bot master using a C&C via IRC channels or through Web Servers. When a botnet has become sufficiently large, criminals may try to acquire them for undisclosed but large sums of money to gain access to all the data and resulting information from the infected machines and subsequently from the networks associated with them.

The Kneber botnet, discovered by NetWitness, a company that deals with network monitoring and threat analysis solutions, is a new variant of the already massive ZeuS botnet, which has reportedly compromised 75000 machines in 2500 business worldwide. The Kneber botnet is based on the older 1.2 version of ZeuS which is given away for free. ZeuS, also known as Zbot, is readily available to buy in underground forums for as little as 700 USD. The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. While ZeuS is a generic back door that allows full control by an unauthorized remote user, the primary function of ZeuS is financial gain stealing online credentials such as FTP, email, online banking, and other online passwords via keystroke logging. Zeus’ current botnet is estimated to include millions of compromised computers (around 3.6 million in the United States alone). Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.

The Kneber botnet is a relatively small botnet considering the number of compromised computers, although the number of organization and business infected is quite high. The Kneber botnet uses rootkit technologies, undocumented Windows API and other stealth techniques to hide its presence on the infected machine. The Kneber botnet infects only Windows computers and has been known to infect Windows XP Professional SP 2 machines more than any other flavors. The explanation for this could be attributed to the nature in which machines are infected. Computers at the work place can be infected via accesses to sites that cause drive by downloads, URLs of which may be received via spam mails. Also vulnerabilities in the browser (IE 6 and IE 7) and security issues in the OS itself may trigger an infection. No reports of Windows 7 computers being infected have been seen yet possibly due to the use of IE 8 and patching of critical vulnerabilities found in older versions of Windows.

Symptoms of infection may include unexplained bandwidth usage, unknown processes being created, unexplained usage of CPU and memory resources and frequent stalling of applications. The ZeuS botnet is very difficult to detect even with up-to-date antivirus software. Ironically, there are other botnets that have installers made for ZeuS, like the Trojan SpyEye, so that when it affects a computer already infected with ZeuS, it can kick out Zeus and claim the machine for itself. Of course, the computer is still a bot, just with a different Control and Command Center and Bot Herder. The Kneber botnet on the other hand is easily detected and cleaned by most antivirus programs due to its usage of the older version of ZeuS. Egress filtering on traffic at the network perimeter between internal private networks and the Internet may help detect early infection and coupled with active intrusion detection systems may protect organizations and businesses alike. Using virtual keyboards, found on the login pages of most banking applications, or the Microsoft On-Screen Keyboard (osk.exe), when entering sensitive data on even trusted sites, will help protect user identities, financial information and data confidentiality. Common utilities like TCPView, Process Monitor and Process Explorer from Sysinternals (Microsoft) will help identify Network, CPU and Memory congestion factors. It is advisable that businesses continue to train its employees to prevent them from clicking links in emails or on the web, opening malicious attachments while also keeping up with antivirus and operating system updates. Securing the operating system goes in preventing several unrelated issues as well.