NEWS FROM THE LAB - Friday, February 19, 2010

Just what is this botnet called Kneber?

Posted by Sean @ 15:14 GMT

There's a botnet dubbed Kneber receiving lots of media attention this week.

So, just what is Kneber? Many reports have called it *THE* ZeuS botnet.

But really… it's just *A* ZeuS-based botnet, dubbed Kneber because of the name used to register many of its domains.

And so what is ZeuS? Well, ZeuS is a kind of do-it-yourself toolkit for building botnets. We call it Zbot. Our first samples of Zbot/ZeuS date back to October 2007.

Here are some Zbot posts from our blog:

  •  February 2008: Mikkeli Spam Links to ZBot Malware
  •  April 2008: Ms. Polinka Wants Your Bank Account
  •  November 2009: Poker in the ZBot

Here's a screenshot of ZeuS packages for sale:

[Image: ZeuS for sale]

And here's a link to a video of a ZeuS botnet in action.

ZeuS is definitely a threat, but it isn't a new threat.

Brian Krebs sums it up very nicely:

"Sadly, this botnet documented by NetWitness is neither unusual nor new. For the past several years at any given time, the number of distinct ZeuS botnets has hovered in the hundreds. At the moment, there are nearly 700 command-and-control centers online for ZeuS botnets all over the world, according to ZeuStracker, a Web site that keeps tabs on the global threat from ZeuS."

Updated to add: The video has been removed from YouTube.