New Zeus Botnet - Kneber

February 18, 2010

This morning the SonicWALL UTM Research team observed reports of the Kneber Botnet, which has compromised over 75,000 systems worldwide, including government agencies. This is not a new Botnet but a standard Zeus Botnet, which we covered in detail in one of our SonicAlerts last year - Zeus Trojan Family.

New variants of the Zeus Botnet appear constantly in the wild. The name Kneber comes from the user name associated with one of its controller domains, silence7.cn.

A look-up of this domain at http://whois.domaintools.com yields the following record; the registrant email address carries the surname 'Kneber', hence the name of this Botnet.

    Domain Name: silence7.cn
    ROID: 20091210s10001s86100640-cn
    Domain Status: ok
    Registrant Organization: Hilary
    Registrant Name: Hilary
    Administrative Email: hilarykneber@yahoo.com

    Name Server:free01.editdns.net
    Name Server:free02.editdns.net
    Registration Date: 2009-12-10 21:10
    Expiration Date: 2010-12-10 21:10

This new variant has the following characteristics, generic to the Zeus Botnet:

    File Creation:
    [System Folder]\sdra64.exe
    [System Folder]\lowsec
    [System Folder]\lowsec\local.ds
    [System Folder]\lowsec\user.ds

    Note: [System Folder] is the Windows system directory. Typically this is C:\Winnt\system32 for Windows 2000 and NT and C:\Windows\System32 for XP, Vista, and Windows 7.

    Registry Modification:
    This Botnet modifies the following registry value to ensure its automatic execution on every Windows startup. Winlogon runs each comma-separated program listed in Userinit at logon, so appending sdra64.exe to the value launches the Trojan alongside the legitimate userinit.exe.

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value: "Userinit"
    Original Data: "C:\WINDOWS\system32\userinit.exe,"
    Modified Data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sdra64.exe,"

    Process Termination:
    This Botnet tries to terminate firewall applications so that it can run without interruption. Targeted products include:

    • Outpost Firewall
    • Zone Alarm Firewall
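A host-triage script for the indicators above, added here as an example and not part of SonicWALL's alert or of the Zeus code: it parses a Userinit value into its individual entries, flags anything other than the legitimate userinit.exe, matches a file listing against the three drop paths, and, when run on Windows, reads the live Userinit value with the standard winreg module. The registry strings and the file listing in the block are constructed to mirror the indicators listed above; the default system-folder path and the function names are assumptions of this example.

```python
"""
Added host-triage example for the Zeus/Kneber indicators in the alert.
Not SonicWALL's code. The sample registry values and file listing are
constructed; live_check() reads the real Winlogon Userinit value on Windows.
"""
import ntpath

# Paths Zeus drops relative to the system folder ([System Folder] above).
ZEUS_SYSTEM_ARTIFACTS = (
    r"sdra64.exe",
    r"lowsec\local.ds",
    r"lowsec\user.ds",
)

# Constructed samples (not captured from a real host).
SAMPLE_USERINIT_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
SAMPLE_USERINIT_INFECTED = (
    r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sdra64.exe,"
)
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\System32\userinit.exe",
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\WINDOWS\System32\sdra64.exe",
    r"C:\WINDOWS\System32\lowsec\local.ds",
    r"C:\WINDOWS\System32\lowsec\user.ds",
]


def parse_userinit(value):
    """Split the comma-separated Userinit value into individual program paths.

    Winlogon runs every entry in this list at logon; the trailing comma in
    the stock value yields an empty entry, which is dropped here.
    """
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def unexpected_userinit_entries(value, system_dir=r"C:\WINDOWS\system32"):
    r"""Return every Userinit entry that is not the legitimate userinit.exe.

    Comparison is case-insensitive with separators normalised, so
    C:\WINDOWS\System32\ and c:/windows/system32/ compare equal.
    """
    expected = ntpath.normcase(ntpath.join(system_dir, "userinit.exe"))
    return [e for e in parse_userinit(value) if ntpath.normcase(e) != expected]


def zeus_file_indicators(paths, system_dir=r"C:\WINDOWS\system32"):
    """Return the paths from a file listing that match the Zeus drop locations."""
    wanted = {ntpath.normcase(ntpath.join(system_dir, a)) for a in ZEUS_SYSTEM_ARTIFACTS}
    return [p for p in paths if ntpath.normcase(p) in wanted]


def triage(userinit_value, file_listing, system_dir=r"C:\WINDOWS\system32"):
    """Combine both checks; returns the individual findings and a verdict."""
    extra = unexpected_userinit_entries(userinit_value, system_dir)
    files = zeus_file_indicators(file_listing, system_dir)
    return {
        "userinit_extra": extra,
        "zeus_files": files,
        "suspect": bool(extra or files),
    }


def live_check():
    """Windows-only: read the real Userinit value and probe the drop locations.

    A live probe can miss the files because Zeus hides them from processes
    it has injected into, so a negative result here is not conclusive.
    """
    import os
    import winreg  # only available on Windows

    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    present = [ntpath.join(system_dir, a) for a in ZEUS_SYSTEM_ARTIFACTS
               if os.path.exists(ntpath.join(system_dir, a))]
    return triage(value, present, system_dir)


if __name__ == "__main__":
    print(triage(SAMPLE_USERINIT_CLEAN, SAMPLE_FILE_LISTING[:2]))
    print(triage(SAMPLE_USERINIT_INFECTED, SAMPLE_FILE_LISTING))
```

Zeus variants of this generation hook the directory-listing APIs inside the processes they inject into, so a listing taken on the running host can come back clean; check an offline copy of the disk or boot from clean media before trusting a negative. The Userinit value is the more reliable of the two indicators, but it can also carry legitimate third-party entries, so treat anything unexpected as a lead to verify rather than a verdict.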

SonicWALL Gateway AntiVirus provides protection against this Botnet via the following GAV signatures:

  • GAV: Zbot.HNO (Trojan)
  • GAV: ZBot.gen (Trojan)
  • GAV: Zbot.AEZ (Trojan)
  • GAV: Zbot.ABC (Trojan)
  • GAV: Zbot.CMS (Trojan)
  • GAV: Zbot.RL (Trojan)
  • GAV: Zbot.IXC (Trojan)
  • GAV: Zbot.CFA (Trojan)
  • GAV: Zbot.gen.C (Trojan)
  • GAV: Zbot.ADFY_2 (Trojan)
  • GAV: Zbot.CA (Trojan)
