New Zeus Botnet - Kneber

February 18, 2010

SonicWALL UTM Research team observed reports of the Kneber Botnet today morning that compromised over 75,000 systems including government agencies worldwide. This is not a new Botnet but a standard Zeus Botnet that we have covered in detail in one of our SonicAlert last year - Zeus Trojan Family.

New variants of Zeus Botnet appear constantly in the wild. The name Kneber comes from the user name associated with one of its controller domain

A look-up of this domain from yields the following information where the registrant email address bears its last name 'Kneber', thus the name of this Botnet.

    Domain Name:
    ROID: 20091210s10001s86100640-cn
    Domain Status: ok
    Registrant Organization: Hilary
    Registrant Name: Hilary
    Administrative Email:

    Registration Date: 2009-12-10 21:10
    Expiration Date: 2010-12-10 21:10

This new variant has the following characteristics generic to Zeus Botnet:

    File Creation:
    [System Folder]sdra64.exe
    [System Folder]lowsec
    [System Folder]lowseclocal.ds
    [System Folder]lowsecuser.ds

    Note: [System Folder] is the default windows installation folder. Typically its C:Winntsystem32 for Windows 2000 and NT and C:WindowsSystem32 for XP, Vista, and Windows 7.

    Registry Modification:
    This botnet modifies this registry entry to ensure its automatic execution on every Windows startup.

    Key: [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
    Value: "Userinit"
    Original Data: "C:\WINDOWS\system32\userinit.exe,"
    Modified Data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sdra64.exe,"

    Process Termination
    This Botnet tries to terminate firewall application to allow itself to run without interruption.

    • Outpost Firewall
    • Zone Alarm Firewall

SonicWALL Gateway AntiVirus provides protection against this Botnet via following GAV signatures:

  • GAV: Zbot.HNO (Trojan)
  • GAV: ZBot.gen (Trojan)
  • GAV: Zbot.AEZ (Trojan)
  • GAV: Zbot.ABC (Trojan)
  • GAV: Zbot.CMS (Trojan)
  • GAV: Zbot.RL (Trojan)
  • GAV: Zbot.IXC (Trojan)
  • GAV: Zbot.CFA (Trojan)
  • GAV: Zbot.gen.C (Trojan)
  • GAV: Zbot.ADFY_2 (Trojan)
  • GAV: Zbot.CA (Trojan)