Back to overview

Threat intelligence

New Zeus Botnet – Kneber (Feb 18, 2010)

by Security News

SonicWALL UTM Research team observed reports of the Kneber Botnet today morning that compromised over 75,000 systems including government agencies worldwide. This is not a new Botnet but a standard Zeus Botnet that we have covered in detail in one of our SonicAlert last year - Zeus Trojan Family.

New variants of Zeus Botnet appear constantly in the wild. The name Kneber comes from the user name associated with one of its controller domain silence7.cn.

A look-up of this domain from http://whois.domaintools.com yields the following information where the registrant email address bears its last name 'Kneber', thus the name of this Botnet.

    Domain Name: silence7.cn
    ROID: 20091210s10001s86100640-cn
    Domain Status: ok
    Registrant Organization: Hilary
    Registrant Name: Hilary
    Administrative Email: hilarykneber@yahoo.com

    Name Server:free01.editdns.net
    Name Server:free02.editdns.net
    Registration Date: 2009-12-10 21:10
    Expiration Date: 2010-12-10 21:10

This new variant has the following characteristics generic to Zeus Botnet:

    File Creation:
    sdra64.exe
    lowsec
    lowseclocal.ds
    lowsecuser.ds

    Note: is the default windows installation folder. Typically its C:Winntsystem32 for Windows 2000 and NT and C:WindowsSystem32 for XP, Vista, and Windows 7.

    Registry Modification:
    This botnet modifies this registry entry to ensure its automatic execution on every Windows startup.

    Key:
    Value: "Userinit"
    Original Data: "C:\WINDOWS\system32\userinit.exe,"
    Modified Data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sdra64.exe,"

    Process Termination
    This Botnet tries to terminate firewall application to allow itself to run without interruption.

    • Outpost Firewall
    • Zone Alarm Firewall

SonicWALL Gateway AntiVirus provides protection against this Botnet via following GAV signatures:

  • GAV: Zbot.HNO (Trojan)
  • GAV: ZBot.gen (Trojan)
  • GAV: Zbot.AEZ (Trojan)
  • GAV: Zbot.ABC (Trojan)
  • GAV: Zbot.CMS (Trojan)
  • GAV: Zbot.RL (Trojan)
  • GAV: Zbot.IXC (Trojan)
  • GAV: Zbot.CFA (Trojan)
  • GAV: Zbot.gen.C (Trojan)
  • GAV: Zbot.ADFY_2 (Trojan)
  • GAV: Zbot.CA (Trojan)
    •

screenshot

screenshot

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.