Kneber, a botnet’s story

Date: March 10, 2010

Assessing the threat

On February 18th, during our daily review of computer security news, our attention was drawn to the publication of a study by the NetWitness company. This report described the infection of about 75,000 computers by a new botnet named Kneber (a botnet is a network of compromised computers, aka zombies). Because of this large figure, the story received wide media coverage and the general-interest press in particular tended to make too much of it. While the report itself presents the information in a fairly dramatic manner, comparing this story with past events such as the infection of millions of computers by the Conficker botnet leads us to think that Kneber is “unfortunately” not the threat of the century.

We can rather easily explain the extensive media coverage of this story by the following points:

  • The NetWitness report puts the emphasis on the numbers: 75,000 computers have been compromised, and 2,411 media outlets and large companies worldwide have been impacted. However, even after a careful reading of the study, it is difficult to know exactly over which period these infections occurred.
  • The use of a new name to describe the threat. You actually have to read the study carefully to learn that “Kneber” is nothing more than a new name for the “ZeuS” or “ZBot” Trojans. On the day the study was released, many newspapers did not mention that “Kneber” was just another name for the “ZeuS” Trojan.
  • The mention of several famous names in the list of the large companies that were affected (e.g. the pharmaceutical giants Merck & Co and Cardinal Health). Moreover, the mention on the first page that several government networks were hit by the botnet obviously adds to the sensational side of the story.
  • Finally, the NetWitness study was released at a time when current events in computer security and the global threat level were already the focus of all the media. We are thinking in particular of the so-called “Operation Aurora”, a computer attack that reportedly hit Google and several other large firms in the energy, banking, financial, media and high-tech sectors during the preceding weeks.

As a consequence, it is necessary to be very careful when dealing with this kind of information, which should be neither ignored nor exaggerated. Observing the reaction of the antivirus vendors can sometimes be a source of clarification. For example, Symantec published on its blog a post entitled ““Kneber” = ZeuS”, a short article reminding users that the discovery is nothing new. In fact, Trojans from the ZBot family have been known since at least July 2008 (see this virus description page), and similar malware had existed for years before that. The fact that several antivirus vendors downplay the threat, while their business is to sell solutions that protect users against exactly this kind of threat, is in this case a good indication that the information was really subject to a media boom. Moreover, some additional research on the Internet allowed us to find that other botnets, at least as large as “Kneber”, had already been identified in the past.

The NetWitness report nevertheless remains very instructive, particularly regarding the types of stolen data and the techniques used by the malware to persist on the infected system for as long as possible.

The discovery

At the end of last January, during a routine network security audit, the NetWitness company discovered about 75 gigabytes of apparently stolen data. Analysis of the format of these data quickly led them to conclude that they consisted of data harvested by the ZeuS Trojan. The activity of the botnet could be established thanks to the commercial tools developed by NetWitness, which are advertised in the discovery report. The discovery was possible in particular because the NetWitness tools are able to detect the download of obfuscated and encrypted malicious files within the perimeter of a corporate network. In addition, NetWitness highlights the fact that, once again, the detection rate of these malicious files by antivirus products was very low (only about 10% of the tested solutions were able to detect these files properly).

“Kneber”, the name given by NetWitness to this botnet, actually comes from the e-mail address used to register the first domains involved in the infection campaign (HilaryKneber@yahoo.com). A simple Google search on this address shows that it was used multiple times in 2009 to register “.cn” domains, but also to register the domain “24-hour-express-service.com”, a mule recruitment company. Mule recruitment is a usual tactic for miscreants to monetize online fraud: unsuspecting “employees” perform deposits, withdrawals and wire transfers to offshore accounts. See this article from the Cert-IST for more information on mule recruitment. In the present case, mules are recruited to wire the money stolen thanks to the network of zombie computers.

In a word, “Kneber” is a botnet made up of computers infected with the “ZeuS” bot. In other words, “ZeuS” was the tool used by the attacker to set up his own botnet.

What is “ZeuS” able to do?

The ZeuS crimeware toolkit has been around for some time and is well established in the underground economy as an easy-to-use and powerful tool for stealing personal data from infected systems. It is famous in particular for its ease of use, and Symantec even reports that it has become available for free on some underground forums. With this in mind, one easily understands why a botnet such as “Kneber” is nothing unique.

“ZeuS” was specifically designed to steal sensitive information from the infected systems. Unlike a traditional keylogger Trojan, which records every keystroke, “ZeuS” can specifically target the information the criminal wants. It does this through a number of means, but it is used primarily to do the following:

  • Capture data typed into web forms that are used for authentication to sensitive systems.
  • Inject specific additional input fields on the web forms that are displayed to the user in order to steal more information.
  • Parse out relevant portions of web URLs that may contain login credentials or session IDs.
  • Capture cookie information, which is often used to store credentials and session information for websites.
  • Access and copy credential information stored in a web browser’s “protected store”. These “protected stores” are where Microsoft Internet Explorer or Mozilla Firefox remember the login/password information that has to be entered on a given website. This is an optional feature supported by many web browsers.
  • ...

In addition to these targeted information stealing techniques, the malicious code installed on the infected computers is able to:

  • Search for and capture arbitrary files on the computer,
  • Allow full remote control capability on the victim host using the VNC protocol,
  • Download and run additional malicious programs,
  • Remotely destroy the infected computer by deleting key components of the operating system.

Infection and spreading mechanisms

“ZeuS” uses rather common attack vectors in order to infect new computers:

  • All kinds of social engineering techniques (e.g. spam e-mails whose goal is to entice the user into executing an attached file or clicking on a malicious link). Throughout October 2009, we were able to observe such a spam campaign: the messages received by users claimed that the configuration of the company’s mail server had changed and that the user had to update his mailbox settings by clicking on a link embedded in the mail body. The mails were particularly well written and were tailor-made so that the company’s domain name appeared in the URL of the malicious link.
  • Exploitation of vulnerabilities in the web browser: the victim’s computer is automatically infected when inadvertently browsing to a compromised website that serves exploit code (these automatic infections are often called “drive-by download” attacks).
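The tailor-made lure described above, with the company’s domain name embedded in the URL of a malicious link, is something a mail gateway or a user-awareness tool can check for mechanically. The following Python script is an added illustration, not code from the article: given the company’s real domain, it classifies each link according to whether the company name appears in the hostname or path while the registrable domain (or an IP address) actually belongs to someone else. The domain `example-corp.com`, the sample links and the two-label approximation of the registrable domain are assumptions; a production check would use the Public Suffix List.

```python
"""Classify links that borrow a trusted company's name.

Added illustration (not the article's code). COMPANY_DOMAIN, the sample
links and the two-label "registrable domain" rule are assumptions.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed: the company's legitimate domain.
COMPANY_DOMAIN = "example-corp.com"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'mail-update.cn'.

    Assumption: a two-label approximation. A production check should use
    the Public Suffix List so that names like 'example.co.uk' work.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the host part of the URL is a bare IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(url: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'legitimate', 'suspicious' or 'neutral' for one link.

    legitimate: the registrable domain is the company's own.
    suspicious: the company name appears in the URL, but the host is an
                IP literal or belongs to a different registrable domain.
    neutral:    the company name appears nowhere in the URL.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    company = company_domain.lower()
    company_name = company.split(".")[0]  # 'example-corp'

    if not host:
        return "suspicious"  # unparsable link
    if not is_ip_literal(host) and registrable_domain(host) == company:
        return "legitimate"
    if company_name in host or company_name in parsed.path.lower():
        return "suspicious"
    return "neutral"


def triage(urls, company_domain=COMPANY_DOMAIN):
    """Classify a batch of links; returns {url: verdict}."""
    return {u: classify_link(u, company_domain) for u in urls}


# Constructed sample links, modelled on the lure the article describes.
SAMPLE_LINKS = [
    "https://webmail.example-corp.com/settings",
    "http://example-corp.com.mail-update-2009.cn/settings",
    "http://mail-update-2009.cn/example-corp.com/mailbox",
    "http://203.0.113.5/example-corp.com/login",
    "https://www.example.org/news",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:11} {link}")
```

Running the script prints one verdict per sample link; the second, third and fourth links are flagged because the company name is only in a subdomain, in the path, or after a bare IP address.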

Once “ZeuS” is executed by an insufficiently suspicious user, it installs itself on the system and gets ready to receive commands from the “Command & Control” server (C&C) over the HTTP protocol.

It also performs the following actions:

  • The ZeuS bot downloads a configuration file from the command and control server, which directs the bot to capture the desired data.
  • Periodically, the bot uploads the information it captured to a “drop zone”. The location of this “drop zone” is retrieved by the bot from the previously mentioned configuration file.
  • It checks for updates at scheduled intervals. These updates can apply to both the bot binaries and the configuration files, which allows the botnet owner to change the configuration of the botnet at will.
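The behaviour in the three points above (download a configuration, upload to the drop zone, poll for updates on a schedule) is timer-driven, and that regularity is what gives defenders a handle on it in proxy logs. The following Python script is an added illustration, not code from the article or from NetWitness: it groups constructed proxy log lines by client and destination host and reports the pairs whose requests recur at near-constant intervals. The log format, the `.invalid` host name and the thresholds are assumptions.

```python
"""Spot timer-driven HTTP check-ins in proxy logs.

Added illustration (not the article's or NetWitness's code). SAMPLE_LOG is
constructed; the field layout and thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client> <method> <host> <path>".
# 10.0.0.21 polls the (made-up) C&C host every 30 minutes; 10.0.0.22 browses.
SAMPLE_LOG = """\
2010-02-18T09:00:03 10.0.0.21 GET cfg.example-cc.invalid /cfg.bin
2010-02-18T09:00:10 10.0.0.21 GET www.example.org /news
2010-02-18T09:30:02 10.0.0.21 GET cfg.example-cc.invalid /cfg.bin
2010-02-18T09:41:55 10.0.0.21 POST www.example.org /search
2010-02-18T10:00:04 10.0.0.21 GET cfg.example-cc.invalid /cfg.bin
2010-02-18T10:30:01 10.0.0.21 GET cfg.example-cc.invalid /cfg.bin
2010-02-18T11:00:03 10.0.0.21 GET cfg.example-cc.invalid /cfg.bin
2010-02-18T09:05:00 10.0.0.22 GET www.example.org /news
2010-02-18T10:17:00 10.0.0.22 GET www.example.org /news
2010-02-18T14:02:00 10.0.0.22 GET www.example.org /news
2010-02-18T15:59:00 10.0.0.22 GET www.example.org /news
2010-02-18T16:20:00 10.0.0.22 GET www.example.org /news
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, path) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = line.split()
        yield datetime.fromisoformat(ts), client, method, host, path


def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return {(client, host): (mean_interval_s, cv)} for regular check-ins.

    A (client, host) pair is reported when it has at least `min_hits`
    requests and the coefficient of variation (population stdev / mean) of
    the inter-request gaps is at most `max_cv`. Human browsing is bursty
    and fails the test; a timer-driven bot passes it.
    """
    by_pair = defaultdict(list)
    for ts, client, _method, host, _path in parse_log(text):
        by_pair[(client, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[pair] = (mean, cv)
    return beacons


if __name__ == "__main__":
    for (client, host), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {mean / 60:.1f} min (cv={cv:.3f})")
```

On the sample, only the pair 10.0.0.21 -> cfg.example-cc.invalid is reported (a 30-minute period with a few seconds of jitter). In a real deployment the thresholds should be tuned per environment, since software update checks and monitoring agents also beacon; the point is to surface candidates for analyst review, not to block automatically.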

The “ZeuS” Trojan also uses common malware techniques in order to maximize the amount of time it persists on a system. These techniques include:

  • Adding various keys to the Windows registry in order to survive system reboots (the bot is run each time Windows restarts).
  • Using rootkit technology to hide the malware files and captured data.
  • Injecting into running processes to mask traffic and bypass host firewalls.

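Of the three persistence techniques above, the registry autostart entries are the easiest to audit from outside a live system. The following Python script is an added illustration, not code from the article: it parses a registry export in regedit’s `.reg` text format and flags autostart entries that point at binaries in user-writable directories, whose value name does not match the program they launch, or that have been appended to the Winlogon `Userinit` value. The key list, the heuristics and the export itself are constructed assumptions; the article names no specific keys.

```python
"""Audit Windows autostart entries from a regedit .reg export.

Added illustration, not code from the Cert-IST article. The key list and
heuristics are assumptions, and SAMPLE_REG is a constructed export.
"""
import re
from pathlib import PureWindowsPath

# Common autostart locations (assumed; the article names no specific keys).
AUTOSTART_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
}

# Path fragments that mark directories a non-admin user can write to.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\temp\\", "\\tmp\\")

# Constructed .reg export; every entry below is made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Example Vendor\\updater.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SyncClient"="\"C:\\Program Files\\SyncClient\\SyncClient.exe\" /background"
"Windows Host Service"="C:\\Users\\alice\\AppData\\Roaming\\Qxwz\\qxwz.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\Qxwz\\qxwz.exe,"

[HKEY_CURRENT_USER\Software\ExampleApp]
"LastRun"=dword:0000002a
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|bat|cmd|scr|com))(?:\s|$)", re.IGNORECASE)


def unescape(s: str) -> str:
    # Undo .reg string escaping: doubled backslashes and escaped quotes.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, string_data) for every REG_SZ value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if not (len(data) >= 2 and data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values carry no command line
        yield key, unescape(name), unescape(data[1:-1])


def executables(command: str):
    """Extract program paths from a command line: a quoted path, a path
    followed by arguments, or the comma-separated list Userinit uses."""
    paths = []
    for part in command.split(","):
        part = part.strip()
        if not part:
            continue
        if part.startswith('"'):
            end = part.find('"', 1)
            paths.append(part[1:end] if end > 0 else part[1:])
            continue
        m = EXE_RE.match(part)
        paths.append(m.group(1) if m else part.split()[0])
    return paths


def audit(reg_text):
    """Return [(key, value_name, exe_path, [reasons])] for suspicious entries."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for exe in executables(data):
            stem = PureWindowsPath(exe).stem.lower()
            reasons = []
            if any(frag in exe.lower() for frag in USER_WRITABLE):
                reasons.append("runs from a user-writable directory")
            if stem not in name.lower() and name.lower() not in stem:
                reasons.append("value name does not match the program name")
            if key.lower().endswith("winlogon") and name.lower() == "userinit" and stem != "userinit":
                reasons.append("extra program appended to Userinit")
            if reasons:
                findings.append((key, name, exe, reasons))
    return findings


if __name__ == "__main__":
    for key, name, exe, reasons in audit(SAMPLE_REG):
        print(f"{key}\\{name} -> {exe}\n    " + "; ".join(reasons))
```

On the constructed export, the two legitimate entries pass and the two that launch `qxwz.exe` from the user’s profile are reported, the second one additionally because it was appended to `Userinit`. These are triage heuristics: per-user applications legitimately live under the profile directory, so a hit means “look closer”, not “malicious”.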
A possible connection with the “Waledac” botnet?

One of the most interesting observations reported in the NetWitness study is that more than 50% of the computers involved in the “Kneber” botnet were also infected with other malware, in particular with “Waledac” bots. “Waledac” is a peer-to-peer spamming botnet that is often used as a delivery mechanism for additional malware. This discovery raises the possibility that Kneber actually implemented two distinct communication mechanisms: peer-to-peer via Waledac bots and a regular C&C via “ZeuS” bots. While it is not uncommon for compromised hosts to carry multiple strains of malware, the significant amount of “Waledac” network traffic seen in the data captured by NetWitness suggests that the coexistence of “ZeuS” and “Waledac” on the infected computers is probably not accidental. Two separate communication channels can certainly provide fault tolerance and recoverability to the botnet, and better resistance to take-down attempts by law enforcement. For instance, if one of the C&C structures is taken down, the other channel could simply send a new configuration file to all the bots to notify them that the IP addresses of the C&C server have changed.

Is there any specific target?

Attributing this activity to a single individual or group of individuals is exceptionally difficult without global, worldwide cooperation, and NetWitness does not venture to identify such a group. A significant part of the bots involved in the “Kneber” business were computers located in China, but that is nearly all we can know for certain.

It is also very difficult to determine whether particular countries or companies were targeted by the botnet. In fact, the bot distribution is rather global: 2,411 companies and organizations from all activity sectors in 196 different countries were affected.

However, a recent spam campaign distributing “ZeuS” in the U.S. was found to specifically target government (.gov) and military (.mil) entities, which clearly shows the trend towards more and more targeted attacks (the mails appeared to come from the NSA and discussed precise, ongoing American government projects).

Finally, the NetWitness study is very interesting when it comes to identifying the kinds of stolen data. Curiously, while the “ZeuS” Trojan is well known for being specifically designed as a banking information stealer, NetWitness noticed that banking information did not make up the majority of the stolen data. Most of the data found were actually credentials for social networks and webmail sites. This shows that the developers of the “ZeuS” system keep their code evolving and have a deep understanding of the way people use the Internet. Social networks are among the most popular and most visited websites on the Internet. As a consequence, even if stealing banking information may quickly generate financial gains for the miscreants, stealing logon credentials for social networks and e-mail gives them the ability to carry out a large set of additional attacks. This personal information is pivotal for stealing identities and crafting very well targeted and convincing criminal and, why not, espionage campaigns:

  • On the one hand, social networks give the attacker the ability to send messages to the victim’s friends. These friends will of course trust the compromised account and are more likely to click on phishing and other exploit messages sent from it.
  • On the other hand, compromising mail accounts gives the attackers the ability to send phishing e-mails, to reset the passwords of other accounts belonging to the victim (the verification performed for this kind of procedure is often done by sending a confirmation e-mail), or to compromise other potentially sensitive accounts (the credentials used to log in to corporate networks or sensitive websites are unfortunately often the same as those used for personal accounts).