
“Kneber” = Zeus

Created: 18 Feb 2010 20:57:54 GMT • Updated: 23 Jan 2014 18:29:29 GMT
khaley's picture

Recently, Symantec observed some high-profile coverage of a threat being reported as a new type of computer virus known as “Kneber.” In reality Kneber is simply a pseudonym for the Zeus Trojan/botnet. The name Kneber refers to a particular group, or herd, of zombie computers (a.k.a. bots) being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot that also goes by the name Zeus, which has been observed, analyzed, and protected against for some time now.
 
Since Zeus/Zbot toolkits are widely available in the underground economy, it is not uncommon for attackers to create new strains, such as Kneber, of the overall Zeus botnet. Though it is true that this Kneber strain of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, Symantec customers with up-to-date security software should already be protected from this threat.
 
Symantec detects the Zeus Trojan, otherwise known as Trojan.Zbot, as the following:
 
•    Trojan.Zbot
•    Trojan.Zbot!gen
•    Trojan.Zbot!gen1
•    Trojan.Zbot!gen2
•    Trojan.Zbot!gen3
•    Trojan.Zbot!gen4
•    Trojan.Zbot!gen5
•    HTTP Trojan Zbot Domain (IPS)
•    HTTP Zbot Malicious File Download (IPS)

Check out the blog post “Zeus, King of the Underground Crimeware Toolkits” on Symantec’s Security Response blog to get a better feel for how an attacker can use the Zeus toolkit to create their very own strain of the overall botnet. Also, Symantec has an extensive analysis of the Zeus botnet in the previously published whitepaper entitled “Zeus: King of the Bots.”

Symantec has also observed cybercriminals seeking to exploit computer users’ fears—spurred by all of the coverage that this threat is receiving—by poisoning search engine results for keywords such as “Kneber Botnet Removal.” In fact, when analyzed by Symantec, the highest ranked result on Google using these search terms led to a site hosting rogue antivirus software. Here’s a screenshot of the scareware in action:

[Image: fakeav_sml.JPG, screenshot of the rogue antivirus scareware]