“Kneber” = Zeus
Recently, Symantec observed some high-profile coverage of a threat being reported as a new type of computer virus known as “Kneber.” In reality Kneber is simply a pseudonym for the Zeus Trojan/botnet. The name Kneber refers to a particular group, or herd, of zombie computers (a.k.a. bots) being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot that also goes by the name Zeus, which has been observed, analyzed, and protected against for some time now.
Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strains, such as Kneber, of the overall Zeus botnet. Though it is true that this Kneber strain of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, Symantec customers with up-to-date security software should already be protected from this threat.
Symantec detects the Zeus Trojan, otherwise known as Trojan.Zbot, as the following:
• HTTP Trojan Zbot Domain (IPS)
• HTTP Zbot Malicious File Download (IPS)
Check out the blog post Zeus, King of the Underground Crimeware Toolkits on Symantec’s Security Response blog to get a better feel for how an attacker can use the Zeus toolkit to create their very own string of the overall botnet. Also, Symantec has an extensive analysis of the Zeus botnet in the previously published whitepaper entitled Zeus: King of the Bots.
Symantec has also observed cybercriminals seeking to exploit computer users’ fears—spurred by all of the coverage that this threat is receiving—by poisoning search engine results for keywords such as “Kneber Botnet Removal.” In fact, when analyzed by Symantec, the highest ranked result on Google using these search terms led to a site hosting rogue antivirus software. Here’s a screenshot of the scareware in action: