Endpoint Protection


Kneber Botnet

  • 1.  Kneber Botnet

    Posted Feb 18, 2010 09:59 AM
    Does anyone know if SEP protects us from the Kneber botnet?  We are looking at articles online like this http://www.msnbc.msn.com/id/35456838/ns/technology_and_science-security/from/ET
    Yesterday Websense picked up quite a few hits on botnets, which were blocked, so these gave us a little cause for alarm.



  • 2.  RE: Kneber Botnet

    Posted Feb 18, 2010 10:13 AM
    Looks interesting. Would like to hear about this from Symantec.


    "Conventional malware protection and signature-based intrusion detection systems are, by definition, inadequate for addressing Kneber or most other advanced threat"
    http://blog.taragana.com/index.php/archive/kneber-botnet-virus-attack-compromises-75000-computers/



  • 3.  RE: Kneber Botnet

    Posted Feb 18, 2010 11:12 AM
    Yeah, like the fake AV apps, these things get invited in and often are not caught by "signatures".
    (another reason I'd like to see Symantec move MORE to heuristics)

    I suspect that since these are old news items, Symantec covers for these already. This is stuff dating back months if not years and has finally gotten the attention of a new editor who was having a slow news day........
    Check the dates on these and how long these have been going on. The crook was caught, but the threats have been out there a long time.
    Only the catching of the bad guys is new news, IMO.


  • 4.  RE: Kneber Botnet

    Posted Feb 18, 2010 11:15 AM
    I would be interested in hearing from Symantec as well.


  • 5.  RE: Kneber Botnet

    Posted Feb 18, 2010 11:26 AM

    Most of the articles I am finding are dated today and say it was discovered in January. I did see one, though, that says what Shadowspapa said, that it has been around for over a year. Hoping to get a comment from Symantec on this one. I am concerned since my webfilter saw a spike in sites in the botnet category yesterday and today. We are blocking the sites, but it still does cause a concern. The bulk of the blocks are all on the same IP address, and doing some research, it looks like it is a company that does targeted marketing.



  • 6.  RE: Kneber Botnet

    Posted Feb 18, 2010 11:36 AM
    It's my understanding from a tech article I read that the bots used have been around and on computers for some time - OVER a year, just the extent and operation were recently discovered.

    These don't go out overnight and get organized in a week or two. Not as huge as this was, it took some time to get that many computers set up and communicating to their 20 servers.
    The bots or software need to be installed over time, and the thing organized and how many companies hit? This has been going on for a while.............
    It was begun in late 2008 and DISCOVERED last month according to my info.
    And as always, the news media is reporting it NOW, even though it started in 2008 and was discovered 3 weeks ago............
    Where were they in January? Only the WSJ reported it back then when they discovered the intrusion.

    (WAPO also has a decent article on it)


  • 7.  RE: Kneber Botnet

    Posted Feb 18, 2010 12:58 PM
    I will agree that it has been around for a while, but since it was just discovered recently, does Symantec detect it is the important question. Would like to hear from Symantec and find out if I need to be worried about this.


  • 8.  RE: Kneber Botnet

    Posted Feb 18, 2010 01:11 PM
     My question is:
    What vector does this virus use?
    If it's phishing, we'd be better off focusing also on corporate email behavior policy.
    But yes, I am also concerned if SEP cannot detect it.





  • 9.  RE: Kneber Botnet
    Best Answer

    Posted Feb 18, 2010 02:03 PM
    There has been some recent high profile coverage of an online threat being referred to as “Kneber.” Some news coverage Symantec has observed has put forth that this is a new type of malware, which is simply not the case.

    Kneber, in reality, is not a new threat at all, but is simply a pseudonym for the infamous and well-known Zeus Trojan. The name Kneber simply refers to a particular group, or herd, of zombie computers, a.k.a. bots, being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot, which also goes by the name Zeus, which has been being observed, analyzed and protected against for some time now.

    Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strings, such as Kneber, of the overall Zeus botnet.

    Though it is true that this Kneber string of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, computer users with up-to-date security software should already be protected from this threat.

    The following signatures are providing protection from Zeus:

    • Trojan.Zbot
    • Trojan.Zbot!gen
    • Trojan.Zbot!gen1
    • Trojan.Zbot!gen2
    • Trojan.Zbot!gen3
    • Trojan.Zbot!gen4
    • Trojan.Zbot!gen5
    • HTTP Trojan Zbot Domain (IPS)
    • HTTP Zbot Malicious File Download (IPS)

     

    In depth information on Zeus is available here:  http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf

    and here: 

    http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits

    Kevin




  • 10.  RE: Kneber Botnet

    Posted Feb 18, 2010 02:12 PM
    Why am I not surprised. Gotta love the media........
    Good chance most of those "infected" were not protected, or using freeware, or incorrectly configured, or used by folks who have no clue..... or managed by similar folks.............


  • 11.  RE: Kneber Botnet

    Posted Feb 18, 2010 03:12 PM
    "Good chance most of those "infected" were not protected, or using freeware, or incorrectly configured, or used by folks who have no clue..... or managed by similar folks............."

    or most, if not all, of the above.


  • 12.  RE: Kneber Botnet

    Posted Feb 18, 2010 03:25 PM
    Symantec also tweeted this officially on Twitter as well:

    "Kneber bot does not involve any new malicious threats and is nothing more than the Zeus bot http://bit.ly/dBVqOt "

    http://twitter.com/symantec




  • 13.  RE: Kneber Botnet

    Posted Feb 18, 2010 04:34 PM
    Thanks everyone for all the information. Was hoping Symantec just had a different name for it, but with all the botnet alerts I got from the webfilter yesterday, seeing the hype in the media did cause some warning flags to go up.