
Kneber Takes The ZBOT/ZeuS Stage

Description: TrendLabs examines Kneber's relationship to ZBOT and ZeuS.

Web Threat Spotlight

A Web threat is any threat that uses the Internet to facilitate cybercrime.

ISSUE NO. 58 MARCH 1, 2010

Kneber Takes the ZBOT/ZeuS Stage

Much to the security experts’ chagrin, Kneber quickly rose to botnet fame in the past few weeks. There was a lot of talk and speculation about the “new” botnet in town, with people clamoring for more information on what seemed to be the malware of the moment. In the end, however, its true identity was revealed—Kneber proved to be not an entirely new botnet but merely a specific ZBOT/ZeuS compromise. In other words, it was merely playing a small part in the already carefully scripted and full-scale production that is ZeuS.

The Threat Defined

ZeuS: A Bot by Any Other Name

This threat goes by different names—ZBOT, WSNPOEM, PRG, TROJ_AGENT, and, more recently, Kneber. At the end of the day, though, ZeuS remains what may be the most pernicious botnet today. Despite the apparent novelty of the Kneber botnet, ZeuS has in reality been seen in the wild as early as 2005. Its earliest notable use was in 2008, when it was introduced by the equally infamous Rock Phish Gang, who are known for their easy-to-use phishing kits. What was then considered an important development in phishing tactics proved to be just a turning point in ZeuS' plot. By planting spyware onto users’ systems, cybercriminals made information theft a whole lot easier. The rest, as they say, is history.

Since 2007, Trend Micro has been monitoring the ZeuS botnet and ZBOT variants. To date, we have created more than 2,000 ZBOT detections, and the number continues to grow every day. From the outset, ZBOT Trojans became known as bank-related data stealers; some were even found to use fast-flux botnets, particularly Avalanche, to spread. Earlier variants also led to ZBOT attacks that did not target specific companies. Instead, they were typically deployed via spammed messages that purported to come from legitimate companies. Using a variety of schemes—from digital certificates to bogus balance checker tools and fake Facebook login pages—ZBOT’s primary goal remained the same: stealing online bank account information. This somewhat random tactic has been working well so far, but ZBOT perpetrators are not resting on their laurels, as they continue to come up with bigger and better schemes as time goes by.

A Work in Progress

If there is anything that has remained constant with ZBOT, it has got to be the consistent enhancements its perpetrators have been making to it over time. The persistence of the cybercriminals behind ZeuS is apparent in the many improvements that ZBOT variants have undergone since its public debut. The fact that the Kneber botnet recently hit 75,000 systems in one blow proves that the minds behind ZBOT have no plans to take a curtain call anytime soon.

ZBOT variants usually arrive as compressed files, which makes code analysis and tracing more difficult. Over time, they have used increasingly complex packers. Their list of targeted entities and monitored sites has likewise grown substantially. In the past, a good majority of the companies on their list were banks. Today, social-networking sites such as Facebook, MySpace, and Orkut have also been consistently making the cut, along with e-commerce sites like eBay, as evidenced by variants such as TSPY_ZBOT.ILA, TSPY_ZBOT.ILB, and TSPY_ZBOT.ILC.

Figure 1. A typical ZBOT infection diagram

Recent spam runs also showed an increasing diversity in targets. Two notable samples indicate that spammers are becoming bolder and are stepping up to the challenge of finding new ways to top the malware charts: spammed messages supposedly from various companies' IT support personnel, which used the actual companies’ domain names in the addresses in both the From and To fields, and spammed messages supposedly from the National Intelligence Council (NIC), which primarily targeted people and organizations with .gov and .mil email addresses. To a certain extent, ZBOT is becoming more selective with its audience.
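One defensive check for the first lure described above, added here as an example that is not part of the original report: flag a message whose From address claims the recipient's own domain while the sending host failed SPF. The domains, header values and three sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not taken from the report). The first mimics the
# "IT support from our own domain" lure: From and To share the company domain,
# but the message did not come from the company's mail infrastructure.
SPOOFED_IT_SUPPORT = """\
From: IT Support <it-support@example-corp.com>
To: jane.doe@example-corp.com
Subject: Mandatory security update for your workstation
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com

Please install the attached update.
"""

LEGIT_INTERNAL = """\
From: Helpdesk <helpdesk@example-corp.com>
To: jane.doe@example-corp.com
Subject: Ticket closed
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com

Your ticket has been resolved.
"""

EXTERNAL_NEWSLETTER = """\
From: News <news@other-example.net>
To: jane.doe@example-corp.com
Subject: Monthly digest
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=other-example.net

Here is this month's digest.
"""

def _domain(addr_header):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def _spf_result(msg):
    """Extract the spf= verdict from Authentication-Results (assumed to be stamped
    by our own MX). Missing verdict is treated as 'none', i.e. not a pass."""
    for hdr in msg.get_all("Authentication-Results", []):
        for token in hdr.replace(";", " ").split():
            if token.lower().startswith("spf="):
                return token[4:].lower()
    return "none"

def is_same_domain_spoof(raw_message):
    """True when From claims the recipient's own domain but SPF did not pass."""
    msg = email.message_from_string(raw_message)
    from_dom, to_dom = _domain(msg["From"]), _domain(msg["To"])
    return bool(from_dom) and from_dom == to_dom and _spf_result(msg) != "pass"
```

A mail gateway would run this after its own SPF evaluation; a message with no Authentication-Results header is deliberately treated as suspicious rather than trusted.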

Kneber’s Five Minutes of Fame

While it has been established that Kneber is no different from the ZeuS botnet that compromised some 100 million IP addresses, there remain questions regarding its true nature such as "Where did the term 'Kneber' come from?" As mentioned in an FAQ page, the name was derived from the email address (HilaryKneber[at]yahoo.com) that figured in this specific ZBOT campaign. What was more notable about the email address, however, was its involvement in a money-mule scam and in several domains that serve as malware vectors. This further proved that Kneber is not a newbie in this long-running crimeware episode.

Figure 2. A tailor-made ZBOT spam

While Kneber does not exactly bring anything new to the ZBOT/ZeuS story, its stint in the limelight serves as a critical reminder that the data-stealing malware is alive and well. As mentioned in Trend Micro's The Future of Threats and Threat Technologies: How the Landscape Is Changing report, bots cannot be stopped—at least, not in the foreseeable future. Likewise, cybercrimes will persist, as the underground economy continues to thrive and attract even more criminals.

User Risks and Exposure

As mentioned earlier, cybercriminals generate a list of bank, financial institution, social-networking, and e-commerce sites from which they try to steal sensitive online banking-related information such as user names and passwords. ZBOT variants then monitor users' browsing activities (both HTTP and HTTPS) using window titles or address bar URLs as attack triggers. This routine risks exposing users' account information, which may then lead to their unauthorized use. They can also be used in money-mule scams. Users should thus note that when it comes to ZBOT, information is "gold."

Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.

In this attack, Smart Protection Network™’s email reputation service blocks all related spammed messages from getting into users’ inboxes. Its Web reputation service prevents user access to identified malicious domains and subdomains, including the two URLs ZBOT typically uses to download binary updates or payloads and configuration files. Finally, file reputation service detects and consequently removes malicious files related to all known ZBOT variants.

The following posts at the TrendLabs Malware Blog discuss this threat:

http://blog.trendmicro.com/rock-phishers-up-the-ante-with-more-digital-certificates/
http://blog.trendmicro.com/phishing-in-the-guise-of-enhancing-security/
http://blog.trendmicro.com/bogus-balance-checker-tool-carries-malware/
http://blog.trendmicro.com/are-you-being-facebook-phished/
http://blog.trendmicro.com/zbot-spam-campaign-continues/
http://blog.trendmicro.com/zbot-variant-spoofs-the-nic-to-spam-other-government-agencies/

The virus reports are found here:

http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.ILA
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.ILB
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.ILC

Other related posts are found here:

http://about-threats.trendmicro.com/VINFO/RelatedThreats.aspx?id=16&language=en&name=The%20ZeuS,%20ZBOT,%20and%20Kneber%20Connection&tab=malware
http://www.networkworld.com/news/2009/102309-avalanche-phishing.html?hpg1=bn
http://www.pcworld.com/article/189717/kneber_botnet_attacks_pcs_worldwide_faq.html
http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/wp03_ghosts_090930us__2_.pdf
http://blogs.zdnet.com/security/?p=5508
http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html
http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/trend_micro_2010_future_threat_report_final.pdf
