Kneber for sale or rent (rooms to let 50 cents)*

I realise I might be getting a reputation as the infosec curmudgeon, always ready with a bucket of cold water when the occasion demands, but once again I feel moved to write about hype.

“Seemingly there is no reason for these extraordinary intergalactical upsets. Only Dr Hans Zarkov formerly at NASA has provided any explanation”*

Stories in the press recently have been aghast at the scale of a “new” botnet called Kneber. According to a report from NetWitness, one particular botnet that uses the ZeuS crimeware has successfully infiltrated thousands of corporations and tens of thousands of computers. This is of course terrible news for the companies affected, and certainly many corporate security lessons can be learned from experiences such as this.


What is important to point out, though, is that there is nothing at all “new” or “unprecedented” about a botnet using ZeuS, or about a botnet of this size. ZeuS (or ZBot) has been around since at least 2007. In the online underground ZeuS is the equivalent of commodity crimeware: it is openly traded in online forums, both as a software product and as preinfected botnets. Increasingly, providers are finding that they must bundle services with their criminal offering, or Crimeware as a Service.


Screen shot from underground forum



Older versions of the software are downloadable free of charge, though these are often backdoored by other criminals. There is no honour among thieves. In fact, botnets are in such plentiful supply that the price of preinfected machines is surprisingly low.

Screen shot from underground forum

175 thousand bots for sale... globally.


Of course if you don’t have the means or the desire to run your own botnet, you can always simply buy the output…

I'm a lumberjack and I'm OK. Logs for sale.


A quick look at ZeuS Tracker shows they are tracking almost 1300 command & control servers for various ZeuS botnets, of which about half are online right now. They show the average binary detection rate (how well antivirus products detect the malware using pattern files or signatures) is as low as 49.62%, which goes some way towards explaining the successful infection rate.

It is widely known that malware writers and other criminals have already worked out how to overcome traditional anti-malware protection that relies on pattern or signature updates. They simply roll their code as often as possible; by some estimates we are currently seeing a unique malicious binary every 1.5 seconds.

So here’s corporate security lesson number one from this recent publicity…

Make sure your anti-malware solution is not relying simply on the infection layer (“what the file looks like”); make sure that it is also investigating the exposure layer (“where the file comes from and who the file reports back to”). If ZeuS Tracker knows where the bad guy servers are, so should every one of your endpoints. At that point, what the actual binary looks like becomes a secondary issue.
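The exposure-layer check this lesson describes, as an added example that is not part of the original post or of any vendor product: a small Python script that takes a ZeuS Tracker style list of C&C domains and networks and runs it over proxy log lines to find the endpoints that are phoning home, alongside a plain hash lookup standing in for the infection layer. The feed entries, the file hashes and the log lines are all constructed (reserved `.invalid` hostnames and RFC 5737 documentation addresses), and the `<ts> <client_ip> <method> <url> <dest_ip> <status>` log format is an assumption, not any particular proxy's format.

```python
"""
Added example (not from the original post): an exposure-layer check that
flags endpoints talking to known ZeuS-style command & control servers,
regardless of whether the binary on the endpoint matched a signature.
All hostnames, IPs, hashes and log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# --- Constructed threat feed (stand-in for a ZeuS Tracker style list) ----
# Hostnames use the reserved .invalid TLD and the IP range is an RFC 5737
# documentation block, so nothing here points at a real server.
CC_DOMAINS = {"cc-example.invalid"}
CC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# --- Constructed signature set (infection layer) -------------------------
# Only one build of the dropper is "known"; the criminal rolls a new build,
# the hash changes, and this lookup goes quiet.
KNOWN_BAD_SHA256 = {"0" * 64}

# Constructed proxy log, assumed format:
#   "<ts> <client_ip> <method> <url> <dest_ip> <status>"
SAMPLE_PROXY_LOG = """\
2010-02-18T10:03:11Z 10.0.0.12 GET http://www.example.com/index.html 192.0.2.10 200
2010-02-18T10:03:40Z 10.0.0.12 POST http://gate.cc-example.invalid/gate.php 198.51.100.23 200
2010-02-18T10:04:02Z 10.0.0.31 GET http://static.example.net/logo.png 192.0.2.44 200
2010-02-18T10:05:17Z 10.0.0.31 GET http://198.51.100.77/config.bin 198.51.100.77 200
2010-02-18T10:05:59Z 10.0.0.50 GET http://update.cc-example.invalid/cfg.bin 203.0.113.9 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<dest_ip>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    url: str
    reason: str


def domain_is_listed(host: str) -> bool:
    """True if the host or any parent domain is on the C&C domain list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in CC_DOMAINS for i in range(len(labels)))


def ip_is_listed(ip: str) -> bool:
    """True if the destination IP falls inside a listed C&C network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CC_NETWORKS)


def infection_layer_hit(sha256: str) -> bool:
    """Signature-style check: does the file hash match a known-bad sample?"""
    return sha256.lower() in KNOWN_BAD_SHA256


def scan_proxy_log(text: str) -> list[Alert]:
    """Exposure-layer check: flag every request to a listed host or IP.

    Both the URL host and the destination IP are checked, so a C&C reached
    by raw IP (no hostname) is still caught, and a listed hostname is caught
    even when it currently resolves to an unlisted IP.
    """
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        host = urlsplit(m["url"]).hostname or ""
        if domain_is_listed(host):
            alerts.append(Alert(m["ts"], m["client"], m["url"],
                                f"domain {host} on C&C list"))
        elif ip_is_listed(m["dest_ip"]):
            alerts.append(Alert(m["ts"], m["client"], m["url"],
                                f"destination {m['dest_ip']} in C&C network"))
    return alerts


def infected_clients(text: str) -> set[str]:
    """Endpoints to isolate and clean, keyed by client IP."""
    return {a.client for a in scan_proxy_log(text)}


if __name__ == "__main__":
    # A freshly repacked dropper: its hash is unknown to the signature set...
    repacked = "f" * 64
    print("infection layer caught repacked build:", infection_layer_hit(repacked))
    # ...but its phone-home traffic is plainly visible in the proxy log.
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{a.ts} {a.client} -> {a.url}: {a.reason}")
    print("hosts to isolate:", sorted(infected_clients(SAMPLE_PROXY_LOG)))
```

The repacked-binary case is the gap the post describes: the hash lookup misses the new build, while the proxy log still shows three endpoints beaconing. Matching on parent domain catches any subdomain of a listed C&C name, and matching on network catches the sample that reaches its server by raw IP with no hostname at all.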

By the way, here is a free tool to check if you are a part of a bot network.

* With apologies to Roger Miller and Queen

4 thoughts on “Kneber for sale or rent (rooms to let 50 cents)*”

Rik Ferguson (post author):

Hi Tim,

Thanks for the comment, that’s exactly the point I am making: it is relatively trivial for a criminal to test their malicious binaries until they are no longer detected, by any vendor, before release. In fact there are criminal services that do this on an automated basis. Obviously once infected most “good” malware will blackhole security vendor sites. That is why it is important that serious anti-malware products do not simply focus on the file content but look at other vectors as well such as download sources, email sources and phone home activity. Pattern-based detection offers baseline protection, at best.

This rolls over into a bigger discussion around testing methodologies for security products. If you take a big pool of sample files and run each product against them, this no longer (with advanced solutions like OfficeScan) gives you any idea at all about whether or not you would have been protected by that vendor. Would you have received the malicious email that contained the malicious link or file, or would it have been blocked? If you had clicked the malicious link, would you have been allowed to access the site or would it have been blocked? If you did get infected, would the bot have been able to phone home to process updates or send all the stolen data out? These are challenges that need to be addressed in the exposure layer, NOT just in the infection layer.


