Barrier1 and Kneber/Zeus Botnet
Kneber Botnet
Zeus Botnet Origins
Kneber recently infected more than 70,000 computers worldwide. To top it off, it infested large organizations that claim to use the latest and greatest. Some of the companies reported to have been hit are Juniper Networks, Amazon Elastic Computing Cloud, and even the Swiss phone company Telia Sonera.
Kneber is a spin-off of the Zeus Botnet. They are prime examples of a truly blended threat. These bots strategically gather information by operating underneath the multiple thresholds that would expose them. They gather pieces of information slowly and in short bursts so as not to trip one of the 1,000s of filters. Then they send the gathered information slowly back to their controller and wait for the specific command that launches the attack. The attack itself flies under the radar screen of the filters. Then add a little social engineering to drive individuals to a web site where a virus is sitting in wait in the hidden fields.
First, the reconnaissance mission is to detect HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE\SOFTWARE, then the HKEY_LOCAL_MACHINE registry path. Once the information is gathered, a kill command can be sent. When it receives the kill command, it overwrites the virtual memory of Windows with zeros. At that point the OS is inoperable.
Part of this Botnet attack includes tricking individuals into visiting a web site. In some of the phishing scams an email claiming to be from Facebook arrives in your inbox. It asks you to do something: go to a certain web site, update your account, etc. Once you arrive at the site, a virus that has been lying on the web site in a hidden field is downloaded to your PC.
Barrier1 has stopped this Botnet, but it does take inspection of all 7 layers of the OSI model. That means a full proxy-based Web Application Firewall. The second component needed is intelligence. By gathering information about the various reconnaissance activities, Barrier1 learns from the various inspection points. Intelligence, or network behavioral analysis, along with the complete inspection points is the only way these botnets will be stopped.
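An added illustration of the behavioral aggregation the post argues for (example code, not Barrier1's product and not the botnet's code): every outbound transfer from the infected host stays under a per-request size filter, but summing bytes per source/destination pair over a one-hour window exposes the low-and-slow exfiltration. The log lines, addresses and thresholds below are constructed for the example.

```python
# Added example, not Barrier1 code: behavioral aggregation over constructed proxy log lines.
# Each transfer is tiny and passes a per-request size filter; the per-destination total across
# the window is what exposes the "slowly and in short bursts" behavior described above.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp src dst bytes_out" (not real traffic).
SAMPLE_LOG = """\
2010-02-01T09:00:05 10.0.0.5 203.0.113.9 410
2010-02-01T09:07:12 10.0.0.5 203.0.113.9 380
2010-02-01T09:15:40 10.0.0.5 203.0.113.9 455
2010-02-01T09:22:03 10.0.0.5 203.0.113.9 390
2010-02-01T09:31:19 10.0.0.5 203.0.113.9 420
2010-02-01T09:02:00 10.0.0.7 198.51.100.20 1200
2010-02-01T09:40:00 10.0.0.5 203.0.113.9 445
"""

PER_EVENT_LIMIT = 1000      # a naive size filter only flags single transfers above this
WINDOW = timedelta(hours=1)  # sliding window for the behavioral aggregate
AGGREGATE_LIMIT = 2000       # bytes per (src, dst) per window that raise an alert

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events

def naive_filter_hits(events):
    """Per-event size filter: the threshold the bot is designed to stay under."""
    return [e for e in events if e[3] > PER_EVENT_LIMIT]

def low_and_slow_alerts(events):
    """Sum bytes per (src, dst) inside a sliding WINDOW and report the peak
    aggregate for every pair that crosses AGGREGATE_LIMIT."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(events):
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = {}
    for pair, items in by_pair.items():
        start, total = 0, 0
        for ts, nbytes in items:
            total += nbytes
            while ts - items[start][0] > WINDOW:   # evict events older than the window
                total -= items[start][1]
                start += 1
            if total > AGGREGATE_LIMIT:
                alerts[pair] = max(alerts.get(pair, 0), total)
    return alerts
```

The naive filter flags only the single 1200-byte transfer from 10.0.0.7, while the aggregate catches 10.0.0.5, whose six sub-kilobyte transfers never individually cross the filter.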
Barrier1
Mpls., Minn.
2-10