Select Page

Security blogger Brian Krebs on Friday wrote a column on the spreading infections from the Kneber botnet, which apparently caught a lot of peoples’ eyes. The question has come up “does VIPRE protect me against Kneber?”

Kneber is simply a name that Netwitness gave to a variant of Zbot (also called Zeus.) It is not new. Our detections for some of the earliest variants date back to late 2006.

VIPRE detections for Zbot/Zeus/Kneber have been in place for some time. They actually are very good detections — among the top in the AV industry.

Krebs column here.

Update 02/22:

The DaniWeb site is carrying a story on this that suggests where the name “Kneber” came from:

“The reason some folks have nicknamed it Kneber is that the malware domains involved in this particular branch of the Zeus botnet have “Hilary Kneber” listed as the domain registrant. Of course, Hilary Kneber is likely a completely made-up name” comments Mary Landesman, senior security researcher at ScanSafe.

DaniWeb story here.

Update 02/22 12 p.m. EST

Here are some more good details about the Kneber/Zbot/Zeus history from Dancho Danchev on ZDNet:

01. Why the name Kneber botnet?

The name Kneber comes from the email used to register the initial domain, used in the campaign – HilaryKneber@yahoo.com. What’s particularly interesting about this email, is the fact that it was also profiled in December, 2009’s “Celebrity-Themed Scareware Campaign Abusing DocStoc” analysis, linking it to money-mule recruitment campaigns back then.

02. My time is precious. In short, what is the Kneber botnet at the bottom line?

It’s a mini Zeus crimeware botnet, one of the most prevalent malicious software that successfully undermining two-factor authentication on the infected hosts (Report: 48% of 22 million scanned computers infected with malware), and is slipping through signatures-based antivirus detection (Modern banker malware undermines two-factor authentication) due to the systematically updated binaries.

Story here.

— Tom Kelchner