
Kneber botnet - upcoming threat

Was reading the white paper on Kneber, a new botnet that has started making the rounds. As of Jan 26, 2010 there were 74,000 PCs in the net. This isn't the usual popup, redirect or annoying malware but one that installs itself and does everything it can to keep the user unaware that it is installed.


The infected machines were comprised of:
Local, State and Federal Government Agencies
Financial Institutions
Energy Companies
Internet Service Providers
Educational Institutions
Technology Companies

Items targeted were security certificates; total so far 1972 unique certificates.
Some of the places targeted.


Notice these are all SSL and not the normal http sites.


Phrases the malware also looked for were:
“What is your mother’s maiden name?”
“What street did you grow up on?”
“What was your first pet’s name?”

Sites the information is eventually sent to were all in China.
 
Skynet lives!!!! D:

They are getting sophisticated - it is all about the money. :twisted:

Those are standard ID questions for online banking.
 
I'm staying with some nice peeps down in NorCal and I think the mom's computer got hit, but I'm having trouble finding a definitive way to tell whether it's Kneber or not. Looks a bit likely due to the behavior with Yahoo Mail and the timing but I'd like to be able to help her at least tell whether it's Kneber or not. Anyone heard of reg settings or other items I can check? (They're running XP.)
 
I don't know the details of this botnet and what it does to computers, but I'd try to scan it offline with an antivirus CD such as one from Antivir and also do some spyware scanning in safe mode to see if anything comes up.

 
I still think the owners of these infected machines should be held legally responsible and have a certain time period to rectify the problem or they face severe legal charges. They have to learn somehow. It's too hard to track the ones controlling these botnets, and those are the people we really want to get, but it's easier to track the owners, so that said, the responsibility should just fall on them. It is after all their equipment that is attacking others.


It's actually scary to think that all those sites listed let themselves be infected. Some of these are huge companies that should have dedicated security staff monitoring 24/7.
 