Kneber botnet - upcoming threat

Modelworks

Lifer
Feb 22, 2007
Was reading the white paper on Kneber, a new botnet that has started making the rounds. As of Jan 26, 2010 there were 74,000 PCs in the net. This isn't the usual popup, redirect or annoy malware but one that installs itself and does everything it can to keep the user unaware that it is installed.


The infected machines included:
Local, State and Federal Government Agencies
Financial Institutions
Energy Companies
Internet Service Providers
Educational Institutions
Technology Companies

Items targeted were security certificates, 1,972 unique certificates so far.
Some of the places targeted:
https://internetbanking.gad.de*
https://www.citibank.de*
http://ebay.com/*
https://www.us.hsbc.com*
https://www.e-gold.com*
https://online.wellsfargo.com*
https://www.paypal.com*
https://www.usbank.com*
https://www.tdcanadatrust.com*
https://onlinebanking.nationalcity.com*
https://www.citizensbankonline.com*
https://www.suntrust.com*
https://www.53.com*
https://web.da-us.citibank.com*
https://onlineeast.bankofamerica.com*
https://online.wamu.com*
https://onlinebanking.wachovia.com*
https://resources.chase.com*
https://bancaonline.openbank.es*
https://extranet.banesto.es*
https://empresas.gruposantander.es*
https://www.bbvanetoffice.com*
https://www.bancajaproximaempresas.com*
https://probanking.procreditbank.bg*
https://ibank.internationalbanking.barclays.com*
https://online-offshore.lloydstsb.com*
http://www.hsbc.co.uk*
https://www.nwolb.com*
https://home.ybonline.co.uk*
https://home.cbonline.co.uk*


Notice these are all SSL and not the normal http sites.


Phrases the malware also looked for were:
“What is your mother’s maiden name?”
“What street did you grow up on?”
“What was your first pet’s name?”

Sites the information is eventually sent to were all in China.
 
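The target list above is a set of glob masks (the trailing "*" is a wildcard, so each entry is really a URL prefix) plus a handful of phrases to look for in page text. The following is an added example, not code from the post or from the white paper it summarizes, showing how that kind of targeting works and what it does and does not catch. The mask subset, the sample page text and the function names are all constructed for illustration; the matching rules (prefix glob on scheme, host and path; phrase search in page text) are the general mechanism, not anything specific to the Kneber configuration.

```python
import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Constructed subset of the target masks quoted in the post above. The trailing
# '*' is a glob wildcard, so each mask is effectively a URL prefix.
TARGET_MASKS = [
    "https://www.paypal.com*",
    "https://online.wellsfargo.com*",
    "http://ebay.com/*",
    "https://www.citibank.de*",
    "https://onlinebanking.nationalcity.com*",
    "https://onlinebanking.nationalcity.com*",  # listed twice in the post
]

# The three security-question phrases quoted in the post.
SECURITY_QUESTIONS = [
    "What is your mother's maiden name?",
    "What street did you grow up on?",
    "What was your first pet's name?",
]


def normalize_masks(masks):
    """Drop exact duplicates while keeping the original order."""
    seen = set()
    out = []
    for mask in masks:
        if mask not in seen:
            seen.add(mask)
            out.append(mask)
    return out


def normalize_url(url):
    """Lower-case scheme and host (both are case-insensitive per RFC 3986);
    leave path and query untouched, since a mask may care about them."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


def matching_mask(url, masks):
    """Return the first mask that matches url, or None.

    fnmatchcase is used instead of fnmatch so the result does not depend on
    the host OS (fnmatch is case-insensitive on Windows only)."""
    target = normalize_url(url)
    for mask in normalize_masks(masks):
        if fnmatch.fnmatchcase(target, mask):
            return mask
    return None


def questions_in_page(body, questions=SECURITY_QUESTIONS):
    """Return the security-question phrases present in page text.

    Curly apostrophes (U+2019), as in the quoted phrases, are folded to ASCII
    and the comparison is case-insensitive, so typographic differences in
    a page's HTML do not hide a match."""
    folded = body.replace("\u2019", "'").lower()
    return [q for q in questions if q.lower() in folded]


def classify_page(url, body, masks=TARGET_MASKS):
    """A page is of interest if its URL hits a mask or its text carries one
    of the enrollment questions (both checks the post describes)."""
    mask = matching_mask(url, masks)
    questions = questions_in_page(body)
    return {"mask": mask, "questions": questions,
            "targeted": mask is not None or bool(questions)}


if __name__ == "__main__":
    # Constructed sample page, not real bank content.
    sample_body = ("<h2>Verify your identity</h2>"
                   "<label>What is your mother\u2019s maiden name?</label>")
    for u in ("https://www.PayPal.com/cgi-bin/webscr?cmd=_login",
              "https://www.paypal.com.example/login",   # prefix match, see note
              "http://www.ebay.com/signin",             # no match: mask has no www.
              "https://example.org/"):
        print(u, "->", classify_page(u, sample_body))
```

Two things worth noticing from running it: a mask with no trailing slash, such as "https://www.paypal.com*", is a plain prefix and also matches a host like www.paypal.com.example, so the list is broader than a host allow-list; and "http://ebay.com/*" does not match www.ebay.com at all, so a mask list like this one is only as complete as whoever wrote it bothered to make it.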

jed.moulton

Junior Member
Feb 10, 2010
Skynet lives!!!! D:

They are getting sophisticated - it is all about the money. :twisted:

Those are standard ID questions for online banking.
 

AreaCode707

Lifer
Sep 21, 2001
I'm staying with some nice peeps down in NorCal and I think the mom's computer got hit, but I'm having trouble finding a definitive way to tell whether it's Kneber or not. Looks a bit likely due to the behavior with Yahoo Mail and the timing but I'd like to be able to help her at least tell whether it's Kneber or not. Anyone heard of reg settings or other items I can check? (They're running XP.)
 

Chiefcrowe

Diamond Member
Sep 15, 2008
I don't know the details of this botnet and what it does to computers, but I'd try to scan it offline with an antivirus CD such as one from Antivir and also do some spyware scanning in safe mode to see if anything comes up.

I'm staying with some nice peeps down in NorCal and I think the mom's computer got hit, but I'm having trouble finding a definitive way to tell whether it's Kneber or not. Looks a bit likely due to the behavior with Yahoo Mail and the timing but I'd like to be able to help her at least tell whether it's Kneber or not. Anyone heard of reg settings or other items I can check? (They're running XP.)
 

AreaCode707

Lifer
Sep 21, 2001
Wound up catching it with mbam and an associated virus with superantivirus. Thanks though!
 

Red Squirrel

No Lifer
May 24, 2003
I still think the owners of these infected machines should be held legally responsible and have a certain time period to rectify the problem or they face severe legal charges. They have to learn somehow. It's too hard to track the ones controlling these botnets, and those are the people we really want to get, but it's easier to track the owners, so that said, the responsibility should just fall on them. It is after all their equipment that is attacking others.


It's actually scary to think that all those sites listed let themselves be infected. Some of these are huge companies that should have dedicated security staff monitoring 24/7.