Botnets: Kneber and Pushdo Protections
(Industry Coverage: Network World, TrendMicro)
Kneber and Pushdo are command-and-control botnets that primarily target Microsoft Windows operating systems. Both can make constant changes to their code, which makes them hard to detect.
Kneber/Zeus
Kneber (Zbot, BTN1) is a form of malware reported to have affected more than 74,000 PCs in 2,400 business and government systems around the world. Kneber, named after the username linking the infected computers worldwide (Hilary Kneber), is related to the Zeus botnet, a malware botnet package that is readily available for sale and is also traded in underground cybercriminal forums.
The Kneber/Zeus botnet gathers login credentials for online financial systems, social networking sites and e-mail systems from infected computers and reports the information back to botnet owners and their clients. They, in turn, use the information to break into accounts and steal corporate and government information as well as personal and financial information.
According to the researcher who discovered Kneber, Alex Cox from NetWitness, more than half of the computer systems in the Kneber botnet also have the Waledac Trojan, a worm known to create email spam botnets that was recently associated with Conficker. Check Point SmartDefense, IPS Software Blade, and IPS-1 detect and block attempts to connect to the Kneber/Zeus botnet. For more information, see CPAI-2010-038.
Pushdo
Pushdo, a botnet used primarily for sending spam emails, has been around since January 2007 and contains an advanced downloader component that can constantly update itself with new components. Infected machines suffer complete compromise, leading to exposure of confidential information and further network compromise. Recently Pushdo made news again when changes in its code instructed infected nodes to create junk SSL connections to hundreds of SSL-enabled websites.
According to a study published by TrendMicro, Pushdo is the second largest spam botnet on the planet, believed to be responsible for approximately 7.7 billion spam emails per day, making it responsible for 1 out of every 25 spam emails sent worldwide. Check Point provides protection that detects and blocks Pushdo denial-of-service attacks. For more information, see SBP-2010-10.

