February 19, 2010, 1:42 PM — Information gathered about a newly discovered botnet called Kneber indicates that multiple infections by different malware on the same host could work together as a sophisticated mechanism to give all the malware a better survival rate.
America's 10 most wanted botnetsThe sheer size of the Kneber botnet -- 74,000 compromised computers in 2,400 different companies -- attracted most of the attention when Kneber was revealed Thursday. But how it interacts with other malware networks suggests a symbiotic relationship that ultimately makes each botnet more resistant to being dismantled, says Alex Cox, the senior consultant in the research department at NetWitness who discovered Kneber.
Kneber was built using a well-established toolkit for aggregating botnets called ZeuS that has been around for years. Kneber is an example of just one botnet built with the toolkit, but because Cox captured 75GB of log data from the command-and-control server, he was able to examine detailed characteristics of the computers ZeuS took over.
What he found is that more than half the 74,000 compromised computers -- bots -- within Kneber were also found infected with other malware that uses a different command-and-control structure. If one of the criminal networks were disabled, the other could be used to build it up again,
"At the very least, two separate botnet families with different [command-and-control] infrastructures can provide fault tolerance and recoverability in the event that one [command-and-control] mechanism is taken down by security efforts," he says in his written analysis of the Kneber botnet.
In this case, more than half the machines that made up the botnet were infected with both ZeuS, which steals user data, and Waledac, a spamming malware that uses peer-to-peer mechanisms to spread more infections, he says. He can't conclude for sure that they're working together in this case, but the presence of both introduces an interesting possibility: If the ZeuS command-and-control infrastructure is cut down, the owner of the ZeuS botnet could go to the person running the Waledac botnet and pay for it to push a ZeuS upgrade that brings the ZeuS bots back online reporting to a new server, he says.
Alternatively, a single group could run both the ZeuS and Waledac botnets and push the upgrade itself. "From a disaster-recovery perspective, it makes sense," Cox says.
The Kneber server log contained individuals' passwords to sites including Facebook and Yahoo as well as a slew of financial sites including CitiBank, Wells Fargo, PayPal, Citizens Bank and HSBC Bank, according to Cox's report on Kneber.