In my day-to-day discussions with peers and the general public, there is always something that I take away from the discussions. For instance, in the last few days there have been references to Kneber and Zeus as two different botnets. I'd like to take a moment to help clarify the fact that these are actually one in the same.
Actually, the heavy-lifting of creating an explanation came from our ESET Latin American office's Jorge Mieres (translation is courtesy of Google Translate). This was from a blog post that he made on 2/18/2010 (http://blogs.eset-la.com/laboratorio/2010/02/18/que-hay-de-cierto-respecto-botnet-kneber/):
Today's breakfast was greeted with "shocking news" that outlined the criminal capabilities of a botnet that was called Kneber in a report made by the company NetWitness. It apparently has an established network of 75,000 zombie computers, including government systems and major companies.
This supposed "new botnet" as it has been called, is nothing more or less than the known Zeus (as the same companies clarify), a network of infected computers which we have spoken about several times to try cases against Facebook, Amazon, Microsoft, even using the name of NOD32, and at 75,000 computers, perhaps for many it may seem it is a low number for a botnet. Zeus spreads a Trojan designed not only to recruit zombies, but also for different kinds of attacks of a financial nature, it is logical that criminal strategies are always aimed at governments and enterprises of different sizes, clearly including financial institutions and the banking industry.
This news, of "imminent danger, a new botnet discovered", can generate a new problem which no company should be affected by safeguarding their valued assets through security mechanisms. However, there is no reason to generate exaggerated alerts, it is best to check the proper functioning of security procedures implemented in the company and create awareness of this problem.
It was also announced that this "new attack" is much larger than reported by Google earlier this year, when the truth is we're not talking about an attack, we are talking about the criminal capabilities of a botnet common based on crimeware and every one of those infected computers (users or companies) are listening, waiting for malicious instructions.
While this single botnet had the capability to easily to recruit 75,000 computers and task them with carrying out out different types of fraudulent activities, the question we should ask is: what is the method used to prevent infections? For a system to fall into the hands of a Botmaster (person managing the botnet) there has to be an infection, either through deception or exploitation of any given vulnerability. We must therefore understand the importance of implementing security mechanisms in companies, understanding that the difference between a computers being clean or infected is to implement a policy in this regard and that the majority of prevention to avoid being part of a botnet , is implementing a security solution with proactive capabilities such as antivirus NOD32, which detects, as this case, all variants of Zeus.
Jorge Mieres Jorge Mieres
Analista de Seguridad Security Analyst
Author ESET Research, ESET