New Zeus Botnet – Kneber (Feb 18, 2010)

SonicWALL UTM Research team observed reports this morning of the Kneber Botnet, which compromised over 75,000 systems worldwide, including systems at government agencies. This is not a new Botnet but a standard Zeus Botnet that we covered in detail in one of our SonicAlerts last year – Zeus Trojan Family.

New variants of Zeus Botnet appear constantly in the wild. The name Kneber comes from the user name associated with one of its controller domains, silence7.cn.

A look-up of this domain at http://whois.domaintools.com yields the following information; the registrant email address carries the last name ‘Kneber’, hence the name of this Botnet.

    Domain Name: silence7.cn
    ROID: 20091210s10001s86100640-cn
    Domain Status: ok
    Registrant Organization: Hilary
    Registrant Name: Hilary
    Administrative Email: hilarykneber@yahoo.com

    Name Server: free01.editdns.net
    Name Server: free02.editdns.net
    Registration Date: 2009-12-10 21:10
    Expiration Date: 2010-12-10 21:10

This new variant has the following characteristics generic to Zeus Botnet:

    File Creation:
    [System Folder]\sdra64.exe
    [System Folder]\lowsec
    [System Folder]\lowsec\local.ds
    [System Folder]\lowsec\user.ds

    Note: [System Folder] is the default Windows system folder. Typically it is C:\Winnt\system32 for Windows 2000 and NT and C:\Windows\System32 for XP, Vista, and Windows 7.

    Registry Modification:
    This botnet modifies this registry entry to ensure its automatic execution on every Windows startup.

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value: “Userinit”
    Original Data: “C:\WINDOWS\system32\userinit.exe,”
    Modified Data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sdra64.exe,”

    Process Termination:
    This Botnet tries to terminate firewall applications so that it can run without interruption.

    • Outpost Firewall
    • Zone Alarm Firewall
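The two host-level indicators above (the extended Winlogon Userinit value and the files dropped under the system folder) can be checked mechanically. The following is an added example, not part of the original alert and not SonicWALL code; it parses a Userinit data string and a constructed file listing offline, so it runs anywhere, and the registry/file inputs are assumed to be collected separately from the host under investigation.

```python
import ntpath

# Indicators taken from the alert: files dropped under the Windows system
# folder, and the stock Userinit executable that Zeus appends its loader to.
EXPECTED_USERINIT = "userinit.exe"
ZEUS_FILE_ARTIFACTS = ("sdra64.exe", "lowsec\\local.ds", "lowsec\\user.ds")
# Both system-folder spellings named in the alert (Windows 2000/NT and XP+).
SYSTEM_FOLDERS = ("c:\\winnt\\system32", "c:\\windows\\system32")


def userinit_entries(value):
    """Split a Winlogon Userinit data string into its executable entries.

    The legitimate value is 'C:\\WINDOWS\\system32\\userinit.exe,' (note the
    trailing comma); Zeus appends its own loader after that comma.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value):
    """Return every Userinit entry whose file name is not userinit.exe."""
    return [e for e in userinit_entries(value)
            if ntpath.basename(e).lower() != EXPECTED_USERINIT]


def is_zeus_artifact(path):
    """True if `path` is one of the alert's dropped files inside either
    system folder, regardless of case or slash direction."""
    p = ntpath.normpath(path).lower()
    return any(p == ntpath.join(folder, artifact)
               for folder in SYSTEM_FOLDERS
               for artifact in ZEUS_FILE_ARTIFACTS)


def triage(userinit_value, file_listing):
    """Combine both checks into one verdict for a host (constructed inputs)."""
    findings = {
        "userinit_extra": unexpected_userinit_entries(userinit_value),
        "artifacts": [f for f in file_listing if is_zeus_artifact(f)],
    }
    findings["suspect"] = bool(findings["userinit_extra"] or findings["artifacts"])
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the modified Userinit data from the alert.
    sample_value = "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\sdra64.exe,"
    sample_files = ["C:\\WINDOWS\\System32\\lowsec\\local.ds", "C:\\WINDOWS\\notepad.exe"]
    print(triage(sample_value, sample_files))
```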

SonicWALL Gateway AntiVirus provides protection against this Botnet via the following GAV signatures:

  • GAV: Zbot.HNO (Trojan)
  • GAV: ZBot.gen (Trojan)
  • GAV: Zbot.AEZ (Trojan)
  • GAV: Zbot.ABC (Trojan)
  • GAV: Zbot.CMS (Trojan)
  • GAV: Zbot.RL (Trojan)
  • GAV: Zbot.IXC (Trojan)
  • GAV: Zbot.CFA (Trojan)
  • GAV: Zbot.gen.C (Trojan)
  • GAV: Zbot.ADFY_2 (Trojan)
  • GAV: Zbot.CA (Trojan)
