What the Zeus!? Kneber botnet unmasked

Media reports from yesterday about a “broad new hacking attack” against corporations and government agencies gained a lot of attention.

Here are just a handful of the heart-stopping headlines we saw:

Inevitably many people have contacted Sophos asking about the mysterious “Kneber botnet”, and whether we can protect computers against it.

Obviously botnets are a big problem, but what many of the reports have missed is that “Kneber” is just another name for a family of malware which has been in existence for over two years called Zeus or ZBot.

Here, for instance, is a blog post from late 2007 where Fraser Howard of SophosLabs discussed one of the earliest versions of Zeus: “Zbot (aka Prg) banking Trojan distribution”.

We have discussed many many more aspects and examples of Zeus since, including last year I revealed on the Clu-blog that a man and woman were arrested in Manchester, UK, in relation to a strain of the Zbot/Zeus Trojan that they were allegedly spreading.

So, in reality, Kneber is nothing new at all. It’s just that the media latched onto a new name for a known threat.

Brian Krebs has written a good write-up about this on his blog.