Kneber Botnet - less fluxy but more stealthy

The recent news story about the Kneber botnet based on the excellent work done by the NetWitness team and informative posts by Dancho Danchev and others brought the ZeuS Trojan botnet into limelight. In contrast to some misleading reports, the security community has been following this botnet, which infected more than 75,000 computer systems at nearly 2,500 companies, for quite a long time. We have been tracking ZeuS with our Fast Flux Monitor for some time as well. Given the recent interest in this botnet, we decided to analyze the reported ZeuS data using our Fast Flux Monitor database to provide some additional insight. Most of the domain, nameserver and IP entities associated with the attacking infrastructure reported in the NetWitness Kneber report have been in our FastFluxMonitor database. What is interesting is that most of the reported Kneber domains and nameservers are not exhibiting fast flux behavior. For instance, all of the reported Kneber domains for the Trojan installers resolve to 1 to 4 IPs, which is not enough for using a fast flux evasion scheme. The number of domains the Kneber Trojan installers resolve to are shown in the table below.

ZeuS Installer.jpg

Comparing the ZeuS network graph with the various botnets in our database reveals that ZeuS botnet has a different network graph than others like Avalanche, Conficker, Gumblar and Pushdo. The figure below shows the domain, nameserver and IP connectivity for the Avalanche botnet:


In this graph, the blue, red, green nodes denote the IPs, domains, and nameservers addresses, respectively. Each cluster represents a set of entities where any two nodes can be linked through the domain, nameserver and IP connectivity . The Avalanche graph has one large cluster and six small clusters, making it easy to discover the various entities of this botnet. In contrast, the same graph for the ZeuS botnet shown below has one large cluster and over 200 small clusters, thus making it hard to discover the various entities of this botnet.

ffm_zeus_network jpeg.jpg

Referring to the data shown in the table above, the reported Kneber domains and nameservers belong to one of the small clusters on the right. These clusters consist of domains and nameservers that do not exhibit fast flux behavior. Whether the small clusters represent the discreet probe of networks by large criminal organizations, or small operator hosting set-ups that downloaded free phishing kits, the ZeuS botnet is stealthier than the others by relying on a large number of smaller clusters used for attack campaigns.

We will present our comparative analysis of the Avalanche, Conficker, Gumblar, Pusdhdo, and ZeuS at the NATO IST-091 Symposium on "Information Assurance and Cyber Defence", which will provide an explanation for the difference.