Check Point Advisories

Botnet: Kneber

Check Point Reference: CPAI-2010-038
Date Published: 22 Feb 2010
Severity: Critical
Last Updated: Monday 22 February, 2010
Source:
Protection Provided by:

Security Gateway
R81, R80, R77, R75, R71, R70, R65

Who is Vulnerable?
Vulnerability Description

Kneber (Zbot, BTN1) is a form of malware which is reported to have affected more than 74,000 PCs in 2,400 business and government systems around the world. Kneber, named after the username linking the infected computers worldwide (Hilary Kneber), is related to the ZeuS botnet, a malware botnet package that is readily available for sale and also traded in underground cybercriminal forums. The Kneber/Zeus botnet gathers login credentials for online financial systems, social networking sites and e-mail systems from infected computers and reports the information back to the botnet owners and their clients. They, in turn, use the information to break into accounts, steal corporate and government information, and steal personal and financial identities. According to the researcher who discovered Kneber, Alex Cox from NetWitness, more than half of the computer systems in the Kneber botnet also have the Waledac Trojan, a worm known to create email spam botnets that was recently associated with Conficker.

Protection Overview

The protection will detect and block the Kneber botnet attacks.

To activate the protection, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

  1. In the IPS tab, click Protections and find the Botnet: Kneber protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Web Client Enforcement Violation.
Attack Information:  Botnet: Kneber
