Zeus "Kneber" Botnet Cache Discovered
Earlier today, security firm NetWitness reported the discovery of a cache of stolen data harvested by the Zeus botnet. According to that report, the stolen data "included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines."
Somewhere along the line, people began referring to this attack as the "Kneber botnet". In reality, it's still Zeus. The reason some folks have nicknamed it Kneber is that the malware domains involved in this particular branch of the Zeus botnet have "Hilary Kneber" listed as the domain registrant. Of course, Hilary Kneber is likely a completely made-up name.
The Zeus botnet has been active on the Web for over a year. In our 1Q08 Global Threat Report, ScanSafe reported on the surge of Zeus-related activity via the Web and specifically its joining forces with the LuckySploit framework.
Zeus malware is known for browser traffic sniffing, intercepting POST data and keystrokes associated with the active browser session, as well as clipboard data passed to the browser. Zeus malware also typically disables firewalls and other security software on infected systems, as well as blocking access to security vendor websites and services. For example, Zeus can prevent antivirus signatures from being updated. Zeus trojans also employ rootkits to remain hidden on infected systems.
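One way a defender can spot the "blocking access to security vendor websites" behaviour described above is to audit the local hosts file for entries that redirect vendor or update domains. The script below is an added example, not ScanSafe's code; it assumes the blocking is done through hosts-file entries (a common technique, though the post does not name the mechanism), and both the watch list of vendor domains and the sample hosts content are constructed for the example.

```python
"""Check hosts-file text for entries that hijack security-vendor domains.

Added illustration, not ScanSafe's code. Assumes the blocking is done via
hosts-file entries; the post does not say which mechanism Zeus uses.
"""
import ipaddress

# Assumed watch list of domains an infected host should still be able to
# reach. Constructed for the example; extend it with the vendors you use.
SECURITY_DOMAINS = (
    "scansafe.com",
    "update.microsoft.com",
    "windowsupdate.com",
    "kaspersky.com",
    "symantec.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry we can interpret
        for host in fields[1:]:
            yield ip, host.lower()


def matches_watchlist(host):
    """True when host equals, or is a subdomain of, a watched domain."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacked(text):
    """Return (ip, host) pairs that map a watched domain to any address.

    A clean hosts file normally does not mention vendor domains at all, so
    every mapping is reported, loopback included: pointing an update site
    at 127.0.0.1 is enough to stop signature updates.
    """
    return [(str(ip), host) for ip, host in parse_hosts(text)
            if matches_watchlist(host)]


# Constructed sample: a stock-looking header followed by tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed to look like a tampered file
127.0.0.1       update.microsoft.com
127.0.0.1       www.kaspersky.com liveupdate.symantec.com
10.0.0.5        intranet.example.local
"""

if __name__ == "__main__":
    for ip, host in find_hijacked(SAMPLE_HOSTS):
        print(f"hijacked: {host} -> {ip}")
```

On a real system, read the contents of the platform's hosts file (for example `C:\Windows\System32\drivers\etc\hosts` on Windows) and pass the text to `find_hijacked`; any hit is worth a closer look, since the entry may also be the only visible trace of a rootkit-hidden infection.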
In 2009, malware associated with Zeus accounted for 1% of all ScanSafe Web malware blocks for the year. (For more details on botnet activity, download the ScanSafe 2009 Annual Global Threat Report). For the "Kneber" domains specifically, some of the detection names related to those blocks include:
Backdoor.Win32.Agent.amsu
Backdoor.Win32.Goolbot.as
Backdoor.Win32.HareBot.anq
Exploit.JS.DirektShow.y
Exploit.JS.Pdfka.amf
Exploit.JS.Pdfka.apf
Exploit.JS.Pdfka.arr
Exploit.JS.Pdfka.ast
Exploit.JS.Pdfka.atz
Exploit.JS.Pdfka.azm
Exploit.JS.Pdfka.bgj
Exploit.Win32.Pidief.bmr
Exploit.Win32.Pidief.cvw
Heuristic
oi.pdf.explt.07-5659
oi.pdf.explt.08-2992
oi.pdf.susp
oi.script.activeX.funcArg
oi.script.overflow
oi.win32.susp.AS
oi.win32.susp.CH
oi.win32.susp.CJ
oi.win32.susp.GB
oi.win32.susp.GV
oi.win32.susp.QE
oi.win32.susp.QK
oi.win32.susp.US
oi.win32.susp.WH
oi.win32.susp.YK
oi.win32.susp.YU
Packed.JS.Agent.bm
Packed.JS.Agent.bo
Trojan.JS.Agent.akm
Trojan.JS.Agent.aqe
Trojan.JS.Agent.avb
Trojan.JS.Agent.axw
Trojan.JS.Iframe.ef
Trojan.JS.Pakes.bq
Trojan.JS.Redirector.ag
Trojan.JS.RSAcrypt.a
Trojan.Win32.Agent.clsj
Trojan.Win32.Agent2.krj
Trojan.Win32.Agent2.ksd
Trojan.Win32.Scar.axus
Trojan.Win32.Small.bzh
Trojan.Win32.Tdss.avey
Trojan-Clicker.HTML.IFrame.fh
Trojan-Clicker.HTML.IFrame.g
Trojan-Clicker.JS.Iframe.bj
Trojan-Downloader.Java.Agent.ab
Trojan-Downloader.Java.Agent.af
Trojan-Downloader.Java.Agent.aj
Trojan-Downloader.Java.OpenStream.ad
Trojan-Downloader.Java.OpenStream.af
Trojan-Downloader.JS.Agent.esk
Trojan-Downloader.JS.Agent.euq
Trojan-Downloader.JS.Agent.evq
Trojan-Downloader.JS.Kazmet.b
Trojan-Downloader.JS.Kazmet.f
Trojan-Downloader.JS.Kazmet.g
Trojan-Downloader.JS.Major.a
Trojan-Downloader.JS.Major.e
Trojan-Downloader.JS.Plif.a
Trojan-Downloader.Win32.Agent.bxmo
Trojan-Dropper.Win32.Agent.bjzy
Trojan-Dropper.Win32.BHO.bo
Virus.Win32.Virut.ce
Note that detection names are generic: not all malware blocked under one of these threat names will be related to the Kneber branch of the Zeus botnet. Following are some of the domain names and IP addresses associated with the Kneber branch of Zeus:
58.218.199.239
59.53.91.102
60.12.117.147
61.235.117.71
61.235.117.86
61.4.82.216
193.104.110.88
95.169.186.103
222.122.60.186
217.23.10.19
85.17.144.78
200.106.149.171
200.63.44.192
200.63.46.134
91.206.231.189
124.109.3.135
61.61.20.134
91.206.201.14
91.206.201.222
91.206.201.8
216.104.40.218
69.197.128.203
123.30d5546ce2d9ab37.d99q.cn
d99q.cn
524ay.cn
adcounters.net
adobe-config-s3.net
mywarworld.cn
aqaqaqaq.com
avchecker123.com
bizelitt.com
biznessnews.cn
bizuklux.cn
fcrazy.com
fcrazy.eu
boolred.in
brans.pl
britishsupport.net
bulkbin.cn
chaujoi.cn
checkvirus.net
chinaoilfactory.cn
chris25project.cn
client158.faster-hosting.com
cwbnewsonline.cn
cxzczxccc.com.cn
dasfkjsdsfg.biz
dia2.cn
digitalinspiration.e37z.cn
dolbanov.net
dolcegabbana.djbormand.cn
djbormand.cn
download.sttcounter.cn
sttcounter.cn
dred3.cn
dsfad.in
e37z.cn
e58z.cn
electrofunny.cn
electromusicnow.cn
elsemon.cn
fcrazy.info
filemarket.net
flo5.cn
footballcappers.biz
fobsl.cn
forum.d99q.cn
gamno6.cn
gidrasil.cn
gifts2010.net
ginmap.cn
giopnon.cn
gksdh.cn
glousc.com
gnfdt.cn
gold-smerch.cn
goldenmac.cn
google.maniyakat.cn
maniyakat.cn
greenpl.com
grizzli-counter.com
grobin1.cn
inpanel.cn
itmasterz.org
iuylqb.cn
kaizerr.org
keepmeupdated.cn
khalej.cn
kimosimotuma.cn
klaikius.com
klitar.cn
kolordat482.com
kotopes.cn
liagand.cn
love2coffee.cn
majorsoftwareupdate.info
marcusmed.com
mcount.net
mega-counter.com
monstersoftware.info
morsayniketamere.cn
mydailymail.cn
mynewworldorder.cn
newsdownloads.cn
nit99.biz
nm.fcrazy.com
nmalodbp.com
not99.biz
online-counter.cn
pedersii.net
piramidsoftware.info
popupserf.cn
qaqaqaqa.com
qaqaqaqa.net
qbxq16.com
redlinecompany.ravelotti.cn
ravelotti.cn
relevant-information.cn
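The list above is only useful once it is matched against traffic, and the post itself shows why a plain string lookup is not enough: it lists both d99q.cn and forum.d99q.cn, and both fcrazy.com and nm.fcrazy.com, so a matcher has to treat any host under a listed domain as a hit. The script below is an added example, not ScanSafe's code. The indicators are a subset of those listed in the post; the proxy-log format (timestamp, client address, method, URL, status) and the log lines themselves are constructed for the example.

```python
"""Match web-proxy log lines against the Kneber indicator list.

Added example, not ScanSafe's code. Indicators are a subset of those in
the post; the log format and the log lines are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Subset of the domains and addresses listed in the post.
KNEBER_DOMAINS = {
    "d99q.cn", "forum.d99q.cn", "adobe-config-s3.net", "checkvirus.net",
    "majorsoftwareupdate.info", "fcrazy.com", "nm.fcrazy.com",
}
KNEBER_IPS = {"193.104.110.88", "91.206.201.8", "216.104.40.218"}


def domain_hit(host):
    """Return the listed domain that host is, or sits under, else None.

    Walking every parent label means a subdomain not in the list, such as
    update.d99q.cn, still matches the listed d99q.cn, while a look-alike
    like adobe-config-s3.net.example.org does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in KNEBER_DOMAINS:
            return candidate
    return None


def classify_host(host):
    """Return ("ip", indicator), ("domain", indicator) or None."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        hit = domain_hit(host)
        return ("domain", hit) if hit else None
    return ("ip", host) if host in KNEBER_IPS else None


def scan_log(lines):
    """Return (line_no, client, host, kind, indicator) for each matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname  # strips scheme, port and path
        if not host:
            continue
        found = classify_host(host)
        if found:
            hits.append((n, client, host, found[0], found[1]))
    return hits


# Constructed log lines; only the indicator hosts are taken from the post.
SAMPLE_LOG = [
    "2010-02-18T09:01:02Z 10.1.4.23 GET http://www.example.com/index.html 200",
    "2010-02-18T09:01:07Z 10.1.4.23 GET http://update.d99q.cn/load.php?id=3 200",
    "2010-02-18T09:02:11Z 10.1.7.9 POST http://193.104.110.88:8080/post.php 200",
    "2010-02-18T09:02:40Z 10.1.7.9 GET http://adobe-config-s3.net.example.org/ 404",
    "2010-02-18T09:03:05Z 10.1.2.2 GET http://adobe-config-s3.net/cfg.bin 200",
]

if __name__ == "__main__":
    for n, client, host, kind, indicator in scan_log(SAMPLE_LOG):
        print(f"line {n}: {client} -> {host} ({kind} indicator {indicator})")
```

Feed it your proxy's export with the field positions adjusted to your format; the client address in each hit is the machine to pull for forensics, and the indicator tells you which listed domain or address it reached.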

Mary Landesman