Kneber: InfoSec PR Wars

Yesterday the Wall Street Journal broke the story of a major botnet that has infected over 2,500 companies. That day I also received an email from a major anti-virus vendor that claimed the trojan used to create the botnet is well known and easily detectable. They sent it to me in the hopes that I would write their counterargument on bloginfosec.com.

I couldn’t help but think that it was one company battling against another through PR. One seeks to publicize their name, the other seeks to claim it’s over-hyped (and hence get their name out there).

Here’s a sanitized version of the email:

There has been some recent high profile coverage of an online threat being referred to as “Kneber.” Some news coverage [company name removed] has observed has put forth that this is a new type of malware, which is simply not the case.

Kneber, in reality, is not a new threat at all, but is simply a pseudonym for the infamous and well-known Zeus Trojan. The name Kneber simply refers to a particular group, or herd, of zombie computers, a.k.a. bots, being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot, which also goes by the name Zeus, which has been being observed, analyzed and protected against for some time now.

Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strings, such as Kneber, of the overall Zeus botnet.

Though it is true that this Kneber string of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, computer users with up-to-date security software should already be protected from this threat. (emphasis mine)