NetWitness Community

REPOST - ORIGINALLY POSTED OCTOBER 7, 2010

The press has been a buzz over the past few weeks with news of law enforcement busts of some prominent ZeuS miscreants.

This has renewed interest at NetWitness around the data and publication of our “Kneber” paper, which documented the data stolen by a large ZeuS botnet.

Today I took a second look at the domains reported to malwaredomainlist.com (since in the release of our research in February) that were registered by our nemesis,  hilarykneber@yahoo.com

http://www.malwaredomainlist.com/mdl.php?search=kneber&colsearch=Registrant&quantity=all

Here’s what I found:

Since February, seven-one new “kneber” domains have been identified as malicious and whois records indicate the vast majority of them were created after the publication of our research:

• Created On:09-Feb-2010 20:20:43 UTC
• Created On:13-Apr-2010 14:58:46 UTC
• Created On:20-Jan-2010 13:02:23 UTC
• Created On:20-Jan-2010 13:02:23 UTC
• Created: 2009-12-22
• Created: 2010-01-14
• Created: 2010-02-09
• Created: 2010-02-11
• Created: 2010-02-12
• Created: 2010-02-17
• Created: 2010-02-18
• Created: 2010-02-23
• Created: 2010-02-23
• Created: 2010-03-11
• Created: 2010-03-11
• Created: 2010-03-11
• Created: 2010-03-15
• Created: 2010-03-15
• Created: 2010-03-15
• Created: 2010-03-16
• Created: 2010-04-13
• Created: 2010-04-27
• Created: 2010-05-06
• Created: 2010-05-26
• Created: 2010-06-10
• Created: 2010-06-14
• Created: 2010-06-14
• Created: 2010-06-25
• Created: 2010-06-29
• Created: 2010-07-05
• Created: 2010-07-08
• Created: 2010-07-16
• Created: 2010-07-26
• Created: 2010-07-29
• Created: 2010-08-01
• Created: 2010-08-02
• Created: 2010-08-06
• Created: 2010-08-06
• Created: 2010-08-06
• Created: 2010-08-13
• Created: 2010-08-14
• Created: 2010-08-14
• Created: 2010-08-17
• Created: 2010-08-26
• Created: 2010-08-28
• Created: 2010-08-28
• Created: 2010-08-28
• Created: 2010-08-28
• Created: 2010-09-05
• Created: 2010-09-09
• Created: 2010-09-21
• Created: 2010-09-21
• Created: 2010-10-05

Of these domains, 56 had registrar information in the whois records, and 53 of those were a single registrar: 

Registrar: BIZCN.COM, INC.

These domains are being reported for a number of different malicious elements, but there are 100 instances of ZeuS components from this group of domains, including:

• zeus v1 config file
• zeus v1 drop zone
• zeus v1 trojan
• zeus v2 config file
• zeus v2 drop zone
• zeus v2 trojan

So what does this tell us about the state of the internet? 

• Domain registration and monitoring of activities is still a weak point in the security of the internet.
• Top-level .com and .net dns providers are in a key place to act against this sort of activity but don’t.
• Despite massive press coverage and industry acknowledgement of hilarykneber@yahoo.com and associated maliciousness,  registrars (and BIZCN in particular) are still allowing ongoing registration by this email address, and not suspending existing “kneber” domains.
• Not surprisingly, ZeuS is still very active.

NetWitness customers that subscribe to NetWitness Live automatically detect these domains due to our partnership with malwaredomainlist.com.

Happy Hunting!

Alex Cox, Principal Research Analyst