The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy.


In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.


This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world.

via The Official Microsoft Blog – Cracking Down on Botnets.

Well done.


Port Austin, Mich. based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller was behaving oddly and would not respond. The company’s computer technician scoured the system with multiple security tools, and found it had been invaded by “ZeuS,” a highly sophisticated banking Trojan that steals passwords and allows criminals to control infected hosts remotely.


“The bank said whoever logged in to make these transfers successfully answered those questions,” he said. “They had some very detailed information. [The thieves] knew our patterns, they knew our passwords, my mother’s middle name, favorite sports team. And this is all information I don’t even have written down anywhere.”

via Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security.


The “Kneber” botnet is made up of 74,126 machines in 196 countries that were infected with a variant of Zeus, Alex Cox, a principal analyst at NetWitness and the botnet's discoverer, told SCMagazineUS.com on Thursday.

The stolen data also includes credentials for corporate accounts and online banking sites, Cox said. The gang of hackers behind the attack, believed to be from Eastern Europe, have likely stolen millions of credentials. Cox discovered the botnet on Jan. 26 during routine analysis of a client's enterprise network.


The botnet was named Kneber, after the email address used to register the command-and-control server linking infected systems worldwide, he said.

via Newly discovered Zeus spinoff botnet has wide impact – SC Magazine US.

Here is the NetWitness research paper.

From the Kneber FAQ:

06. What’s so special about it?

It’s the fact that despite the crimeware’s advanced e-banking session hijacking, the primary objective of their campaign — at least based on the sample analyzed by NetWitness researchers — was to steal social networking credentials.

Moreover, the Kneber botnet is a good example of an ongoing trend aiming to build and maintain beneath-the-radar botnets.


Czech Researchers Say “Chuck Norris” Kicks Bots – botnets Attacks – DarkReading.

Chuck may be inside your network… be aware!



Upstart crimeware wages turf war on mighty Zeus bot • The Register.

The SpyEye toolkit made its debut in December on Russian underground forums with a retail price of $500. It comes with the usual configurable amenities such as a keylogger, credential stealers for credit cards, FTP and POP3 email accounts, and a graphical control panel for managing large botnets.

Here is a deep analysis provided by Symantec.

If anyone knows more (like malware hashes, or something else), please contact us; we are just investigating this new kind of trojan.