Qakbot, Qbot

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVER ALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
Low
Medium
High
Critical

  • Threat Type:
    Worm

  • Destructiveness:
    No

  • Encrypted:
     

  • In the wild:
    Yes

  OVERVIEW

INFECTION CHANNEL: Propagates via removable drives, Propagates via software vulnerabilities, Downloaded from the Internet

QAKBOT malware are worms,Trojans, and backdoors that are known to spread through network shares, software vulnerabilities, or removable drives. Some of its variants may be downloaded from malicious sites serving malware. QAKBOT was first spotted in 2007.

Its main function is to steal information. The information it steals are primarily related to finance-based institutions. It also steals system information, user names and passwords saved in cookies and browsers, and credentials used in instant messaging applications. Its information theft routine is done via monitoring browsing activities and monitoring of files related to browsers and instant messaging programs.

Apart from its information theft routines, some QAKBOT variants may connect to particular Internet Relay Chat (IRC) servers to receive and perform commands on affected computers. When running on a system, some QAKBOT malware are capable of blocking access to antivirus-related sites. It may also hide its components as part of its rootkit capabilities.

  TECHNICAL DETAILS

Memory resident: Yes
PAYLOAD: Connects to URLs/IPs, Compromises system security, Steals information

Installation

This worm drops the following files:

  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.dll
  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name1}.dll
  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name2}.dll
  • %System Root%\Documents and Settings\All Users\Microsoft\{random folder name}\{random file name}.dll
  • %System Root%\Documents and Settings\All Users\Microsoft\{random folder name}\{random file name1}.dll

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe
  • %System Root%\Documents and Settings\All Users\Microsoft\{random folder name}\{random file name}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}
  • %System Root%\Documents and Settings\All Users\Microsoft\{random folder name}
  • %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\u

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%System Root%\Documents and Settings\All Users\Microsoft\{random characters}\{random characters}.exe"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{legitimate application} = ""%System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe" /c {path and file name of legitimate application}"

(Note: The default value data of the said registry entry is {path and file name of legitimate application}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{legitimate application} = ""%System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe" /c {path and file name of legitimate application}"

(Note: The default value data of the said registry entry is {path and file name of legitimate application}.)

Other Details

This worm connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.134.75
  • {BLOCKED}v.co.in
  • {BLOCKED}1.in
  • {BLOCKED}omo.info
  • {BLOCKED}1.in
  • {BLOCKED}2.in
  • ftp.{BLOCKED}formation.com
  • ftp.{BLOCKED}central.com
  • {BLOCKED}ver.com.ua
  • s046.{BLOCKED}xmanager.com
  • {BLOCKED}te.info
  • {BLOCKED}3.com.ua