Our IPS identified and blocked DNS lookups from Qakbot. However there is no other evidence that it was able to latch onto any system.
These articles do an excellent job providing information on how the trojan behaves and how to remove it. Using the information from this, we have been unable to find evidence of an installation.
https://www-secure.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i
http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii
The articles do note that Qakbot has an uninstall function. Since the initial DNS queries to find the C&C systems failed, I wonder if the bot uninstalled itself.
We believe the DNS lookups came from a Citrix server, so with the user restrictions, the bot should not have been able to even install.
Does anyone have information on what Qakbot does if it can't find the C&C systems?
Thanks!