1. /
  2. Security Response/
  3. W32.Qakbot

W32.Qakbot

Risk Level 2: Low

Discovered:
May 7, 2009
Updated:
August 10, 2012 3:14:11 PM
Also Known As:
BKDR_QAKBOT.AF [Trend], Win32/Qakbot [Computer Associates], W32/QakBot [Sophos], W32/Akbot [McAfee], Trojan-PSW.Win32.Qbot.mk [Kaspersky]
Type:
Worm
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:
CVE-2007-0015, CVE-2007-4673
W32.Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence.


Infection

W32.Qakbot spreads by exploiting vulnerabilities when a user visits certain Web pages. Exploit code hosted at these remote locations downloads the threat on to the compromised computer. Many of the infections are aided by users unwittingly clicking on malicious links. As more and more threats make use of the Web to spread, the clearer it becomes that Every Click Matters.

The worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker. It also copies itself to removable drives.


Functionality
While W32.Qakbot has multiple capabilities, its ultimate goal is clearly theft of information. Identification theft is big business in the underground world of cybercrime and the more data a threat can steal, the bigger the profit that can be made. W32.Qakbot is capable of gathering a number of different kinds of information, including the following confidential information:
  • Authentication cookies, including Flash cookies
  • DNS, IP, hostname details
  • OS and system information
  • Geographic and browser version information
  • Keystrokes including login information
  • Login details for FTP, IRC, POP3 email, and IMAP email
  • Outlook account information
  • Private keys from system certificates
  • Login credentials for certain websites
  • URLs visited

Cybercrime is big business, and it is real crime. The U.S. Dept. of Treasury reports that cybercrime has surpassed illegal drug trafficking as a criminal money maker, with one in five people becoming a victim. With the profits often in the millions of dollars, it takes very little effort for a cybercriminal to set up an operation, steal identities and begin selling. Just a small glimpse of what is possible -- or, say, an Introduction to the Black Market -- can give the average internet user an idea of the insidious nature of cybercrime.

There is a funny credit card television ad that features barbarians running around using the credit card and the tag-line is "What's in your wallet?" You can almost hear the cybercriminals asking themselves, "What’s on your computer?" If you have a computer, you're at risk, which means that assessing your level of risk is always a good idea.

Once stolen, login details, credentials from particular websites, passwords, financial information and other personally identifiable information can be sold on the black market. Ultimately, that ends in identity theft. The most often used technique, keylogging, attempts to provide as much data as possible; the more details about the user that end up in the hands of the remote attacker, the bigger the Black Market Keylogging profit.


White paper: W32.Qakbot in Detail
Symantec have published a white paper probing deeper into the worm to reveal its inner workings. To find out more about this worm, download a copy of the paper: W32.Qakbot in Detail.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.





PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.




SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures

W32.Qakbot


Antivirus (heuristic/generic)



Browser protection

Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


Intrusion Prevention System


Symantec Endpoint Protection – Application and Device Control
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful in reducing the risk of a threat infecting a computer, the unintentional removal of data, and to restrict the programs that are run on a computer.

This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat on your network, please download the policy by right-clicking the link, choosing your browser's "save as" option, and saving the file as "W32.Qakbot.dat".

To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.

For more information on ADC and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).

Note: The ADC policies developed by Security Response are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.

Antivirus Protection Dates

  • Initial Rapid Release version May 7, 2009 revision 001
  • Latest Rapid Release version June 24, 2014 revision 006
  • Initial Daily Certified version May 7, 2009 revision 003
  • Latest Daily Certified version May 3, 2014 revision 001
  • Initial Weekly Certified release date May 13, 2009
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 1000+
  • Number of Sites: 10+
  • Geographical Distribution: Medium
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: High
  • Payload: Opens a back door on the computer.
    Downloads files on to the computer.
  • Modifies Files: Modifies access permissions to certain files/folders.
  • Releases Confidential Info: Steals information from the computer.

Distribution

  • Distribution Level: Medium
  • Shared Drives: Spreads through network shares.
Writeup By: Angela Thigpen and Eric Chien

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver