
W32.Qakbot

Risk Level 2: Low

Discovered:
May 7, 2009
Updated:
August 10, 2012 3:14:11 PM
Also Known As:
BKDR_QAKBOT.AF [Trend], Win32/Qakbot [Computer Associates], W32/QakBot [Sophos], W32/Akbot [McAfee], Trojan-PSW.Win32.Qbot.mk [Kaspersky]
Type:
Worm
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:
CVE-2007-0015, CVE-2007-4673
Contents
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
1.4 Network port blocking
1.5 Network shares
2. Infection method
2.1 Websites
2.2 Network shares
2.3 Removable drives
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Additional functionality
4. Additional information

1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Users are advised not to open or execute files from unknown sources. It is also advisable to disable the execution of JavaScript in client applications to prevent execution of unwanted scripts.

Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are distributed by vendors.

This threat is known to spread by exploiting certain vulnerabilities. Installing the patches for the vulnerabilities listed under CVE References above (CVE-2007-0015 and CVE-2007-4673) will reduce the risk to your computer.

1.3 Address blocking
Block access to the following addresses using a firewall or router, or add entries to the local hosts files to redirect the following addresses to 127.0.0.1:
  • 66.219.30.219
  • 78.129.207.47
  • abc-hobbies.com
  • acadubai.org
  • adserv.co.in
  • alfamex.com
  • b.nt002.cn
  • b.rtbn2.cn
  • b.tn001.cn
  • bckp01.in
  • boogiewoogiekid.com
  • buldrip.com
  • cdcdcdcdc212121cdsfdfd.com
  • cdcdcdcdc2121cdsfdfd.com
  • citypromo.info
  • du01.in
  • du02.in
  • ftp.acmeinformation.com
  • ftp.hunterscentral.com
  • ftp.periodicopuruvida.com
  • gator862.hostgator.com
  • googcnt.co.in
  • hostrmeter.com
  • inetrate.info
  • ip-adress.com
  • ipaddressworld.com
  • laststat.co.in
  • nt002.cn
  • nt010.cn
  • nt101.cn
  • nt13.co.in
  • nt16.in
  • nt17.in
  • nt20.in
  • nt202.cn
  • ppcimg.in
  • prstat.in
  • redserver.com.ua
  • s046.panelboxmanager.com
  • saper.in
  • spotrate.info
  • successful-marketers.com
  • swallowthewhistle.com
  • up002.cn
  • up003.com.ua
  • up004.cn
  • up01.co.in
  • up02.co.in
  • up03.in
  • whitepix.info
  • yimg.com.ua
  • zenpayday.com
  • zurnretail.com

1.4 Network port blocking
Some of the vulnerabilities used to compromise computers have been known to use a TCP port between 16666 and 16669 to spread. Blocking this port range at the network perimeter may help to reduce the risk to your computer.
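The following Python script is an added example for defenders and is not part of the Symantec writeup. It applies the address list from section 1.3 and the TCP port range from section 1.4 to proxy and flow log lines, matching indicator domains and their subdomains as well as the two IP addresses. The two log formats, the sample lines and the subset of indicators embedded in the script are constructed for the example; the full address list from section 1.3 can be pasted into QAKBOT_DOMAINS unchanged.

```python
"""Flag proxy and flow log lines that match the W32.Qakbot network
indicators from sections 1.3 (addresses) and 1.4 (TCP 16666-16669).

Added example, not Symantec's code.  The log formats below are
constructed for this example and are not any vendor's real format.
"""
import ipaddress
import re

# Subset of the blocked hosts from section 1.3; a domain matches itself
# and any subdomain (e.g. www.abc-hobbies.com).
QAKBOT_DOMAINS = {
    "abc-hobbies.com", "nt002.cn", "b.nt002.cn", "up01.co.in",
    "gator862.hostgator.com", "zurnretail.com", "yimg.com.ua",
}
QAKBOT_IPS = {ipaddress.ip_address(a) for a in ("66.219.30.219", "78.129.207.47")}

# Section 1.4: the spreading exploits use a TCP port between 16666 and 16669.
QAKBOT_PORT_RANGE = range(16666, 16670)

# Constructed formats (assumptions):
#   proxy: "<timestamp> <src_ip> <method> <url>"
#   flow:  "<timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)


def domain_matches(host):
    """True if host equals an indicator domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in QAKBOT_DOMAINS for i in range(len(labels)))


def ip_matches(addr):
    """True if addr parses as an IP address that is on the indicator list."""
    try:
        return ipaddress.ip_address(addr) in QAKBOT_IPS
    except ValueError:
        return False


def scan_line(line):
    """Return (reason, indicator) when the line matches, otherwise None."""
    m = FLOW_RE.match(line)
    if m:
        dst_ip, dport, proto = m.group(4), int(m.group(5)), m.group(6).upper()
        if ip_matches(dst_ip):
            return ("c2-ip", dst_ip)
        if proto == "TCP" and dport in QAKBOT_PORT_RANGE:
            return ("spread-port", str(dport))
        return None
    m = PROXY_RE.match(line)
    if m:
        url = m.group(4)
        h = HOST_RE.match(url)
        host = h.group(1) if h else url
        if ip_matches(host):
            return ("c2-ip", host)
        if domain_matches(host):
            return ("c2-domain", host)
    return None


def scan_lines(lines):
    """Return [(line, (reason, indicator))] for every matching line."""
    return [(ln, hit) for ln in lines if (hit := scan_line(ln))]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2012-08-10T10:00:00Z 10.0.0.5 GET http://www.example.com/index.html",
    "2012-08-10T10:00:01Z 10.0.0.5 GET http://b.nt002.cn/x",
    "2012-08-10T10:00:02Z 10.0.0.7 POST http://66.219.30.219/x",
    "2012-08-10T10:00:03Z 10.0.0.7:51234 -> 10.0.0.9:16668 TCP",
    "2012-08-10T10:00:04Z 10.0.0.7:51235 -> 10.0.0.9:445 TCP",
    "2012-08-10T10:00:05Z 10.0.0.8 GET https://shop.zurnretail.com/",
]

if __name__ == "__main__":
    for line, (reason, indicator) in scan_lines(SAMPLE_LOG):
        print(f"{reason:12} {indicator:20} {line}")
```

Matching on the registered domain rather than the exact string is deliberate: a hosts-file or firewall block on nt002.cn does nothing for b.nt002.cn, so the detection side should treat every label boundary as a match point. A hit on the spread-port rule only says that a host talked to TCP 16666-16669; it is worth a look at the source host rather than a block on its own.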


1.5 Network shares
This threat is also known to spread inside networks by using shares. The following steps can help protect your computer against this threat:

  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and combines numeric, capital and lowercase characters with one or more symbols. Common words from everyday language should not be used, as they are easily defeated by a dictionary attack.
  • Disable the autorun feature to prevent dropped files from running automatically when a network drive is opened.
  • For more information about the autorun feature and how to disable it, please review this blog entry.



2. INFECTION METHOD
This threat primarily spreads through drive-by downloads from purpose-built and compromised websites, as well as by copying itself to network shares.


2.1 Websites
The following addresses have been known to host or facilitate this threat family:
  • 66.219.30.219
  • 78.129.207.47
  • abc-hobbies.com
  • acadubai.org
  • adserv.co.in
  • alfamex.com
  • b.nt002.cn
  • b.rtbn2.cn
  • b.tn001.cn
  • bckp01.in
  • boogiewoogiekid.com
  • buldrip.com
  • cdcdcdcdc212121cdsfdfd.com
  • cdcdcdcdc2121cdsfdfd.com
  • citypromo.info
  • du01.in
  • du02.in
  • ftp.acmeinformation.com
  • ftp.hunterscentral.com
  • ftp.periodicopuruvida.com
  • gator862.hostgator.com
  • googcnt.co.in
  • hostrmeter.com
  • inetrate.info
  • ip-adress.com
  • ipaddressworld.com
  • laststat.co.in
  • nt002.cn
  • nt010.cn
  • nt101.cn
  • nt13.co.in
  • nt16.in
  • nt17.in
  • nt20.in
  • nt202.cn
  • ppcimg.in
  • prstat.in
  • redserver.com.ua
  • s046.panelboxmanager.com
  • saper.in
  • spotrate.info
  • successful-marketers.com
  • swallowthewhistle.com
  • up002.cn
  • up003.com.ua
  • up004.cn
  • up01.co.in
  • up02.co.in
  • up03.in
  • whitepix.info
  • yimg.com.ua
  • zenpayday.com
  • zurnretail.com

The vulnerabilities listed under CVE References above (CVE-2007-0015 and CVE-2007-4673) have been used to spread this threat.

A drive-by download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded onto the user's computer without his or her consent.


2.2 Network shares
W32.Qakbot may receive a command from the command and control server to begin spreading through network shares.

Before copying any files, the threat enumerates shared folders and checks whether the share name and user name are listed in the following file:
%CurrentFolder%\nbl_[USERNAME].txt

If they are listed in the file, it will skip that network share. If they are not listed, the threat checks if the files %CurrentFolder%\_qbot[RANDOM CHARACTERS] and %CurrentFolder%\q1.dll exist on the remote machine. If not, it downloads them.

It then copies q1.dll to either of the following locations:
  • [REMOTE COMPUTER]\C$\windows\q1.dll
  • [REMOTE COMPUTER]\ADMIN$\q1.dll

It also copies _qbot[RANDOM CHARACTERS] to either of the following locations:
  • [REMOTE COMPUTER]\C$\windows\_qbot[RANDOM CHARACTERS].exe
  • [REMOTE COMPUTER]\ADMIN$\_qbot[RANDOM CHARACTERS].exe

After copying the files, it writes the share name and user name to the file %CurrentFolder%\nbl_[USERNAME].txt on the local machine. This allows the worm to maintain a record of computers that have been infected.


2.3 Removable drives
Qakbot copies itself to removable drives as a random file name and also copies an autorun.inf file to the drive so that it runs every time the drive is inserted into a computer.


3. FUNCTIONALITY

W32.Qakbot makes changes to the system by adding files and a registry entry. It also injects itself into iexplore.exe or explorer.exe so that all subsequent actions undertaken by the threat appear to be the work of these legitimate Windows processes, which helps it avoid detection and evade the firewall. Since both processes are on the firewall's allowed list, the threat can use them to send any gathered information to the remote attacker without raising suspicion.

It steals confidential information and connects to a remote server to check for Internet connectivity.

The threat contacts a remote command and control server, opening a back door, to receive additional commands. It attempts to copy itself to shared network folders after it has received the command to enumerate network shares. It also hooks msadvapi.dll to hide files and outbound network connections.

The worm can update itself or download and execute additional files as part of its main functionality or through additional commands received from the remote attacker. These additional files may include configuration files. The configuration files include a list of FTP sites where the text file containing the stolen information is to be uploaded, as well as the user name and password for each FTP site.




3.1 System modifications
The following side effects may be observed on computers compromised by members of this threat family.

Files/folders created
  • %System%\sconnect.js
  • %Temp%\drwatson.exe
  • %Temp%\msvcrt81.dll
  • C:\Documents And Settings\All Users\_qbothome\updates.cb
  • C:\Documents And Settings\All Users\_qbothome\_installed
  • C:\Documents And Settings\All Users\_qbothome\_qbot.dll
  • C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe
  • C:\Documents And Settings\All Users\_qbothome\_qbotnti.exe
  • C:\Documents And Settings\All Users\_qbothome\crontab.cb
  • C:\Documents And Settings\All Users\_qbothome\msadvapi32.dll
  • C:\Documents And Settings\All Users\_qbothome\nbl_[USERNAME].txt
  • C:\Documents And Settings\All Users\_qbothome\q1.dll
  • C:\Documents And Settings\All Users\_qbothome\qbot.cb
  • C:\Documents And Settings\All Users\_qbothome\uninstall.tmp
  • C:\windows\_qbot[RANDOM CHARACTERS].exe

Files/folders deleted
None

Files/folders modified
The worm modifies the discretionary access control list (DACL) of the following folder:
%ProgramFiles%\Common Files\Symantec Shared

Registry subkeys/entries created
The worm creates the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[LEGITIMATE APPLICATION NAME]" = "\"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe\" \"C:\Documents And Settings\All Users\_qbothome\_qbot.dll\" /c [PATH TO LEGITIMATE APPLICATION]"

Note: [LEGITIMATE APPLICATION NAME] is a legitimate program that already exists on the computer and is chosen randomly by the threat.

Registry subkeys/entries deleted
None

Registry subkeys/entries modified

None

Processes
  • explorer.exe (Injects into process)
  • iexplore.exe (Injects into process)


3.2 Network activity

The threat may perform the following network activities:

Downloading
This threat has the capability to download additional files, including updates to itself. Upon successful download of a file named sconnect.js, W32.Qakbot adds a scheduled task to the compromised computer that executes sconnect.js as %Windir%\Tasks\[RANDOM NAME].job. The task is visible in the Scheduled Tasks window and is set to run every four days, although it actually renews itself every five hours.

The worm may also download command and configuration files as well as additional executables. The configuration files may contain the status of the threat such as install time, run class (e.g. user, admin, FTP sites) and several other pieces of information.
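The following Python script is an added example for incident responders and is not Symantec's code. It classifies host inventory records against the artifacts described in section 2.2 (the nbl_[USERNAME].txt share record and the q1.dll copy on C$ and ADMIN$), section 3.1 (the _qbothome files, the random-named dropper in C:\windows, the drops in %Temp% and %System%, and the Run registry entry whose value name is a random legitimate application) and section 3.2 (the scheduled task that executes sconnect.js). The record format, the sample records, the assumption that %System% is C:\Windows\System32 and %Temp% contains a "\Temp\" path element, and the wscript.exe command in the task sample are all constructed for the example and are not stated on the page.

```python
r"""Classify host inventory records against the W32.Qakbot artifacts
from sections 2.2, 3.1 and 3.2 of the writeup.

Added example, not Symantec's code.  Records are tuples constructed for
the example: ("file", path), ("run", value_name, data) or
("task", job_path, command).  A real collector would produce them from
a directory walk, an export of the Run key and the Tasks folder.
Assumptions not stated on the page: %System% is C:\Windows\System32 and
%Temp% contains a "\Temp\" path element.
"""
import re

# Section 3.1: anything under the _qbothome folder, the random-named
# dropper in C:\windows (also seen via C$ and ADMIN$ in section 2.2),
# and the drops in %Temp% and %System%.
QBOTHOME_RE = re.compile(r"\\_qbothome\\", re.I)
DROPPER_RE = re.compile(r"\\(?:windows|admin\$)\\_qbot\s?[^\\]*\.exe$", re.I)
TEMP_DROP_RE = re.compile(r"\\temp\\(?:drwatson\.exe|msvcrt81\.dll)$", re.I)
SYSTEM_DROP_RE = re.compile(r"\\system32\\sconnect\.js$", re.I)

# Section 2.2: the share record file and the DLL copied to C$ / ADMIN$.
NBL_RE = re.compile(r"\\nbl_[^\\]+\.txt$", re.I)
Q1_RE = re.compile(r"\\q1\.dll$", re.I)

# Section 3.1: the Run value name is a random legitimate application name,
# so match the value data:  "<...>\_qbotinj.exe" "<...>\_qbot.dll" /c <path>
RUN_VALUE_RE = re.compile(
    r'^"?[^"]*\\_qbotinj\.exe"?\s+"?[^"]*\\_qbot\.dll"?\s+/c\s+', re.I)

# Section 3.2: the scheduled task (random .job name) executes sconnect.js.
TASK_RE = re.compile(r"sconnect\.js", re.I)

FILE_CHECKS = [
    ("qbothome-file", QBOTHOME_RE),
    ("dropper-exe", DROPPER_RE),
    ("temp-drop", TEMP_DROP_RE),
    ("system-drop", SYSTEM_DROP_RE),
    ("share-record", NBL_RE),
    ("copied-q1dll", Q1_RE),
]


def classify(record):
    """Return a short reason when the record matches a Qakbot artifact, else None."""
    kind = record[0]
    if kind == "file":
        for reason, pattern in FILE_CHECKS:
            if pattern.search(record[1]):
                return reason
    elif kind == "run" and RUN_VALUE_RE.search(record[2]):
        return "qbotinj-run-entry"
    elif kind == "task" and TASK_RE.search(record[2]):
        return "sconnect-task"
    return None


def scan(records):
    """Return [(record, reason)] for every record that matches."""
    return [(r, reason) for r in records if (reason := classify(r))]


# Constructed sample records (not from a real host).
SAMPLE_RECORDS = [
    ("file", r"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe"),
    ("file", r"C:\Windows\System32\drivers\etc\hosts"),
    ("file", r"\\FILESRV\C$\windows\_qbotab12.exe"),
    ("run", "Adobe Reader",
     r'"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe" '
     r'"C:\Documents And Settings\All Users\_qbothome\_qbot.dll" '
     r"/c C:\Program Files\Adobe\Reader.exe"),
    ("run", "ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("task", r"C:\WINDOWS\Tasks\a1b2.job",
     r"wscript.exe C:\WINDOWS\system32\sconnect.js"),
]

if __name__ == "__main__":
    for record, reason in scan(SAMPLE_RECORDS):
        print(f"{reason:18} {record}")
```

The Run entry check matches the value data rather than the value name because, as section 3.1 notes, the name is borrowed from an application already on the computer; the loader/DLL pair followed by "/c" and the real application's path is the stable part. The q1.dll and _qbot*.exe checks are worth running against the C$ and ADMIN$ shares of other hosts as well, since section 2.2 describes those as the copy targets.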

Uploading
This threat may upload system and confidential information collected from the compromised computer to the command and control server. It also regularly gathers and sends out the geographical location and browser information of the compromised computer to a predetermined remote location.



Other network activity
The threat may open a back door by connecting to the command and control server through FTP or IRC, the locations of which are frequently changed when the worm downloads new configuration files.




3.3 Additional functionality
The file _qbot.dll is responsible for collecting certain information and uploading that stolen data to FTP servers. It can gather the following confidential information from the compromised computer:
  • Authentication cookies including Flash cookies
  • DNS details, IP address, hostname
  • General Operating System information
  • Geographic and browser version information
  • Keystrokes, including login information
  • Login details for FTP, IRC, POP3 email, and IMAP email
  • Outlook account information
  • Private keys from system certificates
  • Login credentials for certain websites
  • URLs visited

The threat uses several techniques to collect private keys from the system certificates contained on the compromised computer. First, it replaces all certificate-related dialog boxes so that the OK button is automatically pushed as soon as the dialog is created. As a result, the user will never see the OK button. It also prevents all message boxes from being displayed. Second, it hooks password input windows in order to steal any characters entered. Third, it patches the CPExportKey API to bypass security checks, and enumerates the private keys.

The worm attempts to steal not only regular browser session cookies, but also Flash cookies. Users should be aware that, unlike traditional browser cookies, Flash cookies are not controlled through the cookie privacy controls in the Web browser. This means they cannot be cleared or deleted in the simple manner that normal tracking cookies are removed.

The URLs visited by the user are logged and sent to the remote attacker. Often, this information contains details of the Internet habits of the user and is used to create targeted advertisements, which form another revenue stream for the cybercriminal. The specialized data can also be sold to companies who fund genuine advertising.

The worm also checks visited URLs for the following strings, which relate to Internet banking websites, and attempts to steal bank account information:
  • cashproonline.bankofamerica.com
  • singlepoint.usbank.com
  • netconnect.bokf.com
  • business-eb.ibanking-services.com
  • cashproonline.bankofamerica.com
  • cashplus
  • ebanking-services.com
  • cashman
  • web-cashplus.com
  • treas-mgt.frostbank.com
  • business-eb.ibanking-services.com
  • treasury.pncbank.com
  • access.jpmorgan.com
  • ktt.key.com
  • onlineserv/CM
  • premierview.membersunited.org
  • directline4biz.com
  • onb.webcashmgmt.com
  • tmconnectweb
  • moneymanagergps.com
  • ibc.klikbca.com
  • directpay.wellsfargo.com
  • express.53.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • cpw-achweb.bankofamerica.com
  • businessaccess.citibank.citigroup.com
  • businessonline.huntington.com
  • cmserver

It checks for URLs containing the following strings that are security-related and may block access to the websites:
  • webroot
  • agnitum
  • ahnlab
  • arcabit
  • avast
  • avg
  • avira
  • avp
  • bitdefender
  • bit9
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • .eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • wilderssecurity
  • windowsupdate


4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Angela Thigpen and Eric Chien