1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
1.4 Network port blocking
1.5 Network shares
2. Infection method
2.1 Websites
2.2 Network shares
2.3 Removable drives
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Additional functionality
4. Additional information
1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.
1.1 User behavior and precautions
Users are advised not to open or execute files from unknown sources. It is also advisable to disable the execution of JavaScript in client applications to prevent execution of unwanted scripts.
Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.
1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are distributed by vendors.
This threat is known to be spread by exploiting certain vulnerabilities. Installation of patches for the following vulnerabilities will reduce the risk to your computer.
1.3 Address blocking
Block access to the following addresses using a firewall or router. For the host names, an alternative is to add entries to the local hosts file that resolve them to 127.0.0.1. Note that the two bare IP addresses cannot be blocked through the hosts file (it only overrides name resolution) and must be filtered at the firewall or router:
- 66.219.30.219
- 78.129.207.47
- abc-hobbies.com
- acadubai.org
- adserv.co.in
- alfamex.com
- b.nt002.cn
- b.rtbn2.cn
- b.tn001.cn
- bckp01.in
- boogiewoogiekid.com
- buldrip.com
- cdcdcdcdc212121cdsfdfd.com
- cdcdcdcdc2121cdsfdfd.com
- citypromo.info
- du01.in
- du02.in
- ftp.acmeinformation.com
- ftp.hunterscentral.com
- ftp.periodicopuruvida.com
- gator862.hostgator.com
- googcnt.co.in
- hostrmeter.com
- inetrate.info
- ip-adress.com
- ipaddressworld.com
- laststat.co.in
- nt002.cn
- nt010.cn
- nt101.cn
- nt13.co.in
- nt16.in
- nt17.in
- nt20.in
- nt202.cn
- ppcimg.in
- prstat.in
- redserver.com.ua
- s046.panelboxmanager.com
- saper.in
- spotrate.info
- successful-marketers.com
- swallowthewhistle.com
- up002.cn
- up003.com.ua
- up004.cn
- up01.co.in
- up02.co.in
- up03.in
- whitepix.info
- yimg.com.ua
- zenpayday.com
- zurnretail.com
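The blocking step above, as an added example that is not part of the original writeup: a small Python helper that separates the indicators into host names, which can go into the hosts file, and bare IP addresses, which cannot and have to be filtered at the firewall or router. The embedded list is a subset of the one above (the list under 2.1 is the same set, so the helper serves it too); the netsh syntax is the Windows Vista and later advfirewall form and is an assumption of this example, not something the writeup describes.

```python
import ipaddress

# Subset of the indicators listed in section 1.3 above; extend with the full list.
INDICATORS = [
    "66.219.30.219",
    "78.129.207.47",
    "abc-hobbies.com",
    "b.nt002.cn",
    "ftp.acmeinformation.com",
    "gator862.hostgator.com",
    "nt002.cn",
    "up01.co.in",
]


def classify(indicators):
    """Split indicators into (ip_addresses, host_names).

    A hosts-file entry can only override the resolution of a *name*; a bare
    IP address is never looked up, so it has to be blocked at the firewall
    or router instead.
    """
    ips, names = [], []
    for raw in indicators:
        ind = raw.strip().lower()
        if not ind:
            continue
        try:
            ipaddress.ip_address(ind)
            ips.append(ind)
        except ValueError:
            names.append(ind)
    return ips, names


def hosts_entries(names, sink="127.0.0.1"):
    """One hosts-file line per name. The writeup suggests 127.0.0.1; 0.0.0.0
    is a common alternative that avoids a connection attempt to loopback.
    Each label is matched exactly: an entry for nt002.cn does not cover
    b.nt002.cn, which is why both appear in the list."""
    return [f"{sink} {name}" for name in names]


def firewall_rules(ips):
    """Outbound block rule per IP in netsh advfirewall syntax (assumed form;
    Windows Vista/2008 and later)."""
    return [
        f'netsh advfirewall firewall add rule name="Qakbot {ip}" '
        f"dir=out action=block remoteip={ip}"
        for ip in ips
    ]


if __name__ == "__main__":
    ips, names = classify(INDICATORS)
    print("\n".join(hosts_entries(names)))
    print("\n".join(firewall_rules(ips)))
```

Run it as a script to print the hosts lines and the netsh commands for review before applying them. Two of the listed names, ip-adress.com and ipaddressworld.com, are public "what is my IP" services rather than malware hosts; blocking them is harmless for most users.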
1.4 Network port blocking
Some of the vulnerabilities used to compromise computers have been known to use a TCP port between 16666 and 16669 to spread. Blocking this port range at the network perimeter may help to reduce the risk to your computer.
1.5 Network shares
This threat is also known to spread inside networks by using shares. The following steps can help protect your computer against this threat:
- Users are advised to ensure that all network shares are only opened when they are necessary for use.
- Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and uses a combination of numerals, upper- and lowercase letters and one or more symbols. Common words from everyday language should not be used, as they are easily defeated by a dictionary attack.
- Disable the autorun feature to prevent dropped files from running automatically when a network drive is opened.
- For more information about the autorun feature and how to disable it, please review this blog entry.
2. INFECTION METHOD
This threat spreads primarily through drive-by downloads from purpose-built and compromised websites, and by copying itself to network shares.
2.1 Websites
The following addresses have been known to host or facilitate this threat family:
- 66.219.30.219
- 78.129.207.47
- abc-hobbies.com
- acadubai.org
- adserv.co.in
- alfamex.com
- b.nt002.cn
- b.rtbn2.cn
- b.tn001.cn
- bckp01.in
- boogiewoogiekid.com
- buldrip.com
- cdcdcdcdc212121cdsfdfd.com
- cdcdcdcdc2121cdsfdfd.com
- citypromo.info
- du01.in
- du02.in
- ftp.acmeinformation.com
- ftp.hunterscentral.com
- ftp.periodicopuruvida.com
- gator862.hostgator.com
- googcnt.co.in
- hostrmeter.com
- inetrate.info
- ip-adress.com
- ipaddressworld.com
- laststat.co.in
- nt002.cn
- nt010.cn
- nt101.cn
- nt13.co.in
- nt16.in
- nt17.in
- nt20.in
- nt202.cn
- ppcimg.in
- prstat.in
- redserver.com.ua
- s046.panelboxmanager.com
- saper.in
- spotrate.info
- successful-marketers.com
- swallowthewhistle.com
- up002.cn
- up003.com.ua
- up004.cn
- up01.co.in
- up02.co.in
- up03.in
- whitepix.info
- yimg.com.ua
- zenpayday.com
- zurnretail.com
The following vulnerabilities have been used to spread this threat:
A drive-by-download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded on to the user's computer without his or her consent.
2.2 Network shares
W32.Qakbot may receive a command from the command and control server to begin spreading through network shares.
Before copying any files, the threat enumerates shared folders and checks whether the share name and user name are listed in the following file:
%CurrentFolder%\nbl_[USERNAME].txt
If they are listed in the file, it will skip that network share. If they are not listed, the threat checks if the files %CurrentFolder%\_qbot[RANDOM CHARACTERS] and %CurrentFolder%\q1.dll exist on the remote machine. If not, it downloads them.
It then copies q1.dll to either of the following locations:
- [REMOTE COMPUTER]\C$\windows\q1.dll
- [REMOTE COMPUTER]\ADMIN$\q1.dll
It also copies _qbot[RANDOM CHARACTERS] to either of the following locations:
- [REMOTE COMPUTER]\C$\windows\_qbot[RANDOM CHARACTERS].exe
- [REMOTE COMPUTER]\ADMIN$\_qbot[RANDOM CHARACTERS].exe
After copying the files, it appends the share name and user name to %CurrentFolder%\nbl_[USERNAME].txt on the local machine, so the worm keeps a record of the computers it has already infected. During incident response this file is worth collecting: it lists the shares (and the account used) that an infected host has already targeted.
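A detection for the share-copy behaviour described above, added here as an example and not part of the original writeup. It scans Windows Security event 5145 (detailed file share access) records for writes of q1.dll or _qbot*.exe into a remote computer's ADMIN$ or C$ share and groups hits by source address, which points at the infected machine doing the copying. The records are constructed and rendered as simplified key=value lines (real events are XML; the field names ShareName, RelativeTargetName, IpAddress, SubjectUserName and AccessMask are the event's own, the hexadecimal AccessMask encoding is assumed). Event 5145 exists on Windows 7 / Server 2008 R2 and later and requires the "Audit Detailed File Share" subcategory to be enabled on the file servers and workstations being written to.

```python
import re

# Constructed sample: simplified key=value renderings of Windows Security
# event 5145, logged on the *target* of the copy. Values contain no spaces.
SAMPLE_EVENTS = [
    "EventID=5145 IpAddress=10.0.0.12 SubjectUserName=jsmith "
    "ShareName=\\\\*\\ADMIN$ RelativeTargetName=_qbotA7F3.exe AccessMask=0x2",
    "EventID=5145 IpAddress=10.0.0.12 SubjectUserName=jsmith "
    "ShareName=\\\\*\\C$ RelativeTargetName=windows\\q1.dll AccessMask=0x2",
    "EventID=5145 IpAddress=10.0.0.50 SubjectUserName=backup "
    "ShareName=\\\\*\\C$ RelativeTargetName=Users\\report.docx AccessMask=0x1",
    "EventID=5145 IpAddress=10.0.0.12 SubjectUserName=jsmith "
    "ShareName=\\\\*\\C$ RelativeTargetName=windows\\q1.dll AccessMask=0x80",
    "EventID=5140 IpAddress=10.0.0.12 SubjectUserName=jsmith ShareName=\\\\*\\IPC$",
]

ADMIN_SHARES = {"ADMIN$", "C$"}
# The two file names the worm drops (section 2.2): q1.dll and _qbot<random>.exe
DROPPED_NAME = re.compile(r"(^|\\)(q1\.dll|_qbot[^\\]*\.exe)$", re.IGNORECASE)
# FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4); a read of an existing copy
# (e.g. the worm's own "does it exist yet" check) is not a drop.
WRITE_BITS = 0x2 | 0x4


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def is_qakbot_drop(event):
    """True for a 5145 record that writes a dropped file name into an admin share."""
    if event.get("EventID") != "5145":
        return False
    share = event.get("ShareName", "").rsplit("\\", 1)[-1].upper()
    if share not in ADMIN_SHARES:
        return False
    if not DROPPED_NAME.search(event.get("RelativeTargetName", "")):
        return False
    mask = int(event.get("AccessMask", "0"), 16)
    return bool(mask & WRITE_BITS)


def suspected_sources(lines):
    """Map source IP -> list of dropped file names it wrote to admin shares."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        if is_qakbot_drop(event):
            hits.setdefault(event["IpAddress"], []).append(event["RelativeTargetName"])
    return hits


if __name__ == "__main__":
    for source, files in suspected_sources(SAMPLE_EVENTS).items():
        print(f"{source} wrote {files} to admin shares: likely infected, "
              "check its _qbothome folder and nbl_*.txt")
```

The source address is the host to isolate first: the writes originate from an already infected machine, and its own nbl_[USERNAME].txt will list the other shares it has tried.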
2.3 Removable drives
Qakbot copies itself to removable drives as a random file name and also copies an autorun.inf file to the drive so that it runs every time the drive is inserted into a computer.
3. FUNCTIONALITY
W32.Qakbot makes changes to the system by adding files and a registry entry. It also injects itself into iexplore.exe or explorer.exe, so that its subsequent actions appear to be the work of these legitimate Windows processes. This helps it avoid detection and evade the firewall: both processes are usually on a personal firewall's allowed list, so the threat can send gathered information to the remote attacker through them without raising suspicion.
It steals confidential information and connects to a remote server to check for internet connectivity.
The threat contacts a remote command and control server, opening a back door to receive additional commands. After receiving the command to enumerate network shares, it attempts to copy itself to shared network folders. It also uses its msadvapi32.dll component (listed under 3.1) to hook API functions and hide its files and outbound network connections.
The worm can update itself or download and execute additional files as part of its main functionality or through additional commands received from the remote attacker. These additional files may include configuration files. The configuration files include a list of FTP sites where the text file containing the stolen information is to be uploaded, as well as the user name and password for each FTP site.
3.1 System modifications
The following side effects may be observed on computers compromised by members of this threat family.
Files/folders created
- %System%\sconnect.js
- %Temp%\drwatson.exe
- %Temp%\msvcrt81.dll
- C:\Documents And Settings\All Users\_qbothome\updates.cb
- C:\Documents And Settings\All Users\_qbothome\_installed
- C:\Documents And Settings\All Users\_qbothome\_qbot.dll
- C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe
- C:\Documents And Settings\All Users\_qbothome\_qbotnti.exe
- C:\Documents And Settings\All Users\_qbothome\crontab.cb
- C:\Documents And Settings\All Users\_qbothome\msadvapi32.dll
- C:\Documents And Settings\All Users\_qbothome\nbl_[USERNAME].txt
- C:\Documents And Settings\All Users\_qbothome\q1.dll
- C:\Documents And Settings\All Users\_qbothome\qbot.cb
- C:\Documents And Settings\All Users\_qbothome\uninstall.tmp
- C:\windows\_qbot[RANDOM CHARACTERS].exe
Files/folders deleted
None
Files/folders modified
The worm modifies the discretionary access control list (DACL) of the following folder:
%ProgramFiles%\Common Files\Symantec Shared
Registry subkeys/entries created
The worm creates the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[LEGITIMATE APPLICATION NAME]" = "\"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe\" \"C:\Documents And Settings\All Users\_qbothome\_qbot.dll\" /c [PATH TO LEGITIMATE APPLICATION]"
Note: [LEGITIMATE APPLICATION NAME] is a legitimate program that already exists on the computer and is chosen randomly by the threat.
Registry subkeys/entries deleted
None
Registry subkeys/entries modified
None
Processes
- explorer.exe (Injects into process)
- iexplore.exe (Injects into process)
3.2 Network activity
The threat may perform the following network activities:
Downloading
This threat has the capability to download additional files. It may also download updates to itself. Upon successful download of a file named sconnect.js, W32.Qakbot adds a scheduled task, stored as %Windir%\Tasks\[RANDOM NAME].job, that executes sconnect.js. The task is visible in the Scheduled Tasks window and appears to be set to run every four days; in practice the task renews itself every five hours.
The worm may also download command and configuration files as well as additional executables. The configuration files may contain the status of the threat such as install time, run class (e.g. user, admin, FTP sites) and several other pieces of information.
Uploading
This threat may upload system and confidential information collected from the compromised computer to the command and control server. It also regularly gathers and sends out the geographical location and browser information of the compromised computer to a predetermined remote location.
Other network activity
The threat may open a back door by connecting to the command and control server through FTP or IRC, the locations of which are frequently changed when the worm downloads new configuration files.
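A host-side check for the artifacts listed in 3.1 and the sconnect.js task described in 3.2, added here as an example and not the writeup's own tooling. It takes the Run key values, a file listing and a scheduled-task table as plain Python data, all constructed for the example, and flags the injector pattern (_qbotinj.exe loading _qbot.dll and relaunching the real program after /c), the dropped file names, and any task that runs sconnect.js. The value name "LegitApp" and the path after /c stand in for the legitimate program the worm borrows, and the interpreter the task uses for sconnect.js (cscript.exe in the sample) is an assumption. On Vista and later the "All Users" profile folder is C:\ProgramData, so the check matches on the _qbothome folder name rather than the full XP path.

```python
import re
import shlex

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed Run-key contents: one entry shaped like the one in section 3.1
# (value name borrowed from a legitimate program) and one genuine entry.
SAMPLE_RUN_VALUES = {
    "LegitApp": (
        r'"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe" '
        r'"C:\Documents And Settings\All Users\_qbothome\_qbot.dll" '
        r'/c "C:\Program Files\LegitApp\legitapp.exe"'
    ),
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Constructed directory listing.
SAMPLE_FILES = [
    r"C:\Documents And Settings\All Users\_qbothome\_qbot.dll",
    r"C:\windows\_qbotA7F3.exe",
    r"C:\WINDOWS\system32\sconnect.js",
    r"C:\WINDOWS\system32\kernel32.dll",
]

# Constructed scheduled tasks: name -> command the .job file runs
# (the interpreter used for sconnect.js is an assumption).
SAMPLE_TASKS = {
    "At1": r"C:\WINDOWS\system32\cscript.exe C:\WINDOWS\system32\sconnect.js",
    "Backup": r"C:\Tools\backup.exe /daily",
}

# Names from the "Files/folders created" list in 3.1; only the folder and
# file names are matched so the check also works on C:\ProgramData (Vista+).
DROPPED = re.compile(
    r"\\_qbothome\\|\\_qbot[^\\]*\.exe$|\\sconnect\.js$|\\drwatson\.exe$|\\msvcrt81\.dll$",
    re.IGNORECASE,
)


def split_command(cmd):
    """Tokenise a Windows command line. posix=False keeps backslashes intact
    and quoted paths containing spaces together; quotes are stripped after."""
    return [tok.strip('"') for tok in shlex.split(cmd, posix=False)]


def suspicious_run_values(run_values):
    """Return (value name, launcher path) for entries whose launcher is one of
    the dropped files, or that have the injector shape
    <launcher> <dll> /c <real program> even if the folder was renamed."""
    findings = []
    for name, data in run_values.items():
        tokens = split_command(data)
        if not tokens:
            continue
        launcher = tokens[0]
        relaunch_shape = (
            len(tokens) >= 4
            and tokens[1].lower().endswith(".dll")
            and tokens[2].lower() == "/c"
        )
        if DROPPED.search(launcher) or relaunch_shape:
            findings.append((name, launcher))
    return findings


def suspicious_files(paths):
    return [p for p in paths if DROPPED.search(p)]


def suspicious_tasks(tasks):
    return [name for name, cmd in tasks.items() if "sconnect.js" in cmd.lower()]


if __name__ == "__main__":
    for name, launcher in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"{RUN_KEY}\\{name} -> {launcher}")
    for path in suspicious_files(SAMPLE_FILES):
        print("dropped file:", path)
    for task in suspicious_tasks(SAMPLE_TASKS):
        print("task running sconnect.js:", task)
```

Because the worm hides its files and connections through API hooks once it is running (section 3), a listing taken from the live system may be incomplete; take the file listing and registry export from an offline or clean-booted image where possible.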
3.3 Additional functionality
The file _qbot.dll is responsible for collecting certain information and uploading that stolen data to FTP servers. It can gather the following confidential information from the compromised computer:
- Authentication cookies including Flash cookies
- DNS details, IP address, hostname
- General Operating System information
- Geographic and browser version information
- Keystrokes, including login information
- Login details for FTP, IRC, POP3 email, and IMAP email
- Outlook account information
- Private keys from system certificates
- Login credentials for certain websites
- URLs visited
The threat uses several techniques to collect private keys from the certificates stored on the compromised computer. First, it replaces all certificate-related dialog boxes so that the OK button is pressed automatically as soon as the dialog is created; the user never sees it. It also suppresses all message boxes. Second, it hooks password-entry windows to capture any characters typed. Third, it patches the CPExportKey function of the cryptographic service provider to bypass its security checks (a key must otherwise be marked exportable), then enumerates and exports the private keys.
The worm steals not only regular browser session cookies but also Flash cookies (Local Shared Objects). Users should be aware that, unlike browser cookies, Flash cookies are not controlled by the browser's cookie privacy settings: clearing the browser's cookies does not remove them. They have to be removed through the Flash Player settings or by deleting the Local Shared Object files on disk.
The URLs visited by the user are logged and sent to the remote attacker. Often, this information contains details of the Internet habits of the user and is used to create targeted advertisements, which form another revenue stream for the cybercriminal. The specialized data can also be sold to companies who fund genuine advertising.
The worm also checks the following URLs related to Internet banking websites and attempts to steal bank account information:
- cashproonline.bankofamerica.com
- singlepoint.usbank.com
- netconnect.bokf.com
- business-eb.ibanking-services.com
- cashplus
- ebanking-services.com
- cashman
- web-cashplus.com
- treas-mgt.frostbank.com
- treasury.pncbank.com
- access.jpmorgan.com
- ktt.key.com
- onlineserv/CM
- premierview.membersunited.org
- directline4biz.com
- onb.webcashmgmt.com
- tmconnectweb
- moneymanagergps.com
- ibc.klikbca.com
- directpay.wellsfargo.com
- express.53.com
- itreasury.regions.com
- itreasurypr.regions.com
- cpw-achweb.bankofamerica.com
- businessaccess.citibank.citigroup.com
- businessonline.huntington.com
- cmserver
It also checks visited URLs for the following security-related strings. The check is a plain substring match, so it affects any address containing one of them (for example "avg" or "rising"), and the worm may block access to matching sites. Because "windowsupdate" is on the list, the compromised computer may also be unable to reach Windows Update, so the patching advice in section 1.2 may only be applicable after the threat has been removed:
- webroot
- agnitum
- ahnlab
- arcabit
- avast
- avg
- avira
- avp
- bitdefender
- bit9
- castlecops
- centralcommand
- clamav
- comodo
- computerassociates
- cpsecure
- defender
- drweb
- emsisoft
- esafe
- .eset
- etrust
- ewido
- fortinet
- f-prot
- f-secure
- gdata
- grisoft
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- malware
- mcafee
- networkassociates
- nod32
- norman
- norton
- panda
- pctools
- prevx
- quickheal
- rising
- rootkit
- securecomputing
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- threatexpert
- trendmicro
- virus
- wilderssecurity
- windowsupdate
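How the two lists above are applied, as an added example that is not code from the writeup or from the malware: the worm's checks are plain substring matches against the visited URL, which is why the lists can contain fragments such as "cashman", "cmserver", "onlineserv/CM" or "avg". The function below runs constructed sample URLs (fictitious hosts under .example plus two genuine targets) against subsets of both lists and shows the collateral matches that bare substrings produce. Case-insensitive matching is an assumption.

```python
# Subsets of the two lists in section 3.3; extend with the full lists.
BANK_STRINGS = [
    "cashproonline.bankofamerica.com",
    "singlepoint.usbank.com",
    "directpay.wellsfargo.com",
    "onlineserv/CM",
    "cashplus",
    "cashman",
    "cmserver",
]
SECURITY_STRINGS = [
    "avg",
    "avira",
    "defender",
    "malware",
    "rising",
    "symantec",
    "virus",
    "windowsupdate",
]

# Constructed sample traffic.
SAMPLE_URLS = [
    "https://cashproonline.bankofamerica.com/login",
    "https://www.symantec.com/security_response/",
    "http://update.example/windowsupdate/catalog",
    "http://www.risingsun-restaurant.example/menu",
    "https://www.cashmanagement-tips.example/budget",
    "http://intranet.example/onlineserv/CM/report",
    "https://www.example/",
]


def matches(url, needles):
    """Substring check in the style the writeup describes: any needle that
    occurs anywhere in the URL counts, regardless of host/path boundaries."""
    lowered = url.lower()
    return [n for n in needles if n.lower() in lowered]


def classify_url(url):
    """Which list(s) a URL trips: 'bank' (credentials harvested) and/or
    'blocked' (access may be refused)."""
    return {
        "bank": matches(url, BANK_STRINGS),
        "blocked": matches(url, SECURITY_STRINGS),
    }


def scan(urls):
    """Return (url, bank hits, blocked hits) for every URL that trips a list."""
    rows = []
    for url in urls:
        hit = classify_url(url)
        if hit["bank"] or hit["blocked"]:
            rows.append((url, hit["bank"], hit["blocked"]))
    return rows


if __name__ == "__main__":
    for url, bank, blocked in scan(SAMPLE_URLS):
        print(f"{url}\n  bank={bank} blocked={blocked}")
```

The restaurant site is blocked because its name contains "rising", and a budgeting site is treated as a banking target because "cashmanagement" contains "cashman"; the same matching is what keeps an infected machine away from vendor sites and Windows Update, so removal tools and patches generally have to be fetched from a clean computer.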
4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":