Endpoint Protection

  • 1.  Qakbot behavior if initial DNS lookups fail??

    Posted May 14, 2010 02:51 PM
    Our IPS identified and blocked DNS lookups from Qakbot. However there is no other evidence that it was able to latch onto any system.

    These articles do an excellent job providing information on how the trojan behaves and how to remove it. Using the information from this, we have been unable to find evidence of an installation.
    https://www-secure.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i
    http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii

    The articles do note that Qakbot has an uninstall function. Since the initial DNS queries to find the C&C systems failed, I wonder if the bot uninstalled itself.

    We believe the DNS lookups came from a Citrix server, so with the user restrictions, the bot should not have been able to even install.

    Does anyone have information on what Qakbot does if it can't find the C&C systems?

    Thanks!


  • 2.  RE: Qakbot behavior if initial DNS lookups fail??

    Posted Dec 20, 2010 09:28 AM

    Did the SEP IPS catch it? If so, no further action is needed since it was blocked.

    Typically, when malware can't find its C&C, it will either lie dormant or use the instructions it already has to perform its malicious activity.



  • 3.  RE: Qakbot behavior if initial DNS lookups fail??

    Posted Dec 20, 2010 10:53 AM

    Please have a look at this article on Qakbot details:

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99

    Did it happen once only? Do you have in your security logs any other sign of this threat?

    If you can confirm the machine the request came from, you could follow these steps:

    1. Isolate the machine from your production network.
    2. Please download Rapid Releases definitions (http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr), install them and launch full scan.
    3. If it does not help, use Symantec Endpoint Recovery Tool (LiveCD) following the instructions on:
    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions
    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US
    4. Use Symantec Endpoint Protection Support Tool with Power Eraser (eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect) following the article:
    Support Tool with Power Eraser Tool included
    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US
    5. Check the loadpoints on your machine:
    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files
    http://www.symantec.com/business/support/index?page=content&id=TECH141402
    6. If you manage to identify infected files and they are not detected by SEP, please submit the files using this link:
    http://www.symantec.com/business/security_response/submitsamples.jsp
    They will be verified and new definitions will be created.
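    Before following the steps above you need to know which machine the blocked lookups came from and whether they happened once or keep recurring. The following is an added example (not from this thread or from Symantec) that summarises blocked C&C DNS events per source host; the log line format and the sample lines are constructed assumptions, not real SEP IPS output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample IPS log lines (assumed format, not real SEP IPS output).
SAMPLE_LOG = """\
2010-05-14 09:12:01 host=CITRIX01 action=Blocked sig="Qakbot C&C DNS Lookup" query=example-cnc1.invalid
2010-05-14 09:12:04 host=CITRIX01 action=Blocked sig="Qakbot C&C DNS Lookup" query=example-cnc2.invalid
2010-05-14 09:15:30 host=WKS-22 action=Allowed sig="" query=www.example.com
2010-05-15 09:12:07 host=CITRIX01 action=Blocked sig="Qakbot C&C DNS Lookup" query=example-cnc1.invalid
2010-05-14 11:40:00 host=WKS-07 action=Blocked sig="Qakbot C&C DNS Lookup" query=example-cnc3.invalid
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) action=(?P<action>\S+) '
    r'sig="(?P<sig>[^"]*)" query=(?P<query>\S+)$'
)

def parse_events(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events

def blocked_cnc_lookups_by_host(events, sig_keyword="Qakbot"):
    """Group blocked lookups matching the signature keyword by source host and rate each host."""
    per_host = defaultdict(list)
    for e in events:
        if e["action"] == "Blocked" and sig_keyword in e["sig"]:
            per_host[e["host"]].append(e)
    summary = {}
    for host, evs in per_host.items():
        times = sorted(e["ts"] for e in evs)
        span_days = (times[-1] - times[0]).days
        summary[host] = {
            "count": len(evs),
            "domains": sorted({e["query"] for e in evs}),
            "first_seen": times[0],
            "last_seen": times[-1],
            # Lookups recurring on later days suggest the bot is still installed and retrying its C&C.
            "verdict": "recurring, isolate and investigate host" if span_days >= 1
                       else "single burst, verify with full scan",
        }
    return summary
```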