Endpoint Protection

Hi there, I hope this is the correct form, we are using the following Symantec Corporate Anti-Virus:
Symantec System Center
Symantec Corporation
Version: 10.1.5.5002

Anyways on Friday afternoon a bunch of users had emailed me letting me know their computers were not working for various reasons. Upon inspection I found that we had a massive outbreak of the W32.Qakbot worm/trojan. Most computers had this covertly installed and it was not being picked up via Symantec, then once I would navigate them to the Windows folder the files would be auto protect deleted by symantec. However several users have had the same files come back over and over again. It looked like the file had permissions on it from one of our Domain Admins so I removed him as a domain admin and scanned all our servers. It got auto deleted off the servers but still seems to be spreading? I have no idea how this is happening. I did run a new live update to get the most recent definitions, I was using May 12th, now Im using the 25th.

Does anyone have any advice? Does symantec not protect against this pesky thing?

Thanks!

W32.Qakbot [Symantec]
W32/Pinkslipbot [McAfee]
Mal/Qbot-B [Sophos]
Backdoor:Win32/Qakbot.gen!A [Microsoft]
Backdoor.Win32.Qakbot [Ikarus]
Win32/IRCBot.worm.variant [AhnLab]

If the files were connected to the domain admins account, it could be that the PC he uses is the source.
I suggest you investigate that first.

Look into the registry for this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[LEGITIMATE APPLICATION NAME]" = "\"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe\" \"C:\Documents And Settings\All Users\_qbothome\_qbot.dll\" /c [PATH TO LEGITIMATE APPLICATION]"

It could also be present in the HKEY_CURRENT_USER of all the infected users.

Good luck!

I forgot to mention, it could also make a folder
C:\Documents And Settings\All Users\_qbothome
where it stores it's files.

Yeah I've been able to 'remove' it a few times and it keeps coming back to users PCs. I get the registry file, all the user docs, and the exes in the windows folder....I guess I will go do this to everyone's PCs and see if it comes back.

Still curious how it ran on each computer to install the reg keys, etc.

You know a file installed on a compromised machine was owned by a domain admin account and you don't know how it got on every machine?  this thing infects machines by network shares.  I'm guessing you have the admin$ and c$ shares on all your workstations and a compromised domain admin account.

By default windows stores a local password hash for every cached login.  Once a domain admin account is compromised you have to assume that ALL passwords are now known on your entire network.  It is an intensive but trivial process to reverse the hash stored on the local workstation.  This worm also monitors keystrokes, which is even easier than reversing the hashes.  It is not a surprise everything keeps coming back, its exactly what I would expect.

One by one, clean your domain admin workstations and your DCs.  Now reset ALL domain admin account passwords.  Repeat this same process, working down your privilaged accounts + groups until you get to local workstations and users.  Do NOT login to any machine until you know it is clean with any domain admin or privilaged account.

I get the fact the domain admin account can place a file on any file share but wouldn't a computer need to execute that file for it to spread to that machine? IE: If I put alpha.exe in a shared folder it does nothing until it is executed correct? Or am I missing some big piece here?

Thanks for the response!!

you can run a file/app remotely using a number of different methods as long as the account you are using has privs on that machine.  I would assume that if this is doing what I think it is (and many IRC bots use common parts) that is what it is doing.

check out psexec.exe from MS for an example.  All you need is the normal admin$ share and shared pipes to be on and you can run whatever you want on any machine with a domain admin account.

The way I understand the malware, it writes itself to the registry. So whenever a user logs in, it automatically loads and no matter how many times, you delete the files created, it will still come back.

I usually map the OS drive and scan from a remote PC if this is the case. At least the user will need not log off and if possible.

Are uninfected PCs being affected by this? Or are they considered protected?

Well since our latest definitions update on the 25th it has caught the virus on each computer that has it. I disabled the domain admin account for the person whos permissions it was spreading under on Friday the 22nd. So computers seem to have been clean from spreading since then. I found out who it was spreading under by viewing the security permissions of the exe files it placed in the Windows folder.

@mchiasson: glad that you've solved this issue. Just a question. What were the definitions on your network before this? The SEP/SAV were protected by W32.Qakbot since May 7th and was protected since May 12 which is your last definitions before the update.

Here's the release dates from Symantec for W32.Qakbot :
Initial Rapid Release version May 7, 2009 revision 001
Latest Rapid Release version May 13, 2009 revision 037
Initial Daily Certified version May 7, 2009 revision 003
Latest Daily Certified version May 12, 2009 revision 039
Initial Weekly Certified release date May 13, 2009