Discovered: May 07, 2009
Updated: August 10, 2012 3:14:11 PM
Also Known As: BKDR_QAKBOT.AF [Trend], Win32/Qakbot [Computer Associates], W32/QakBot [Sophos], W32/Akbot [McAfee], Trojan-PSW.Win32.Qbot.mk [Kaspersky]
Type: Worm
Infection Length: Varies
Systems Affected: Windows
CVE References: CVE-2007-4673 | CVE-2007-0015

W32.Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence.


Infection

W32.Qakbot spreads by exploiting vulnerabilities when a user visits certain Web pages. Exploit code hosted at these remote locations downloads the threat on to the compromised computer. Many of the infections are aided by users unwittingly clicking on malicious links. As more and more threats make use of the Web to spread, the clearer it becomes that every click matters.

The worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker. It also copies itself to removable drives.


Functionality
While W32.Qakbot has multiple capabilities, its ultimate goal is clearly theft of information. Identity theft is big business in the underground world of cybercrime, and the more data a threat can steal, the bigger the profit that can be made. W32.Qakbot is capable of gathering a number of different kinds of information, including the following confidential information:

  • Authentication cookies, including Flash cookies
  • DNS, IP, hostname details
  • OS and system information
  • Geographic and browser version information
  • Keystrokes including login information
  • Login details for FTP, IRC, POP3 email, and IMAP email
  • Outlook account information
  • Private keys from system certificates
  • Login credentials for certain websites
  • URLs visited

Cybercrime is big business, and it is real crime. The U.S. Dept. of Treasury reports that cybercrime has surpassed illegal drug trafficking as a criminal money maker, with one in five people becoming a victim. With profits often in the millions of dollars, it takes very little effort for a cybercriminal to set up an operation, steal identities and begin selling. Just a small glimpse of what is possible, such as an Introduction to the Black Market, can give the average internet user an idea of the insidious nature of cybercrime.

There is a funny credit card television ad that features barbarians running around using the credit card, and the tag-line is "What's in your wallet?" You can almost hear the cybercriminals asking themselves, "What's on your computer?" If you have a computer, you're at risk, which means that assessing your level of risk is always a good idea.

Once stolen, login details, credentials from particular websites, passwords, financial information and other personally identifiable information can be sold on the black market. Ultimately, that ends in identity theft. The most often used technique, keylogging, attempts to capture as much data as possible; the more details about the user that end up in the hands of the remote attacker, the bigger the profit on the black market.


White paper: W32.Qakbot in Detail
Symantec has published a white paper probing deeper into the worm to reveal its inner workings. To find out more about this worm, download a copy of the paper: W32.Qakbot in Detail.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.


PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.


SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures
W32.Qakbot


Antivirus (heuristic/generic)


Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


Intrusion Prevention System

Symantec Endpoint Protection – Application and Device Control
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful in reducing the risk of a threat infecting a computer, the unintentional removal of data, and to restrict the programs that are run on a computer.

This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat on your network, please download the policy by right-clicking the link, choosing your browser's "save as" option, and saving the file as "W32.Qakbot.dat".

To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.

For more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).

Note: The ADC policies developed by Security Response are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.

Antivirus Protection Dates

  • Initial Rapid Release version May 07, 2009 revision 001
  • Latest Rapid Release version September 19, 2018 revision 025
  • Initial Daily Certified version May 07, 2009 revision 003
  • Latest Daily Certified version September 20, 2018 revision 001
  • Initial Weekly Certified release date May 13, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Angela Thigpen and Eric Chien


1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
1.4 Network port blocking
1.5 Network shares
2. Infection method
2.1 Websites
2.2 Network shares
2.3 Removable drives
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Additional functionality
4. Additional information




1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Users are advised not to open or execute files from unknown sources. It is also advisable to disable the execution of JavaScript in client applications to prevent execution of unwanted scripts.

Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are distributed by vendors.

This threat is known to be spread by exploiting certain vulnerabilities. Installation of patches for the following vulnerabilities will reduce the risk to your computer.


1.3 Address blocking
Block access to the following addresses using a firewall or router, or add entries to the local hosts files to redirect the following addresses to 127.0.0.1:

1.4 Network port blocking
Some of the exploits used to compromise computers with this threat have been observed using a TCP port between 16666 and 16669 to spread. Blocking this port range at the network perimeter may help to reduce the risk to your computer.


1.5 Network shares
This threat is also known to spread inside networks by using shares. The following steps can help protect your computer against this threat:

  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and combines numeric, capital and lowercase characters with one or more symbols. Commonly used words from everyday language should not be used, as they are easily defeated by a dictionary attack.
  • Disable the autorun feature to prevent dropped files from running automatically when a network drive is opened.
  • For more information about the autorun feature and how to disable it, please review this blog entry.



2. INFECTION METHOD
This threat primarily spreads through drive-by downloads from deliberately created and hacked websites, as well as by copying itself to network shares.


2.1 Websites
The following addresses have been known to host or facilitate this threat family:

The following vulnerabilities have been used to spread this threat:

A drive-by-download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded on to the user's computer without his or her consent.


2.2 Network shares
W32.Qakbot may receive a command from the command and control server to begin spreading through network shares.

Before copying any files, the threat enumerates shared folders and checks whether the share name and user name are listed in the following file:
%CurrentFolder%\nbl_[USERNAME].txt

If they are listed in the file, it will skip that network share. If they are not listed, the threat checks if the files %CurrentFolder%\_qbot[RANDOM CHARACTERS] and %CurrentFolder%\q1.dll exist on the remote machine. If not, it downloads them.

It then copies q1.dll to either of the following locations:
  • [REMOTE COMPUTER]\C$\windows\q1.dll
  • [REMOTE COMPUTER]\ADMIN$\q1.dll

It also copies _qbot[RANDOM CHARACTERS] to either of the following locations:
  • [REMOTE COMPUTER]\C$\windows\_qbot[RANDOM CHARACTERS].exe
  • [REMOTE COMPUTER]\ADMIN$\_qbot[RANDOM CHARACTERS].exe

After copying the files, it writes the share name and user name to the file %CurrentFolder%\nbl_[USERNAME].txt on the local machine. This allows the worm to maintain a record of computers that have been infected.


2.3 Removable drives
Qakbot copies itself to removable drives as a random file name and also copies an autorun.inf file to the drive so that it runs every time the drive is inserted into a computer.


3. FUNCTIONALITY

W32.Qakbot makes changes to the system by adding files and a registry entry. It also injects itself into iexplore.exe or explorer.exe, so that all subsequent actions undertaken by the threat appear to be the work of these legitimate Windows processes. Some of these actions include avoiding detection and evading the firewall. Since both processes are on the firewall's allowed list, this threat can use them to send any gathered information to the remote attacker without raising suspicion.

It steals confidential information and connects to a remote server to check for internet connectivity.

The threat contacts a remote command and control server, opening a back door, to receive additional commands. It attempts to copy itself to shared network folders after it has received the command to enumerate network shares. It also hooks msadvapi.dll to hide files and outbound network connections.

The worm can update itself or download and execute additional files as part of its main functionality or through additional commands received from the remote attacker. These additional files may include configuration files. The configuration files include a list of FTP sites where the text file containing the stolen information is to be uploaded, as well as the user name and password for each FTP site.




3.1 System modifications
The following side effects may be observed on computers compromised by members of this threat family.

Files/folders created
  • %System%\sconnect.js
  • %Temp%\drwatson.exe
  • %Temp%\msvcrt81.dll
  • C:\Documents And Settings\All Users\_qbothome\updates.cb
  • C:\Documents And Settings\All Users\_qbothome\_installed
  • C:\Documents And Settings\All Users\_qbothome\_qbot.dll
  • C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe
  • C:\Documents And Settings\All Users\_qbothome\_qbotnti.exe
  • C:\Documents And Settings\All Users\_qbothome\crontab.cb
  • C:\Documents And Settings\All Users\_qbothome\msadvapi32.dll
  • C:\Documents And Settings\All Users\_qbothome\nbl_[USERNAME].txt
  • C:\Documents And Settings\All Users\_qbothome\q1.dll
  • C:\Documents And Settings\All Users\_qbothome\qbot.cb
  • C:\Documents And Settings\All Users\_qbothome\uninstall.tmp
  • C:\windows\_qbot[RANDOM CHARACTERS].exe

Files/folders deleted
None

Files/folders modified
The worm modifies the discretionary access control list (DACL) of the following folder:
%ProgramFiles%\Common Files\Symantec Shared

Registry subkeys/entries created
The worm creates the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[LEGITIMATE APPLICATION NAME]" = "\"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe\" \"C:\Documents And Settings\All Users\_qbothome\_qbot.dll\" /c [PATH TO LEGITIMATE APPLICATION]"

Note: [LEGITIMATE APPLICATION NAME] is a legitimate program that already exists on the computer and is chosen randomly by the threat.

Registry subkeys/entries deleted
None

Registry subkeys/entries modified
None

Processes
  • explorer.exe (Injects into process)
  • iexplore.exe (Injects into process)


3.2 Network activity

The threat may perform the following network activities:

Downloading
This threat has the capability to download additional files. It may also download updates to itself. Upon successful download of a file named sconnect.js, W32.Qakbot adds a scheduled task to the compromised computer that executes sconnect.js as %Windir%\Tasks\[RANDOM NAME].job. The task itself is visible in the scheduled tasks window and is set to run every four days, despite the fact that the task actually renews itself every five hours.

The worm may also download command and configuration files as well as additional executables. The configuration files may contain the status of the threat such as install time, run class (e.g. user, admin, FTP sites) and several other pieces of information.

Uploading
This threat may upload system and confidential information collected from the compromised computer to the command and control server. It also regularly gathers and sends out the geographical location and browser information of the compromised computer to a predetermined remote location.



Other network activity
The threat may open a back door by connecting to the command and control server through FTP or IRC, the locations of which are frequently changed when the worm downloads new configuration files.
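A host-triage check for the artifacts described in sections 2.2, 3.1 and 3.2 (the _qbothome drop files and nbl_[USERNAME].txt record, the Run-key loader entry, the q1.dll and _qbot[RANDOM CHARACTERS].exe copies on C$ and ADMIN$ shares, and the sconnect.js scheduled task), written as an added Python example and not taken from the Symantec writeup or its tooling. The Run value names, the host name FILESRV01, the random file name and the .job names are constructed sample data.

```python
"""Triage helper for the W32.Qakbot host artifacts in sections 2.2, 3.1 and 3.2.

Added example, not Symantec's tooling. It matches an inventory of Run-key
values, file paths and scheduled-task command lines (constructed inline below)
against the patterns the writeup documents and reports what matched.
"""
import re
from typing import Dict, List, Tuple

# 3.1: "<dir>\_qbotinj.exe" "<dir>\_qbot.dll" /c <path to legitimate application>
RUN_VALUE_RE = re.compile(
    r'^"?(?P<inj>[^"]*\\_qbotinj\.exe)"?\s+"?(?P<dll>[^"]*\\_qbot\.dll)"?\s+/c\s+(?P<target>.+)$',
    re.IGNORECASE,
)

# 2.2 and 3.1: the _qbothome drop folder, the infection-record file nbl_<user>.txt,
# and the q1.dll / _qbot<random>.exe pair written to C$\windows or ADMIN$.
FILE_PATTERNS = [
    re.compile(r'\\_qbothome\\', re.IGNORECASE),
    re.compile(r'\\nbl_[^\\]+\.txt$', re.IGNORECASE),
    re.compile(r'\\(?:windows|ADMIN\$)\\_qbot[^\\]*\.exe$', re.IGNORECASE),
    re.compile(r'\\(?:windows|ADMIN\$)\\q1\.dll$', re.IGNORECASE),
]

# 3.2: a %Windir%\Tasks\<random>.job whose command line executes sconnect.js.
TASK_RE = re.compile(r'\bsconnect\.js\b', re.IGNORECASE)


def check_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, legitimate application being wrapped) per Qakbot Run entry."""
    hits = []
    for name, data in run_values.items():
        m = RUN_VALUE_RE.match(data.strip())
        if m:
            hits.append((name, m.group("target").strip().strip('"')))
    return hits


def check_file_paths(paths: List[str]) -> List[str]:
    """Return the paths that look like Qakbot drop, record or lateral-copy files."""
    return [p for p in paths if any(rx.search(p) for rx in FILE_PATTERNS)]


def check_tasks(tasks: Dict[str, str]) -> List[str]:
    """Return the .job names whose command line runs sconnect.js."""
    return [job for job, cmd in tasks.items() if TASK_RE.search(cmd)]


def triage(run_values, paths, tasks) -> Dict[str, list]:
    """Run all three checks and return only the categories that had findings."""
    findings = {
        "run_keys": check_run_values(run_values),
        "files": check_file_paths(paths),
        "tasks": check_tasks(tasks),
    }
    return {k: v for k, v in findings.items() if v}


# Constructed sample inventory: one Qakbot Run value beside two benign ones, a mix
# of Qakbot and ordinary file paths, and a sconnect.js task beside a benign job.
SAMPLE_RUN = {
    "Adobe Reader Speed Launcher": r'"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe" '
                                   r'"C:\Documents And Settings\All Users\_qbothome\_qbot.dll" '
                                   r'/c "C:\Program Files\Adobe\Reader\AcroRd32.exe"',
    "SunJavaUpdateSched": r'"C:\Program Files\Common Files\Java\jusched.exe"',
    "ctfmon.exe": r'C:\WINDOWS\system32\ctfmon.exe',
}
SAMPLE_FILES = [
    r"C:\Documents And Settings\All Users\_qbothome\_qbot.dll",
    r"C:\Documents And Settings\All Users\_qbothome\nbl_Administrator.txt",
    r"C:\windows\_qbotk3j9x.exe",
    r"\\FILESRV01\ADMIN$\q1.dll",
    r"C:\Program Files\Common Files\Java\jusched.exe",
    r"C:\Documents And Settings\user\My Documents\_qbot_notes.txt",
]
SAMPLE_TASKS = {
    "At1.job": r"C:\WINDOWS\system32\sconnect.js",
    "GoogleUpdateTaskMachine.job": r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /ua',
}

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_TASKS).items():
        print(category, hits)
```

The Run-key check also recovers the legitimate application the loader wraps, which is what has to be restored when the entry is removed under the manual removal steps.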




3.3 Additional functionality
The file _qbot.dll is responsible for collecting certain information and uploading that stolen data to FTP servers. It can gather the following confidential information from the compromised computer:
  • Authentication cookies including Flash cookies
  • DNS details, IP address, hostname
  • General Operating System information
  • Geographic and browser version information
  • Keystrokes, including login information
  • Login details for FTP, IRC, POP3 email, and IMAP email
  • Outlook account information
  • Private keys from system certificates
  • Login credentials for certain websites
  • URLs visited

The threat uses several techniques to collect private keys from the system certificates contained on the compromised computer. First, it replaces all certificate-related dialog boxes so that the OK button is automatically pushed as soon as the dialog is created. As a result, the user will never see the OK button. It also prevents all message boxes from being displayed. Second, it hooks password input windows in order to steal any characters entered. Third, it patches the CPExportKey API to bypass security checks, and enumerates the private keys.

The worm attempts to steal not only regular browser session cookies, but also Flash cookies. Users should be aware that, unlike traditional browser cookies, Flash cookies are not controlled through the cookie privacy controls in the Web browser. This means they cannot be cleared or deleted in the simple manner that normal tracking cookies are removed.

The URLs visited by the user are logged and sent to the remote attacker. Often, this information contains details of the Internet habits of the user and is used to create targeted advertisements, which form another revenue stream for the cybercriminal. The specialized data can also be sold to companies who fund genuine advertising.

The worm also checks the following URLs related to Internet banking websites and attempts to steal bank account information:

It checks for URLs containing the following strings that are security-related and may block access to the websites:
  • webroot
  • agnitum
  • ahnlab
  • arcabit
  • avast
  • avg
  • avira
  • avp
  • bitdefender
  • bit9
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • .eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • wilderssecurity
  • windowsupdate


4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool


If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
