[Malware Review] Backdoor.Qakbot.H

Loredana BOTEZATU

May 10, 2011

Backdoor.Qakbot.H is a complex piece of malware (with worm, downloader and Trojan components) that spreads through peer-to-peer network shares and removable drives. Once on the system, it creates a backdoor and starts downloading additional malicious files, while snatching critical private information.

All it takes is for an unsuspecting user to click a malicious link on an infected web page, and the malware immediately lands on the computer. The infected executable bears the icon of a shared folder, which lets the worm hide in plain sight and increases the chance that a user will click on it and run the file.

Removable drives are also infection vectors for this piece of code.

The file is packed with UPX. The moment it gets on the system, it drops a copy of itself into one of the following locations, along with an encrypted initialization file and the packed DLL it carries in its resources: C:\Documents and Settings\All Users\Application Data\Microsoft; C:\Documents and Settings\All Users\Application Data; C:\Documents and Settings\Microsoft\%user%\Application Data; C:\Documents and Settings\%user%\Application Data.

It registers the copy for startup by duplicating a randomly chosen legitimate value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with one that points to itself, thus ensuring that it is launched on every boot. The variant we analyzed points to C:\Documents and Settings\All Users\Application Data\Microsoft\uooeum6.exe. Furthermore, Backdoor.Qakbot.H installs a hook procedure meant to monitor messages posted to a message queue.
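A defender's counterpart to the persistence trick described above, added here as an illustration and not part of the original review: the script parses a .reg-style export of the HKLM Run key and flags any autostart value whose program sits in a profile data directory (Application Data, ProgramData, AppData, Temp), where a legitimate installer rarely places an autostart binary. The export text is constructed for the example; only the uooeum6.exe path comes from the article, and the value names, directory list and heuristic are assumptions of the example.

```python
"""Flag autorun entries whose program lives in a user or shared data directory.

Added example, not Bitdefender's code. Works on the text produced by
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
so it can be run offline against an export collected from a suspect host.
"""
import re
from typing import List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Directories where an installer rarely puts an autostart binary (assumed list).
SUSPICIOUS_DIRS = (
    "\\application data\\",   # XP-era shared/per-user data, as in the article
    "\\programdata\\",        # Vista+ equivalent of All Users\Application Data
    "\\appdata\\",            # Vista+ per-user equivalent
    "\\temp\\",
)

# One  "name"="data"  line of a .reg file; backslash escapes quote and backslash.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

# Constructed sample export: two ordinary entries plus the path quoted in the article.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"Java Update Scheduler"="C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\uooeum6.exe"
'''


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " in a single pass."""
    return re.sub(r"\\(.)", r"\1", s)


def executable_path(data: str) -> str:
    """Return the program path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted command line: take everything up to and including the first .exe token.
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def parse_run_values(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value_name, unescaped_data) pairs found under the Run key only."""
    in_run_key = False
    values = []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if m:
            values.append((_unescape(m.group("name")), _unescape(m.group("data"))))
    return values


def flag_suspicious_autoruns(reg_text: str) -> List[Tuple[str, str]]:
    """Return (name, path) for Run values whose program lives in a data directory."""
    flagged = []
    for name, data in parse_run_values(reg_text):
        path = executable_path(data)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            flagged.append((name, path))
    return flagged


if __name__ == "__main__":
    for name, path in flag_suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"suspicious autorun {name!r} -> {path}")
```

The check is deliberately path-based rather than name-based: because the variant copies the name of an existing, legitimate Run value, the value name itself tells an analyst nothing, while the target directory does.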

Qakbot then injects into explorer.exe a piece of code that is later used to create new processes. This is common practice among malware authors, as it lets them disguise the processes they spawn as children of explorer.exe. The Trojan creates the following processes: iexplore.exe; outlook.exe; firefox.exe; opera.exe; skype.exe; msnmsgr.exe; yahoomessenger.exe; chrome.exe; msmsgs.exe. These are permanently monitored by a watchdog thread; if one of them is terminated, the malware re-launches it.

This piece of malware has a great deal of features:

· to update or uninstall malware

· to steal passwords typed in the most popular browsers, such as Internet Explorer®, Firefox®, Chrome® and Opera™

· to steal login details from mail clients (Outlook® Express) or instant messaging and VoIP applications (Skype™, MSN® Messenger, Yahoo!® Messenger)

· to steal cookies

· to download files from FTP servers and run them locally

· to join IRC servers (a must-have feature for the creation of botnets)

· to monitor a considerably lengthy list of e-banking sites

· to download further malware on the infected computer from a list of servers that it comes equipped with

On top of all this, Backdoor.Qakbot.H denies access to Windows® Update and attempts to kill any antivirus service it finds installed locally. To protect itself from removal tools or manual disinfection, it also blocks any connection to online scanning services. In this way it takes every precaution to remain undiscovered and carry out its tasks undisturbed.

Since Qakbot injects into Internet Explorer® the code it needs to download files from the Internet, its network traffic will likely pass the restrictions of some firewalls, which may keep it functional in a corporate environment. If an Internet connection is available, Qakbot tries to send its C&C server the following details about the infected computer:

ext_ip=[%s], dnsname=[%s], hostname=[%s], user=[%s], domain=[%s], is_admin=[%s], os=[%s], time=[%s], qbot_version=[%s], install_time=[%s].
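The beacon template above is a usable network signature. The following is an added example (not from the original review or from Bitdefender) that parses the `key=[value]` layout out of a captured request body and applies a simple heuristic: a body is treated as a Qakbot check-in when it carries the `qbot_version` marker and most of the fields listed in the article. The request bodies are constructed for the example; field values such as the version string and the timestamps are invented and not real captures.

```python
"""Parse and flag C&C check-ins that follow the key=[value] beacon layout.

Added example, not Bitdefender's code. Intended to be run over HTTP request
bodies pulled from a proxy log or packet capture; the inputs here are constructed.
"""
import re
from typing import Dict, List

# Field names exactly as quoted in the article's beacon template.
BEACON_FIELDS = (
    "ext_ip", "dnsname", "hostname", "user", "domain",
    "is_admin", "os", "time", "qbot_version", "install_time",
)

# One field: a bare key, '=', then a bracketed value that cannot contain ']'.
PAIR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")

# Constructed sample request bodies: full beacon, truncated beacon, unrelated form post.
SAMPLE_BODIES = [
    "ext_ip=[203.0.113.7], dnsname=[ws12.corp.example], hostname=[WS12], user=[jdoe], "
    "domain=[CORP], is_admin=[1], os=[5.1.2600], time=[1304985600], "
    "qbot_version=[sample], install_time=[1304982000]",
    "ext_ip=[198.51.100.9], hostname=[LAPTOP3], user=[asmith], domain=[WORKGROUP], "
    "is_admin=[0], os=[5.1.2600], qbot_version=[sample]",
    "user=[jdoe], action=[login], time=[1304985600]",
]


def parse_beacon(payload: str) -> Dict[str, str]:
    """Extract every key=[value] pair; unknown keys are kept so analysts see extras."""
    return {key: value for key, value in PAIR_RE.findall(payload)}


def is_qakbot_beacon(payload: str, min_fields: int = 6) -> bool:
    """Heuristic (assumed threshold): version marker present and most known fields covered."""
    fields = parse_beacon(payload)
    hits = sum(1 for name in BEACON_FIELDS if name in fields)
    return "qbot_version" in fields and hits >= min_fields


def scan(bodies: List[str]) -> List[int]:
    """Return the indexes of the bodies that look like check-ins."""
    return [i for i, body in enumerate(bodies) if is_qakbot_beacon(body)]


def summarize(payload: str) -> str:
    """One-line triage summary an analyst would want from a matched beacon."""
    f = parse_beacon(payload)
    admin = "admin" if f.get("is_admin") == "1" else "non-admin"
    return f"{f.get('hostname', '?')} ({f.get('domain', '?')}\\{f.get('user', '?')}, {admin}) -> {f.get('ext_ip', '?')}"


if __name__ == "__main__":
    for idx in scan(SAMPLE_BODIES):
        print(f"body {idx}: {summarize(SAMPLE_BODIES[idx])}")
```

Keying on the bracketed layout plus the `qbot_version` marker rather than on any single value keeps the check stable when the operators change the C&C host; the `is_admin` field is worth surfacing first in triage, since it tells the responder whether the compromised account could have reached the HKLM Run key and the All Users profile described above.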

Once the job is done, the dropper deletes itself by means of a .bat file; however, the copy it planted in the Application Data folder keeps running.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
