Backdoor.Qakbot.H is a complex piece of malware (with worm, downloader and Trojan components) that spreads through peer-to-peer network shares and removable drives. Once on the system, it creates a backdoor and starts downloading additional malicious files, while snatching critical private information.
It takes the unsuspecting user only to click on a malicious link fromA an infected webpage and the malware immediately lands on his computer. This infected executable file bears the icon of a shared folder, which allows the worm to hide in plain sight and also increases chances for a user to click on it and run the file.
Removable drives are also infection vectors for this piece of code.
The file is packed with UPX. The moment is gets on the system; it copies in one of the locations C:Documents and SettingsAll UsersApplication DataMicrosoft; C:Documents and SettingsAll UsersApplication Data; C:Documents and SettingsMicrosoft%user%Application Data; C:Documents and Settings%user%Application Data, a copy of itself, along with an encrypted initialization file and the packed dll it drops in the resources.
It adds the copy of itself at startup by duplicating a randomly-chosen legit registry key in HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun with one pointing to itself, thus ensuring that it will initialize upon every startup. The variant we analyzed points to C:Documents and SettingsAll UsersApplication DataMicrosoftuooeum6.exe. Furthermore, Backdoor.Qakbot.H installs a hook procedure meant to monitor messages posted to a message queue.
Qakbot will then inject into explorer.exe a piece of code that will eventually be used to create new processes. This is a common practice amongst malware creators as it allows them to conceal other spawned processes as children of explorer.exe. The Trojan creates the following processes: iexplore.exe; outlook.exe; firefox.exe; opera.exe; skype.exe; msnmsgr.exe; yahoomessenger.exe; chrome.exe; msmsgs.exe, processes which will be permanently monitored in a watchdog thread. If one of them is terminated, the piece of malware will re-launch it
This piece of malware has a great deal of features:
· to update or uninstall malware
· to steal passwords typed in the most popular browsers, such as Internet Explorer®, Firefox®,Chrome®, Opera™
· to steal login details from mail clients (Outlook® Express) or instant messaging & VoIP applications (Skype™, MSN® Messenger, Yahoo! ® Messenger
· to steal cookies
· to download files from FTP servers and runs them locally
· to join IRC servers (a must-have feature for the creation of botnets)
· to monitor a considerably lengthy list of e-banking sites
· to download further malware on the infected computer from a list of servers that it comes equipped with
On top of all these, Backdoor.Qakbot.H denies access to Windows® updates and attempts to kill any antivirus service it finds installed locally. In order to protect itself from removal tools or manual disinfection, it also blocks any connection to online scanning services. This way, it takes all the necessary precautions to remain undiscovered and better perform its tasks.
Since Quakbot injects in Internet Explorer® code that will be needed to download files from the Internet, its network traffic will likely circumvent the restrictions of some firewalls, which might ensure its functionality in a corporate environment. If internet connection is possible, Qakbot will try to send to its C&C center the following details regarding the infected computer:
ext_ip=[%s], dnsname=[%s], hostname=[%s], user=[%s], domain=[%s], is_admin=[%s], os=[%s], time=[%s], qbot_version=[%s], install_time=[%s].
Once the job is done, the dropper deletes itself through a .bat file; however copies of itself remain running in the Application Data folder.
This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.