W32.Qakbot is a worm that's been around since at least 2009. The worm initially infects users by exploiting vulnerabilities when certain Web pages are visited. It subsequently spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. During the past few months we've seen high levels of active development from the malware author's side with the intent of circumventing detection techniques used by various security software.
The Symantec Security Response team has been monitoring this worm for the past couple of years. Activity around Qakbot appears every couple of months with external entities claiming to see an outbreak. The last major wave we saw started in early April. We took that opportunity to spend additional time to analyze and document the working of this threat in a little more detail. We took some actions to monitor the threat's prevalence and learnt a good amount.
Data acquired using our in-field telemetry show us just how prevalent this worm is. In the first quarter of 2011 the worm's activity wasn't very different from that of most other active worms. Once the author seeded the newer variants, it's hard to believe he/she could have foreseen its ability to spread.
Some of the key findings from the analysis of Qakbot were –
- The worm spreads using network (SMB) drives, infected web pages, as well as removable drives
- It steals keystrokes, certificates, POP3 passwords, as well as FTP credentials
- It uses FTP credentials to locate web pages and infect them by injecting code
- The worm steals online banking session tokens
- It sets up a local SOCKS server which is used by the malware controller to connect through the compromised computer and reuse the hijacked banking session token
- Qakbot has the ability to remove 'logoff' links from client visibility for some banking sites, and subsequently extend active sessions
- It has a usermode rootkit which allows it to hide its files, processes and network connections
- The data being targeted by this worm is primarily from clients using services of US based banks and other financial institutions
In one instance, a few weeks ago, we also saw Qakbot files being digitally signed using a valid legitimate key. The intention behind signing the files is always to enhance appearance of legitimacy to unsuspecting end users. While we spoke with the legitimate owners of the digital key and got it revoked, a stolen key being used by Qakbot shows how actively the controllers are seeking means to push their creations to a wider client base.
Additional statistics about how many people continue to be affected by the threat on an ongoing basis can be found in the report linked off the bottom of this article. Also within the document one can find details of each of the aforementioned Qakbot functions.
Details about all the aforementioned Qakbot functions and additional statistics, including infection rates, can be read about in this whitepaper.