The Latest in IT Security

Towering Qbot Certificates

28 Sep 2011

New stolen digital certificates are used by the multi-purpose backdoor Qbot.

The criminals behind the Qbot trojan are certainly not inactive. As I mentioned in a blog post earlier this month, after a quiet summer we have seen a batch of new Qbot variants. An interesting fact is that the malicious binaries were digitally signed. The stolen certificate was issued to a company called Word & Brown and was later revoked by Verisign.

Yesterday, the virus-writers built a new variant of this multi-purpose backdoor. It uses a new packer, which is quite distinct from those used in previous releases. ESET’s scanning engine was able to detect the trojan heuristically.

These new samples are again digitally signed, this time with a different certificate from the one used before. The current one was issued to Towers Watson & Co, and at the time of this writing we are working on having this certificate revoked.

ESET security software detects these versions of the trojan as Win32/Qbot.AY. A careful reader may have noticed that the detection name is the same as the one mentioned in my previous post. The reason for this is that, under the hood, yesterday’s update isn’t really a new variant. It’s the same malware, but a new packer (an outer layer for avoiding detection) and a new digital certificate have been used.

Robert Lipovsky

Malware Researcher
