One of them, “getip”, checks the registry to see if a Citrix product, Microsoft Office or Microsoft Project is installed, by reading the registry key HKEY_CLASSES_ROOT\Installer\Products. Qakbot contains several internal commands it uses to do its dirty work. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"C:\Documents and Settings\All Users\_qbothome\_qbotinj.exe" " C:\Documents and Settings\All Users\_qbothome\_qbot.dll" /C "C:\Program Files\Test Program\testprogram.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Test Program" = "C:\Program Files\Test Program\testprogram.exe" Qakbot does not add a registry value under the “Run” or “RunOnce” subkeys itself, but instead updates the last entry under those keys to include its own EXE file, followed by Qakbot’s parameter and “/c” with the original registry value, which is legitimate.įor example, the last (legitimate) Run key entry might be: The other thread, Swatcher, checks the registry subkeys “Run” and “RunOnce” every 30 seconds and updates them if necessary. Watson running in memory and terminates any it finds. The Watchdog thread monitors for instances of Dr. _qbot.dll also runs two additional threads: “Watchdog” and “Swatcher”. Interestingly however, _qbotinj.exe avoids injecting _qbot.dll into certain processes, presumably in an attempt to avoid being detected (or in some cases to avoid being debugged which would likely result in detection so in essence is the same thing), including the following: For all intents and purposes, this simply appears to be a legitimate browsing instance.
The above image represents the worm communicating with its command center via the compromised Internet Explorer process.
#INSTALL DATATHIEF WINDOWS FULL#
This is in fact a trick often used by many types of threats, as antivirus products, firewalls and other security safeguards are generally programmed to allow such common Windows processes full access to both the Internet and other applications on the infected computer. This creates the illusion that all subsequent actions undertaken by the threat appear to be the work of these otherwise legitimate Windows processes. Similarly, the iexplore.exe process, which many readers will recognize as the process responsible for operating the Internet Explorer browser, is also injected. The file explorer.exe, a core Windows process and one of the few that runs in memory constantly on Windows operating systems, is compromised by _qbotinj.exe injecting _qbot.dll into it – that is, into the instance of explorer.exe running in memory. The _qbotinj.exe file acts as a kind of servant to the _qbot.dll file. We will talk more about this file later in the article. The downloaded file _qbot.dll is the main component of the Qakbot worm and is responsible for collecting certain information from the infected machine and uploading that stolen data to FTP servers under the control of the creator, the locations of which are frequently changed. The first two components the threat downloads are _qbot.dll and _qbotinj.exe. Once a machine is infected with Qakbot, all Qakbot-related files are stored in the user profile data directory, which typically is C:\Documents and Settings\\_qbothome. Qakbot initially spreads via web pages containing Javascript which attempts to exploit certain vulnerabilities, including Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness and Apple QuickTime RTSP URI Remote Buffer Overflow (Symantec IPS detection details here and here) and where those exploits are successful, downloads its malicious files on to the compromised computer. We will discuss each of these components briefly as we walk through the various functionality contained within and methods employed by this nefarious data thief. Taking a peak under the proverbial covers, we see that it uses several components to accomplish the task, including the following: The motive of Qakbot is quite clear, to steal information. Benign not because it is harmless - stealing login details, reporting keystrokes and uploading system certificates is malicious behavior indeed - but as will become obvious as we describe it in more detail below, because it moves slowly and with caution, trying not to bring attention to its presence. W32.Qakbot (hereafter referred to as Qakbot) is a somewhat benign worm that is capable of spreading through network shares, downloading additional files and opening a back door on the compromised computer, all in aid of its ultimate goal. We recently had the opportunity to revisit a threat that first appeared on our radar back in May of this year.
0 kommentar(er)
