W32.Qakbot – Under The Surface

W32.Qakbot is a worm that's been around since at least 2009. The worm initially infects users by exploiting vulnerabilities when certain Web pages are visited. It subsequently spreads through network shares and removable drives. It downloads additional files, steals information, and opens a backdoor on the compromised computer. During the past few months, we've seen high levels of active development from the malware author's side, the intent of which is to circumvent detection techniques used by various security software.

The Symantec Security Response team has been monitoring this worm for the past couple of years. Activity around Qakbot appears every couple of months when external entities claim to see an outbreak. The last major wave we saw started in early April. We took that opportunity to spend additional time to analyze and document the working of this threat in a little more detail. We took some actions to monitor the threat's prevalence and learned a lot.

Data acquired using our in-field telemetry shows us just how prevalent this worm is. In the first quarter of 2011, the worm's activity wasn't very different from that of most other active worms. Once the author seeded the newer variants, it's hard to believe he/she could have foreseen its ability to spread.

Some of the key findings from the analysis of Qakbot were:

  1. The worm spreads using network (SMB) drives, infected Web pages, as well as removable drives.
  2. It steals keystrokes, certificates, POP3 passwords, as well as FTP credentials.
  3. It uses FTP credentials to locate Web pages and infect them by injecting code.
  4. It steals online banking session tokens.
  5. It sets up a local SOCKS server which is used by the malware controller to connect through the compromised computer and reuse the hijacked banking session token.
  6. Qakbot has the ability to remove 'log off' links from client visibility for some banking sites, and subsequently extend active sessions.
  7. It has a usermode rootkit which allows it to hide its files, processes, and network connections.
  8. The data being targeted by this worm is primarily that of clients of US-based banks and financial institutions.

In one instance a few weeks ago, we also saw Qakbot files being digitally signed using a valid, legitimate key. The intention behind signing the files is always to enhance the appearance of legitimacy to unsuspecting end users. Although we spoke with the legitimate owners of the digital key and got it revoked, a stolen key being used by Qakbot shows how actively the controllers are seeking means to push their creations to a wider client base.

Additional statistics about how many people continue to be affected by the threat on an ongoing basis can be found in the report linked at the bottom of this article. Also within the document, one can find details of each of the aforementioned Qakbot functions.

Details about all the aforementioned Qakbot functions and additional statistics, including infection rates, can be read about in this whitepaper.