Backdoor:Win32/Qakbot.T

Installation

This threat can be installed by exploit kits, such as Sweet Orange. It can also spread using infected network and removable drives, such as USB flash drives. It installs a copy of itself on all accessible drives and network shares, using a random file name. The dropped copy can be run remotely.

The trojan is installed along with a dynamic link library (DLL) file that contains encrypted configuration data to %APPDATA%\Microsoft\<random folder name>\<random file name>. The folder and file names are the same, for example:

• %APPDATA%\Microsoft\ypoplkc\ypoplkc.exe
• %APPDATA%\Microsoft\ypoplkc\ypoplkc.dll

Registry modifications

The maware creates the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random value name>
With data: "%APPDATA%\Microsoft\<random folder name>\<random file name>"

The malware installs itself as a Windows service by modifying the following registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>

Sets value: "Type"
With data: dword:00000010

Sets value: "Start"
With data: dword:00000002

Sets value: "ErrorControl"
With data: dword:00000000

Sets value: "ServiceName"
With data: "<random service name>"

Sets value: "DisplayName"
With data: "Remote Procedure Call (RPC) Service"

Sets value: "DependOnService"
With data: "Dnscache"

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>
Sets value: "ObjectName"
With data: "LocalSystem"

It also modifies the following registry entries to lower your Internet security settings:

In subkey: HKCU\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\\2
Sets value: "2500"
With data: dword:00000003

In subkey: HKCU\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\\3
Sets value: "2500"
With data: dword:00000003 

The trojan can create a shortcut file in the Startup folder that links back to its copy.

Payload

Allows backdoor access and control

This threat contacts a remote server to receive commands from a malicious hacker. Once connected, the malicious hacker can command the trojan to do a number of things, including:

• Collect information about your PC
• Check for new malware version
• Download and run files, such as a malware update
• Login to FTP sites using stolen credentials
• Download collected data
• Detect which antivirus program you have on your PC
• Detect whether it is running in a virtual machine and/or honeypot
• Stop processes by process ID (PID) or string matching
• Log keystrokes
• Load a specified configuration file
• Steal email user names and passwords
• Steal POP3 and FTP credentials
• Collect your cookies and digital certificates
• Delete your cookies
• Infect removable drives
• Infect accessible network shares
• Contact a SOCKs server

Steals your banking information

A malicious hacker can also tell the trojan to steal your online banking information. The trojan watches to see if you visit any URLs that include the following strings:

• web-access.com
• webcashmgmt.com
• /achupload
• /cashman/
• /cashplus/
• /clkccm/
• /cmserver/
• /corpach/
• /ibws/
• /payments/ach
• /stbcorp/
• /wcmpr/
• /wcmpw/
• /wcmtr/
• /wires/
• /wiret
• access.jpmorgan.com
• accessonline.abnamro.com
• achbatchlisting
• bankeft.com
• blilk.com
• business-eb.ibanking-services.com
• businessaccess.citibank.citigroup.com
• businessbankingcenter.synovus.com
• businessinternetbanking.synovus.com
• businessonline.huntington.com
• businessonline.tdbank.com
• cashproonline.bankofamerica.com
• cbs.firstcitizensonline.com
• chsec.wellsfargo.com
• cmol.bbt.com
• commercial.bnc.ca
• commercial.wachovia.com
• commercial2.wachovia.com
• commercial3.wachovia.com
• commercial4.wachovia.com
• corporatebanking
• cpw-achweb.bankofamerica.com
• ctm.53.com
• directline4biz.com
• directpay.wellsfargo.com
• e-facts.org
• e-moneyger.com
• each.bremer.com
• ebanking-services.com
• express.53.com
• firstmeritib.com
• firstmeritib.com/defaultcorp.aspx
• goldleafach.com
• iachwellsprod.wellsfargo.com
• ibc.klikbca.com
• iris.sovereignbank.com
• itreasury.regions.com
• itreasurypr.regions.com
• jsp/mainWeb.jsp
• ktt.key.com
• moneymanagergps.com
• netconnect.bokf.com
• nj00-wcm
• ocm.suntrust.com
• onlineserv/CM
• otm.suntrust.com
• paylinks.cunet.org
• premierview.membersunited.org
• providentnjolb.com
• scotiaconnect.scotiabank.com
• securentrycorp.amegybank.com
• securentrycorp.zionsbank.com
• singlepoint.usbank.com
• svbconnect.com
• tcfexpressbusiness.com
• tmcb.zionsbank.com
• tmconnectweb
• treas-mgt.frostbank.com
• treasury.pncbank.com
• trz.tranzact.org
• tssportal.jpmorgan.com
• wc.wachovia.com
• wcp.wachovia.com
• web-cashplus.com
• webexpress.tdbank.com
• wellsoffice.wellsfargo.com

If you visit one of these banking websites the malware can monitor the communication and capture your sensitive information, such as your user name and password.

Sends stolen data to a malicious hacker

This threat can send the information it collects from your PC back to a remote server via HTTP or FTP. We have seen it connect to the following servers:

• 85.114.135.19 using TCP/8080
• 213.239.202.52 using TCP/65400

Blocks access to security websites

The malware hooks several APIs to monitor system events related to its information stealing routines. It can then block access to some security-related websites. We have seen it hooks the following APIs:

• advapi32.dll!RegEnumValueW
• advapi32.dll!RegEnumValueA
• dnsapi.dll!DnsQuery_A
• dnsapi.dll!DnsQuery_W
• iphlpapi.dll!GetTcpTable
• iphlpapi.dll!AllocateAndGetTcpExTableFromStack
• kernel32.dll!GetProcAddress
• kernel32.dll!FindFirstFileA
• kernel32.dll!FindNextFileA
• kernel32.dll!FindFirstFileW
• kernel32.dll!FindNextFileW
• ntdll.dll!NtQuerySystemInformation
• ntdll.dll!NtResumeThread
• ntdll.dll!LdrLoadDll
• wininet.dll!HttpOpenRequestA
• ininet.dll!HttpOpenRequestW
• wininet.dll!HttpSendRequestA
• wininet.dll!HttpSendRequestW
• ninet.dll!HttpSendRequestExW
• wininet.dll!InternetReadFile
• wininet.dll!InternetReadFileExA
• wininet.dll!InternetWriteFile
• wininet.dll!InternetCloseHandle
• wininet.dll!InternetQueryDataAvailable
• wininet.dll!HttpOpenRequestA
• wininet.dll!HttpOpenRequestW
• ws2_32.dll!connect
• ws2_32.dll!send
• ws2_32.dll!WSASend
• ws2_32.dll!WSAConnect
• user32.dll!GetClipboardData
• user32.dll!CharToOemBuffA
• user32.dll!TranslateMessage

We have seen it block the following security-related websites:

• Agnitum
• Ahnlab
• Arcabit
• Avast
• Avg
• Avira
• Avp
• Bit9
• Bitdefender
• Castlecops
• Centralcommand
• Clamav
• Clearclouddns
• Comodo
• Computerassociates
• Cpsecure
• Defender
• Download.microsoft
• Drweb
• Emsisoft
• Esafe
• Eset
• Etrust
• Ewido
• Explabs
• F-prot
• F-secure
• Fortinet
• Gdata
• Grisoft
• Hacksoft
• Hauri
• Hautesecure.com
• Ikarus
• Jotti
• KI7computing
• Kaspersky
• Malware
• Mcafee
• Networkassociates
• Nod32
• Norman
• Norton
• Panda
• Pctools
• Phishtank.com
• Prevx
• Quickheal
• Rising
• Rootkit
• Sanasecurity
• Securecomputing
• Sophos
• Spamhaus
• Spyware
• Sunbelt
• Symantec
• Threatexpert
• Threatfire
• Trendmicro
• Truste.com
• Update.microsoft
• Virus
• Webroot
• Wilderssecurity
• Windowsupdate

Additional information

• Proofpoint blog: How to steal access to over 500,000 bank accounts: The insider view of a Russian cybercrime infrastructure
• Microsoft Malware Protection Center Threat Report - Qakbot   
• Implement strict provisioning and administration practices
• W32/Pinkslipbot threat advisory  

Analysis by Rex Plantado