TrendLabs Security Intelligence Blog (Trend Micro)

Third-Generation QAKBOT: Repackaged with Improved Propagation

  • Posted on: March 15, 2011 at 5:53 pm
  • Posted in: Malware
  • Author: Jessa De La Torre (Senior Threat Researcher)

It has been said that 2011 is the year of sequels in the movie industry and it seems that malware authors are also taking cues from their Hollywood counterparts. It is only the first quarter of the year but we have already seen a number of revamps of previous well-known malware. The new year started off with the Waledac spin-off Kelihos then ZeuS followed suit with its multiplatform mobile version. Now, recent reports also point to the comeback of a reluctant malware celebrity—QAKBOT.

QAKBOT never had the same level of notoriety that ZeuS managed to reach. Nevertheless, the damage it inflicted made a great impact on several multinational companies. An RSA report (in PDF) on the impact of attacks involving QAKBOT may be viewed here.

Our engineers got hold of a new QAKBOT variant in early 2011. Even though its core payload remained the same, several changes were evident. QAKBOT used to be known as multicomponent malware: each of its components performed a specific routine, such as information theft, rootkit functionality, anti-emulation, backdoor access, or blocking access to antivirus websites.

However, with this new variant—third-generation QAKBOT—all of the aforementioned routines have been packaged into one executable file. It seems that its modules were combined to make it more transferable. Below is an image describing its structure.

Despite this consolidation, none of the functionality of earlier QAKBOT variants was sacrificed. In fact, we were able to observe improved propagation methods. Like older variants, the new variant also propagates via network shares, removable drives, and peer-to-peer (P2P) networks.

Whenever a USB drive is plugged in, it randomly selects a file name on the drive and names its dropped copy {malware filename}_{selected filename}.exe. If the drive is empty, it simply appends _Documents to its own file name (i.e., {malware filename}_Documents.exe). As for its P2P mechanism, it attempts to access a certain URL to retrieve its peer list, though this URL is currently inaccessible.
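As an added defensive illustration (not code from the original post or from Trend Micro), the script below applies the naming convention just described as a triage heuristic over a removable drive's root listing: it flags every .exe whose name, after some underscore, ends in either "Documents" or the name of another file on the drive. Because the post does not say whether the selected file name keeps its extension, the check accepts both forms; the drive listing is constructed.

```python
"""Flag files on a removable drive that are named the way the third-generation
QAKBOT variant names its dropped copies:
    {malware filename}_{selected filename}.exe   (drive had files)
    {malware filename}_Documents.exe             (drive was empty)
Heuristic only: a legitimate "setup_tool.exe" next to "tool.txt" would also hit."""
import os

# Constructed sample listing of a USB drive root (not from a real infection).
DRIVE_ROOT_LISTING = [
    "budget.xlsx",
    "holiday.jpg",
    "installer.exe",
    "readme_v2.txt",
    "setup_holiday.exe",          # selected name "holiday" (extension dropped)
    "update_budget.xlsx.exe",     # selected name "budget.xlsx" (extension kept)
    "setup_Documents.exe",        # empty-drive form
]


def suspicious_dropper_names(listing):
    """Return the sorted file names in `listing` that match the dropper pattern.

    Comparison is case-insensitive. The suffix after an underscore must equal
    'documents' or the name of another file on the drive, with or without its
    extension (assumption: the post does not specify which form is used)."""
    names = list(listing)
    lower = [n.lower() for n in names]
    # every file name on the drive, both as-is and without its extension
    candidates = set(lower) | {os.path.splitext(n)[0] for n in lower}
    hits = []
    for name, low in zip(names, lower):
        if not low.endswith(".exe"):
            continue
        body = low[:-len(".exe")]
        # try every underscore as the split between malware name and selected name
        for i, ch in enumerate(body):
            if ch != "_" or i == 0:      # i == 0 would mean an empty malware name
                continue
            tail = body[i + 1:]
            if tail == "documents" or tail in candidates:
                hits.append(name)
                break
    return sorted(hits)


if __name__ == "__main__":
    for hit in suspicious_dropper_names(DRIVE_ROOT_LISTING):
        print("suspicious dropped copy:", hit)
```

Run it against the file names of a mounted drive root (for example `os.listdir` on the mount point) to get a list worth pulling hashes for; the heuristic is a triage aid, not a verdict.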

As more improvements to this already prevalent threat ensue, it will not be surprising if users continue to be affected by QAKBOT unless they get proper protection. Rest assured, however, that we are closely monitoring this threat for any development.

More information on QAKBOT can be viewed in our comprehensive report “QAKBOT: A Prevalent Info-Stealing Malware.”
