Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
    • About Us
    blog.trendmicro.com Sites > TrendLabs Security Intelligence Blog > Malware > Third-Generation QAKBOT: Repackaged with Improved Propagation

    It has been said that 2011 is the year of sequels in the movie industry and it seems that malware authors are also taking cues from their Hollywood counterparts. It is only the first quarter of the year but we have already seen a number of revamps of previous well-known malware. The new year started off with the Waledac spin-off Kelihos then ZeuS followed suit with its multiplatform mobile version. Now, recent reports also point to the comeback of a reluctant malware celebrity—QAKBOT.

    QAKBOT never had the same level of notoriety that ZeuS managed to reach. Nevertheless, the damage it inflicted made a great impact on several multinational companies. An RSA report (in PDF) on the impact of attacks involving QAKBOT may be viewed here.

    Our engineers got hold of a new QAKBOT variant in early 2011. Even though its core payload remained the same, several changes were evident. QAKBOT used to be known as a multicomponent malware. Each of its components performs specific routines like information theft, rootkit , anti-emulation, backdoor, and blockage of access to antivirus websites.

    However, with this new variant—third-generation QAKBOT, all of the aforementioned routines have been packaged into one executable file. It seems that its modules were combined to make it more transferrable. Below is an image describing its structure.

    Despite the compression, none of the functions of QAKBOT variants were sacrificed. In fact, we were able to observe improved propagation methods. Like older variants, the new variant also propagates via network shares, removable drives, and peer-to-peer (P2P) networks.

    Whenever a USB drive is plugged in, it will randomly select a file name in the drive and name its dropped copy {malware filename}_{selected filename}.exe. If the drive is empty, it will just append _Documents to its file name (i.e., {malware_filename}_Documents.ex). As for its P2P mechanism, it will attempt to access a certain URL to get its peer list though this is currently inaccessible.

    As more improvements to this already prevalent threat ensue, it will not be surprising if users continue to be affected by QAKBOT unless they get proper protection. Rest assured, however, that we are closely monitoring this threat for any development.

    More information on QAKBOT can be viewed in our comprehensive report “QAKBOT: A Prevalent Info-Stealing Malware.”





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Tuesday, March 15th, 2011 at 5:53 pm and is filed under Malware . Both comments and pings are currently closed.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice