BKDR_QAKBOT.MEOC

This backdoor arrives via peer-to-peer (P2P) shares. It arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to a website to send and receive information.

It sends the information it gathers to remote sites.

It prevents users from visiting antivirus-related websites that contain specific strings.

Arrival Details

This backdoor arrives via peer-to-peer (P2P) shares.

It arrives via removable drives.

It may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %User Profile%\Application Data\Microsoft\{random}\{random}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following non-malicious file:

• %User Profile%\Application Data\Microsoft\{random}\{random}.dll

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

• %User Profile%\Application Data\Microsoft\{random}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {malware name}a
• koucoua

It injects itself into the following processes as part of its memory residency routine:

• explorer.exe
• iexplore.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random name} = "%User Profile%\Application Data\Microsoft\{random}\{random}.exe"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ctfmon.exe = "%User Profile%\Application Data\Microsoft\{random}\{random}.exe /c %System%\ctfmon.exe"

(Note: The default value data of the said registry entry is %System%\ctfmon.exe.)

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• {BLOCKED}auskmt.pw
• {BLOCKED}theusas.org
• {BLOCKED}cmasn.net
• {BLOCKED}skdfasjdmtf.org
• {BLOCKED}psgrn.com
• {BLOCKED}tmaksjdo.net
• {BLOCKED}aqmi.net
• {BLOCKED}akyat.org
• {BLOCKED}hatdfsaf.net
• {BLOCKED}geyaihudmn.org
• {BLOCKED}kahdmansgip.org
• {BLOCKED}ifdnaetra.net

Process Termination

This backdoor terminates the following processes if found running in the affected system's memory:

• msdev.exe
• dbgview.exe
• ollydbg.exe
• ctfmon.exe
• Proxifier.exe

Information Theft

This backdoor monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• /achupload
• /cmserver/
• /corpach/
• /ibws/
• /payments/ach
• /payments/ach
• /stbcorp/
• /wcmpr/
• /wcmpw/
• /wcmtr/
• /wiret
• achbatchlisting
• businessaccess.citibank.citigroup.com
• businessonline.huntington.com
• businessonline.tdbank.com
• cbs.firstcitizensonline.com
• chsec.wellsfargo.com
• commercial.wachovia.com
• commercial2.wachovia.com
• commercial3.wachovia.com
• commercial4.wachovia.com
• cpw-achweb.bankofamerica.com
• ctm.53.com
• directpay.wellsfargo.com
• express.53.com
• goldleafach.com
• iachwellsprod.wellsfargo.com
• itreasury.regions.com
• itreasurypr.regions.com
• scotiaconnect.scotiabank.com
• tcfexpressbusiness.com
• trz.tranzact.org
• trz.tranzact.org
• wc.wachovia.com
• wcp.wachovia.com
• webexpress.tdbank.com
• wellsoffice.wellsfargo.com

It sends the information it gathers to remote sites.

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• facebook.com/login.php

It prevents users from visiting antivirus-related websites that contain the following strings:

• explabs
• sanasecurity
• phishtank.com
• hautesecure.com
• truste.com
• clearclouddns
• webroot.
• agnitum
• ahnlab
• arcabit
• avast
• avg
• avira
• avp
• bitdefender
• bit9
• castlecops
• centralcommand
• clamav
• comodo
• computerassociates
• cpsecure
• defender
• drweb
• emsisoft
• esafe
• .eset
• etrust
• ewido
• fortinet
• f-prot
• f-secure
• gdata
• grisoft
• hacksoft
• hauri
• ikarus
• jotti
• k7computing
• kaspersky
• malware
• mcafee
• networkassociates
• nod32
• norman
• norton
• panda
• pctools
• prevx
• quickheal
• rising
• rootkit
• securecomputing
• sophos
• spamhaus
• spyware
• sunbelt
• symantec
• threatexpert
• threatfire
• trendmicro
• virus
• wilderssecurity
• windowsupdate
• update.microsoft
• download.microsoft

NOTES:

It is capable of connecting to a certain IRC server using a certain port and joins a channel where it receives commands from a malicious user. It sends the following information to its C&C server:

• cookie
• data
• dnsname
• domain
• ex_module
• exe
• ext_ip
• hostname
• install_time
• is_admin
• lb
• login
• nick
• os
• pass
• qbot_version
• referer
• th_title
• url
• user

It gathers passwords by monitoring the following applications:

• aim.exe
• firefox.exe
• iexplore.exe
• msmsgs.exe
• msnmsgr.exe
• opera.exe
• outlook.exe
• skype.exe
• wscntfy.exe
• wuauclt.exe
• yahoomessenger.exe

This backdoor monitors the following site activities:

• googleusercontent.com
• salesforce.com
• storage.live.com
• messenger.live.com
• twimg.com
• api.skype.com
• mail.google.com
• bing.com
• playtoga.com
• data.mozilla.com
• crash-reports.mozilla.com
• hotbar.com
• lphbs.com
• contacts.msn.com
• search.msn.com
• clients.mindbodyonline.com
• loyaltyconnect.ihg.com
• amazonaws.com
• audatexsolutions.com
• mail.services.live.com
• etsy.com
• king.com
• phantomefx.com
• facebook.com
• gator.com
• doubleclick.
• zango.com
• 180solutions.com
• wildtangent.com
• webhancer.com
• tbreport.bellsouth.net
• spamblockerutility.com
• internet-optimizer.com
• adworldmedia.com
• seekmo.com
• r777r.info
• sipuku.com
• eorezo.com
• newasp.com.cn
• wpzkq.com
• radialpoint.com
• owlforce.com
• microsoft.com
• localhost
• 127.0.0.1
• securestudies.com
• farmville.com
• mybrowserbar.com
• auditude.com
• digitalmediacommunications.com
• mapquest.com
• kixeye.com
• myshopres.com
• conduit-services.com
• zynga.com
• 5min.com
• netflix.com
• tubemogul.com
• youtube.com
• brightcove.com
• mochibot.com
• fwmrm.net
• mendeley.com