BKDR_QAKBOT.MEOQ

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It prevents users from visiting antivirus-related websites that contain specific strings. It deletes itself after execution.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

• %Application Data%\Microsoft\{random folder}\{random file name}.dll
• %Application Data%\Microsoft\{random folder}\{random file name}32.dll

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %Application Data%\Microsoft\{random folder}\{random file name}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following processes:

• explorer.exe

It creates the following folders:

• %Application Data%\Microsoft\{random folder}

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It is injected into the following processes running in memory:

• created explorer.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random name} = "%All Users Profile%\Application Data\Microsoft\{random folder name}\{random file name}.exe"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random key}
ImagePath = "%Application Data%\Microsoft\{random folder}\{random file name}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random key}
DisplayName = "Remote Procedure Call (RPC) Service"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random key}

Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2500 = "3"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download and execute component files
• Download configuration and updates
• Download updated copy of itself
• Uninstall itself
• Kill processes
• Upload files containing stolen information
• Perform FTP functionalities

It connects to the following websites to send and receive information:

• http://{BLOCKED}t.{BLOCKED}izzade.com/pHVgHXc8g05qdgamO3ZHq.php
• http://{BLOCKED}s.{BLOCKED}mapress.com/pHVgHXc8g05qdgamO3ZHq.php

Process Termination

This backdoor terminates the following processes if found running in the affected system's memory:

• msdev.exe
• dbgview.exe
• ollydbg.exe
• ctfmon.exe
• Proxifier.exe

Information Theft

This backdoor monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• .hsbcnet.com
• .web-access.com
• .webcashmgmt.com
• /achupload
• /cashman/
• /cashplus/
• /clkccm/
• /cmserver/
• /corpach/
• /ibws/
• /payments/ach
• /stbcorp/
• /wcmpr/
• /wcmpw/
• /wcmtr/
• /wires/
• /wiret
• access.jpmorgan.com
• accessonline.abnamro.com
• achbatchlisting
• bankeft.com
• blilk.com
• business-eb.ibanking-services.com
• businessaccess.citibank.citigroup.com
• businessbankingcenter.synovus.com
• businessinternetbanking.synovus.com
• businessonline.huntington.com
• businessonline.tdbank.com
• cashmanageronline.bbt.com
• cashproonline.bankofamerica.com
• cbs.firstcitizensonline.com
• chsec.wellsfargo.com
• cmol.bbt.com
• cmoltp.bbt.com
• commercial.bnc.ca
• commercial.wachovia.com
• commercial2.wachovia.com
• commercial3.wachovia.com
• commercial4.wachovia.com
• corporatebanking
• cpw-achweb.bankofamerica.com
• ctm.53.com
• directline4biz.com
• directpay.wellsfargo.com
• e-facts.org
• e-moneyger.com
• each.bremer.com
• ebanking-services.com
• ebc_ebc
• express.53.com
• firstmeritib.com
• firstmeritib.com/defaultcorp.aspx
• goldleafach.com
• iachwellsprod.wellsfargo.com
• ibc.klikbca.com
• iris.sovereignbank.com
• itreasury.regions.com
• itreasurypr.regions.com
• jsp/mainWeb.jsp
• ktt.key.com
• moneymanagergps.com
• netconnect.bokf.com
• nj00-wcm
• ocm.suntrust.com
• onlineserv/CM
• otm.suntrust.com
• paylinks.cunet.org
• premierview.membersunited.org
• providentnjolb.com
• scotiaconnect.scotiabank.com
• securentrycorp.amegybank.com
• securentrycorp.zionsbank.com
• singlepoint.usbank.com
• svbconnect.com
• tcfexpressbusiness.com
• tdetreasury.tdbank.com
• tmcb.zionsbank.com
• tmconnectweb
• treas-mgt.frostbank.com
• treasury.pncbank.com
• trz.tranzact.org
• tssportal.jpmorgan.com
• wc.wachovia.com
• wcp.wachovia.com
• web-cashplus.com
• webexpress.tdbank.com
• wellsoffice.wellsfargo.com

It gathers the following data:

• GeoIP locations
• Browser cookies
• Flash cookies
• Network information
• System information
• FTP, POP3, IMAP, SMTP, HTTPMail, NNTP Passwords
• Outlook login credentials
• Private keys from system certificates
• Login credentials for certain websites
• Internet sessions

Other Details

This backdoor connects to the following URL(s) to get the affected system's IP address:

• www.ip-adress.com

It prevents users from visiting antivirus-related websites that contain the following strings:

• .eset
• agnitum
• ahnlab
• arcabit
• avast
• avg
• avira
• avp
• bit9
• bitdefender
• castlecops
• centralcommand
• clamav
• clearclouddns
• comodo
• computerassociates
• cpsecure
• defender
• download.microsoft.
• drweb
• emsisoft
• esafe
• etrust
• ewido
• explabs.
• f-prot
• f-secure
• fortinet
• gdata
• grisoft
• hacksoft
• hauri
• hautesecure.com
• ikarus
• jotti
• k7computing
• kaspersky
• malware
• mcafee
• networkassociates
• nod32
• norman
• norton
• panda
• pctools
• phishtank.com
• prevx
• quickheal
• rising
• rootkit
• sanasecurity
• securecomputing
• sophos
• spamhaus
• spyware
• sunbelt
• symantec
• threatexpert
• threatfire
• trendmicro
• truste.com
• update.microsoft.
• virus
• webroot.
• wilderssecurity
• windowsupdate

It deletes itself after execution.

NOTES:

This backdoor is capable of connecting to a certain IRC server using a certain port and joins a channel where it receives commands from a malicious user. It sends the following information to its C&C server:

• ext_ip
• dnsname
• hostname
• user
• domain
• is_admin
• os
• qbot_version
• install_time
• exe

This backdoor gathers passwords by monitoring the following applications:

• aim.exe
• firefox.exe
• iexplore.exe
• msmsgs.exe
• msnmsgr.exe
• opera.exe
• outlook.exe
• skype.exe
• wscntfy.exe
• wuauclt.exe
• yahoomessenger.exe

It also steals stored passwords, cache and cookies from the following servers:

• 001e6608
• 001e6607
• Email
• HTTP Server URL
• HTTP User
• HTTPMail Server
• HTTPMail User Name
• IMAP Server
• IMAP User
• IMAP User Name
• NNTP Email Address
• NNTP Server
• NNTP User Name
• POP3 Server
• POP3 User
• POP3 User Name
• SMTP Email Address
• SMTP Server
• SMTP User
• SMTP User Name

It also monitors the browsing activities of the infected computer and logs all information related to websites containing the following strings:

• .5min.com
• 127.0.0.1
• 180solutions.com
• .adworldmedia.com
• .amazonaws.com
• .bing.com
• .gator.com
• .microsoft.com
• .mozilla.com
• .mozilla.org
• .twimg.com
• \.king.com
• api.skype.com
• audatexsolutions.com
• auditude.com
• brightcove.com
• clients.mindbodyonline.com
• conduit-services.com
• contacts.msn.com
• digitalmediacommunications.com
• doubleclick.
• eorezo.com
• etsy.com
• facebook.com
• farmville.com
• fwmrm.net
• googleusercontent.com
• hotbar.com
• internet-optimizer.com
• kixeye.com
• localhost
• loyaltyconnect.ihg.com
• lphbs.com
• mail.google.com
• mail.services.live.com
• mapquest.com
• mendeley.com
• messenger.live.com
• mochibot.com
• mybrowserbar.com
• myshopres.com
• netflix.com
• newasp.com.cn
• owlforce.com
• phantomefx.com
• playtoga.com
• r777r.info
• radialpoint.com
• salesforce.com
• search.msn.com
• securestudies.com
• seekmo.com
• sipuku.com
• spamblockerutility.com
• storage.live.com
• tbreport.bellsouth.net
• tubemogul.com
• webhancer.com
• wildtangent.com
• wpzkq.com
• youtube.com
• zango.com
• zynga.com

It uses the following user names and passwords to gain access to password-protected shares:

• 123
• password
• Password
• letmein
• 1234
• 12345
• 123456
• 1234567
• 12345678
• 123456789
• 1234567890
• qwerty
• love
• iloveyou
• princess
• pussy
• master
• monkey
• abc123
• 99999999
• 9999999
• 999999
• 99999
• 9999
• 999
• 99
• 9
• 88888888
• 8888888
• 888888
• 88888
• 8888
• 888
• 88
• 8
• 77777777
• 7777777
• 777777
• 77777
• 7777
• 777
• 77
• 7
• 66666666
• 6666666
• 666666
• 66666
• 6666
• 666
• 66
• 6
• 55555555
• 5555555
• 555555
• 55555
• 5555
• 555
• 55
• 5
• 44444444
• 4444444
• 444444
• 44444
• 4444
• 444
• 44
• 4
• 33333333
• 3333333
• 333333
• 33333
• 3333
• 333
• 33
• 3
• 22222222
• 2222222
• 222222
• 22222
• 2222
• 222
• 22
• 2
• 11111111
• 1111111
• 111111
• 11111
• 1111
• 111
• 11
• 1
• 00000000
• 0000000
• 00000
• 0000
• 000
• 00
• 0987654321
• 987654321
• 87654321
• 7654321
• 654321
• 54321
• 4321
• 321
• 21
• 12
• super
• secret
• server
• computer
• owner
• backup
• database
• lotus
• oracle
• business
• manager
• temporary
• ihavenopass
• nothing
• nopassword
• nopass
• Internet
• internet
• example
• sample
• love123
• boss123
• work123
• home123
• mypc123
• temp123
• test123
• qwe123
• pw123
• root123
• pass123
• pass12
• pass1
• admin123
• admin12
• admin1
• password123
• password12
• password1
• default
• foobar
• foofoo
• temptemp
• temp
• testtest
• test
• rootroot
• root
• fuck
• zzzzz
• zzzz
• zzz
• xxxxx
• xxxx
• xxx
• qqqqq
• qqqq
• qqq
• aaaaa
• aaaa
• aaa
• sql
• file
• web
• foo
• job
• home
• work
• intranet
• controller
• killer
• games
• private
• market
• coffee
• cookie
• forever
• freedom
• student
• account
• academia
• files
• windows
• monitor
• unknown
• anything
• letitbe
• domain
• access
• money
• campus
• explorer
• exchange
• customer
• cluster
• nobody
• codeword
• codename
• changeme
• desktop
• security
• secure
• public
• system
• shadow
• office
• supervisor
• superuser
• share
• adminadmin
• mypassword
• mypass
• pass
• Login
• login
• passwd
• zxcvbn
• zxcvb
• zxccxz
• zxcxz
• qazwsxedc
• qazwsx
• q1w2e3
• qweasdzxc
• asdfgh
• asdzxc
• asddsa
• asdsa
• qweasd
• qweewq
• qwewq
• nimda
• administrator
• Admin
• admin
• a1b2c3
• 1q2w3e
• 1234qwer
• 1234abcd
• 123asd
• 123qwe
• 123abc
• 123321
• 12321
• 123123
• James
• John
• Robert
• Michael
• William
• David
• Richard
• Charles
• Joseph
• Thomas
• Christopher
• Daniel
• Paul
• Mark
• Donald
• George
• Kenneth
• Steven
• Edward
• Brian
• Ronald
• Anthony
• Kevin
• Mary
• Patricia
• Linda
• Barbara
• Elizabeth
• Jennifer
• Maria
• Susan
• Margaret
• Dorothy
• Lisa
• Nancy
• Karen
• Betty
• Helen
• Sandra
• Donna
• Carol
• james
• john
• robert
• michael
• william
• david
• richard
• charles
• joseph
• thomas
• christopher
• daniel
• paul
• mark
• donald
• george
• kenneth
• steven
• edward
• brian
• ronald
• anthony
• kevin
• mary
• patricia
• linda
• barbara
• elizabeth
• jennifer
• maria
• susan
• margaret
• dorothy
• lisa
• nancy
• karen
• betty
• helen
• sandra
• donna
• carol
• baseball
• dragon
• football
• mustang
• superman
• 696969
• batman
• trustno1

It terminates itself when executed in the following Virtual Environments:

• Virtual HD
• VirtualProtect
• VirtualBox
• CWSandbox
• VMWare