Recently I received a call to assist a potential customer with a virus outbreak in a segment of their network. The victim had been using a competitor's product, which unfortunately was not protecting them from the spread of this attack, and it was merely coincidence that this was discovered during their evaluation of Sophos.

I, and some of our professional services team, sprang into action to do what we could to help clean up the threat and assist with setting things right again. Once SophosLabs provided us with an analysis of the threat, the customer had a serious concern about data having been stolen by this bot and, it being a weekend, wanted as much information as possible about the extent of the damage this trojan/worm may have caused before the start of business on Monday.

I spent the better part of the weekend with the customer performing a forensic analysis of the malware's activity, and I thought I might share with you some detail on how Troj/Qbot-B operates.

In this case, the initial infection appeared to occur from downloading a malicious PDF file that exploited a vulnerability in Adobe Acrobat Reader on one user's computer. It dropped an EXE file in the C:\Windows folder named _qbotxxxxxxx.exe (the x's are random characters; the file is detected by Sophos Anti-Virus as Troj/Qbot-B).

Approximately one hour later the virus attempts to contact two different URLs to update itself (q1.dll) and potentially receive instructions (URLs that had been blocked by the Sophos Web Appliance more than one week prior to the infection). Upon receiving the updated DLL file it creates a directory, C:\Documents and Settings\All Users\_qbothome, and begins storing files there.

It appears to contain a userland rootkit: Windows Explorer is unable to see this folder or its contents, yet making a network connection to the C$ share or browsing from a command prompt discloses the presence of these files. Qbot installs itself as a service and modifies Windows registry entries to ensure it starts on system boot.

Qbot-B receives instructions and returns information about what it finds on your computers to remote hackers. Because the malware as shipped doesn't take any action of its own, but contacts the net for new payloads or instructions, we refer to it as a dropper. Once it is installed on your machine, it can be instructed to do just about anything its controllers choose.

After downloading q1.dll, Qbot makes a SOCKS proxy connection to another URL and attempts to join an IRC chatroom that is only accessible via an SSL connection from the SOCKS proxy. This makes it far more difficult for researchers to join the chatroom and potentially reverse engineer the capabilities of the malware.

In this instance, the controllers let the malware remain dormant on the workstation for eight days. They finally issued the bot instructions to recover data from the user's Internet Explorer data and the network connections established from the computer. It reported back the usernames, passwords and cookies stored in the browser, and the names of all the network shares accessed by the user since Windows was deployed on their computer. It is not entirely clear, but the data appears to have been encrypted before being submitted to the attacker.

The machine was also instructed to spread via file shares throughout the network and perform the same activities on other machines within the environment, creating a rather large mess. It is unclear which exploits it used during its spread, but it involves connecting to the IPC$ share, likely taking advantage of vulnerabilities in the Windows Server service. There are more details to this story, but this article is running a bit long.

My primary motive for sharing this story is the importance of deploying multiple layers of protection to protect your important data and ensure the integrity of your environment. With Sophos products alone, we had four or more opportunities to prevent the exposure of sensitive information, with the Anti-Virus, Web Security, NAC and Client Firewall solutions.

As threats mutate at ever faster rates it is more important than ever to ensure that your applications and OS are up to date, that data being retrieved from the internet is not poisoned, that unauthorized applications are not connecting to your computers, and of course that malware protection is up to date and preventing malware from infecting your computers in the first place. As a security administrator, you need only break one link in this chain to prevent your organization from being the next victim.
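The hidden _qbothome directory, the _qbot<random>.exe dropper in C:\Windows and the service and registry persistence described above give a responder three things to check on every machine in the affected segment. The Python below is added here as an illustration; it is not code from the original post or from any Sophos tool. It applies the cross-view trick the post relies on (compare the local Explorer listing of a directory with the listing obtained over the C$ admin share; whatever only the remote view returns was filtered by the userland rootkit) and matches the naming indicators against a file listing and a set of service image paths and Run-key values. The host listings, service name and registry value in the sample data are constructed, and the number of random characters in the dropper name is assumed to vary.

```python
import re

# Indicators taken from the write-up. The dropper is "_qbot" followed by random characters
# (the count is assumed to vary, so \w+ is used) and the working directory is "_qbothome"
# under the All Users profile.
QBOT_EXE = re.compile(r"^_qbot\w+\.exe$", re.IGNORECASE)
QBOT_HOME = re.compile(r"\\_qbothome(\\|$)", re.IGNORECASE)


def hidden_entries(local_view, share_view):
    """Cross-view diff of one directory.

    local_view: directory entries the local Explorer/shell enumeration returned.
    share_view: entries returned when the same directory is listed over the C$ admin share.
    A userland rootkit that filters the local enumeration does not filter what the Server
    service hands to a remote client, so entries present only in share_view were hidden.
    """
    local = {n.strip().lower() for n in local_view}
    remote = {n.strip().lower() for n in share_view}
    return sorted(remote - local)


def dropper_candidates(windows_dir_listing):
    """File names in C:\\Windows that match the _qbot<random>.exe naming pattern."""
    return [name for name in windows_dir_listing if QBOT_EXE.match(name)]


def persistence_hits(image_paths):
    """Service image paths and Run-key values that point at the dropper or its directory."""
    hits = []
    for name, image in image_paths.items():
        # Take the executable file name, ignoring quotes and any arguments after it.
        executable = image.strip('"').rsplit("\\", 1)[-1].split(" ")[0]
        if QBOT_HOME.search(image) or QBOT_EXE.match(executable):
            hits.append(name)
    return sorted(hits)


def triage(local_view, share_view, windows_dir_listing, image_paths):
    """Run all three checks and return what a responder should look at first."""
    return {
        "hidden": hidden_entries(local_view, share_view),
        "droppers": dropper_candidates(windows_dir_listing),
        "persistence": persistence_hits(image_paths),
    }


# Constructed sample evidence (not from the incident in the post).
LOCAL_ALL_USERS = ["Application Data", "Desktop", "Documents", "Favorites", "Start Menu"]
SHARE_ALL_USERS = ["Application Data", "Desktop", "Documents", "Favorites", "Start Menu", "_qbothome"]
WINDOWS_DIR = ["explorer.exe", "notepad.exe", "regedit.exe", "system32", "_qbotk3x9pq2.exe"]
IMAGE_PATHS = {
    "service:Server": r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    "service:Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
    "service:Updater": r"C:\WINDOWS\_qbotk3x9pq2.exe",  # constructed service name
    r"run:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Documents and Settings\All Users\_qbothome\_qbotk3x9pq2.exe",  # constructed value
}

if __name__ == "__main__":
    for check, result in triage(LOCAL_ALL_USERS, SHARE_ALL_USERS, WINDOWS_DIR, IMAGE_PATHS).items():
        print(f"{check}: {result}")
```

The cross-view diff is the part worth keeping in the toolbox: it works for any hiding technique that hooks local enumeration but leaves the Server service's view alone, which is exactly why the post found the folder over C$ and from a command prompt but not in Explorer. A kernel-mode rootkit that filters at the file system driver would hide from both views, so a clean result here does not prove a clean host.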
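The spreading behaviour described above (one infected workstation connecting to the IPC$ share on machine after machine) leaves a distinctive pattern in share-access audit logs: a single client address touching IPC$ on many different hosts within minutes, where a user would touch one or two. The Python below, added as an example and not part of the original post, parses constructed share-access records and flags that fan-out. The line format is invented for the example; the fields (reporting host, account, client address, share name) mirror what Windows share-access auditing records, and the IP addresses, host names and timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record shape for this example, one share access per line.
LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) evt=(?P<evt>\d+) account=(?P<account>\S+) "
    r"src=(?P<src>\S+) share=(?P<share>\S+)$"
)


def parse(text):
    """Parse share-access records; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def ipc_fanout(events, window=timedelta(minutes=10), threshold=5, allowlist=frozenset()):
    """Return {client: sorted hosts} for clients that reached IPC$ on at least `threshold`
    distinct hosts within any `window`. The allowlist is for hosts that legitimately do this
    (vulnerability scanners, software distribution servers), which would otherwise alert."""
    by_src = defaultdict(list)
    for e in events:
        if e["share"].upper().endswith("IPC$") and e["src"] not in allowlist:
            by_src[e["src"]].append((e["ts"], e["host"]))

    alerts = {}
    for src, touches in by_src.items():
        touches.sort()
        start = 0
        for end in range(len(touches)):
            # Slide the window so touches[start:end+1] all fall within `window`.
            while touches[end][0] - touches[start][0] > window:
                start += 1
            if len({h for _, h in touches[start:end + 1]}) >= threshold:
                # Report every host this client touched, for scoping the clean-up.
                alerts[src] = sorted({h for _, h in touches})
                break
    return alerts


# Constructed sample log: a spreading host (10.10.5.17), a normal user (10.10.5.40),
# a scanner (10.10.1.5) and one unrelated line. None of this is from the incident.
SAMPLE_LOG = r"""
2009-06-06T02:00:05Z host=FS01 evt=5140 account=svc_scan src=10.10.1.5 share=\\*\IPC$
2009-06-06T02:00:08Z host=WKS-021 evt=5140 account=svc_scan src=10.10.1.5 share=\\*\IPC$
2009-06-06T02:00:11Z host=WKS-022 evt=5140 account=svc_scan src=10.10.1.5 share=\\*\IPC$
2009-06-06T02:00:14Z host=WKS-023 evt=5140 account=svc_scan src=10.10.1.5 share=\\*\IPC$
2009-06-06T02:00:17Z host=WKS-024 evt=5140 account=svc_scan src=10.10.1.5 share=\\*\IPC$
2009-06-06T02:10:41Z host=FS01 evt=5140 account=jdoe src=10.10.5.40 share=\\*\Public
2009-06-06T02:10:42Z host=FS01 evt=5140 account=jdoe src=10.10.5.40 share=\\*\IPC$
2009-06-06T02:11:03Z host=FS01 evt=5140 account=asmith src=10.10.5.17 share=\\*\IPC$
2009-06-06T02:11:05Z host=WKS-021 evt=5140 account=ANONYMOUS src=10.10.5.17 share=\\*\IPC$
2009-06-06T02:11:09Z host=WKS-022 evt=5140 account=ANONYMOUS src=10.10.5.17 share=\\*\IPC$
2009-06-06T02:11:12Z host=WKS-023 evt=5140 account=ANONYMOUS src=10.10.5.17 share=\\*\IPC$
2009-06-06T02:11:20Z host=WKS-024 evt=5140 account=ANONYMOUS src=10.10.5.17 share=\\*\IPC$
2009-06-06T02:11:31Z host=WKS-025 evt=5140 account=ANONYMOUS src=10.10.5.17 share=\\*\IPC$
2009-06-06T02:12:00Z host=FS01 evt=4624 account=jdoe logon=ok
2009-06-06T02:15:10Z host=PRN01 evt=5140 account=jdoe src=10.10.5.40 share=\\*\IPC$
"""

if __name__ == "__main__":
    for src, hosts in ipc_fanout(parse(SAMPLE_LOG), allowlist={"10.10.1.5"}).items():
        print(f"{src} reached IPC$ on {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold and window need tuning per environment, and the allowlist is not optional in practice: any scanner or management server will look exactly like a worm to this logic, which is why the example reports the scanner when run without the allowlist and suppresses it with one.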