W32.Qakbot - What You Should Know

Tom172

Level 1
Thread author
Feb 11, 2011
1,009
W32.Qakbot is a pretty serious piece of malware that’s been doing the rounds since mid-2009. It is one of a family of threats that are consistently causing trouble, constantly being updated whenever new attack techniques or developments arise.

 

McLovin

Level 78
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
Nice find. I better watch out for this dangerous piece of malware.
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
"VmWare aware, deletes itself if a VM is detected." :( Darn it... I wanted to find this and give it a run for its money.
 
Vextor

So that's why when I tested it, it failed to do anything. It's quite annoying :(
 

Tom172

Level 1
Thread author
Feb 11, 2011
1,009
MrXidus said:
"VmWare aware, deletes itself if a VM is detected." :( Darn it... I wanted to find this and give it a run for its money.

bbbbweb said:
So that's why when I tested it, it failed to do anything. It's quite annoying :(

From the Whitepaper

If Qakbot was not previously installed, the following operations take place.

Initially, Qakbot checks if it is running in a honeypot or a system it wishes to avoid, such as virtual machines.

If Internet Explorer is running in protected mode (by using the ieframe.dll!IEIsProtectedModeProcess), Qakbot will end.

If MS Office or Project or Citrix are installed, Qakbot assumes it is not in a honeypot and will not check if it is in a virtual machine.

Otherwise, the threat checks a variety of settings to determine if it is running within a virtual machine and if so, it informs the attacker through an HTTP POST query and terminates. Recent variants would use the URL hxxp://bgstat.in/6.

However, one exception exists where even if a virtual machine is detected, if the file “c:\irc.log” exists, Qakbot proceeds. This was likely used for the attackers' own testing purposes.

So if MS Office or Project or Citrix are installed in a VM, it will run, apparently.

Yes, very interesting Malware. Quite old, but still going strong.
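The first-run checks quoted from the whitepaper above, as an added example for sandbox analysts that is not part of the original thread or the whitepaper: it predicts whether an analysis machine will see any behaviour, and scans proxy logs for the VM report POST. The `SandboxProfile` fields, the function names and the log line format are assumptions made for this example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

REPORT_HOST = "bgstat.in"  # host of the defanged URL quoted in the post

@dataclass
class SandboxProfile:  # hypothetical description of an analysis machine
    ie_protected_mode: bool
    office_project_or_citrix: bool
    looks_like_vm: bool
    irc_log_present: bool  # c:\irc.log exists

def predict_first_run(p):
    """Apply the checks in the order the whitepaper excerpt lists them."""
    if p.ie_protected_mode:
        return "exits: IE protected mode"
    if p.office_project_or_citrix:
        return "proceeds: VM check skipped"
    if not p.looks_like_vm:
        return "proceeds: no VM detected"
    if p.irc_log_present:
        return "proceeds: irc.log exception"
    return "exits: VM reported via HTTP POST"

def find_vm_reports(proxy_lines):
    """Return (client, url) for each POST to the report host.
    Assumed log format: '<client> <method> <url> <status>'."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 3 or parts[1].upper() != "POST":
            continue
        host = (urlsplit(parts[2]).hostname or "").lower()
        # Exact host or a subdomain; "notbgstat.in" must not match.
        if host == REPORT_HOST or host.endswith("." + REPORT_HOST):
            hits.append((parts[0], parts[2]))
    return hits

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.com/ 200",
    f"10.0.0.9 POST http://{REPORT_HOST}/6 200",
    f"10.0.0.7 POST http://not{REPORT_HOST}/6 200",
    f"10.0.0.9 GET http://{REPORT_HOST}/6 404",
]

if __name__ == "__main__":
    print(predict_first_run(SandboxProfile(False, False, True, False)))
    print(find_vm_reports(SAMPLE_LOG))
```

A POST hit in the proxy log is the sign that a sample ran on a machine it judged to be a VM and then terminated, which matches the "failed to do anything" result described in the thread.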
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
It's like Qakbot was mutated and the symptoms are dangerous.
 
