W32.Qakbot - What You Should Know

Tom172
Thread author
Feb 11, 2011
W32.Qakbot is a pretty serious piece of malware that’s been doing the rounds since mid-2009. It is one of a family of threats that are consistently causing trouble, constantly being updated whenever new attack techniques or developments arise.

"VmWare aware, deletes itself if a VM is detected." :( Darn it... I wanted to find this and give it a run for its money.
 
So that's why when I tested it it failed to do anything. It's quite annoying :(
 
MrXidus said:
"VmWare aware, deletes itself if a VM is detected." :( Darn it... I wanted to find this and give it a run for its money.

bbbbweb said:
So that's why when I tested it it failed to do anything. It's quite annoying :(

From the Whitepaper

If Qakbot was not previously installed, the following operations take place.

Initially, Qakbot checks if it is running in a honeypot or a system it wishes to avoid, such as virtual machines.

If Internet Explorer is running in protected mode (by using the ieframe.dll!IEIsProtectedModeProcess), Qakbot will end.

If MS Office or Project or Citrix are installed, Qakbot assumes it is not in a honeypot and will not check if it is in a virtual machine.

Otherwise, the threat checks a variety of settings to determine if it is running within a virtual machine and if so, it informs the attacker through an HTTP POST query and terminates. Recent variants would use the URL hxxp://bgstat.in/6.

However, one exception exists where even if a virtual machine is detected, if the file “c:\irc.log” exists, Qakbot proceeds. This was likely used for the attackers' own testing purposes.

So if MS Office or Project or Citrix are installed in a VM, it will run apparently.
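For analysts setting up a sandbox, the whitepaper excerpt above is really a small decision tree, and the order of the checks matters (IE protected mode ends the sample before any Office or irc.log exception is considered). The following is an added example written for this thread, not code from the whitepaper or the thread's posters: it models only the conditions the excerpt states, using assumed field names, and enumerates which VM-based configurations would let the sample run at all. The sample's actual VM heuristics are not described in the excerpt, so they are represented by a single flag.

```python
"""Model of the anti-analysis decision tree described in the Symantec
whitepaper excerpt, written as a sandbox-configuration checker.
Constructed example: the field and function names are assumptions made
for illustration; only the conditions stated in the excerpt are encoded."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class AnalysisEnv:
    """Observable properties of an analysis box (assumed field names)."""
    ie_protected_mode: bool   # IE running in protected mode (ieframe.dll!IEIsProtectedModeProcess)
    office_or_project: bool   # MS Office or MS Project installed
    citrix: bool              # Citrix installed
    looks_like_vm: bool       # the sample's own VM heuristics fire (details unspecified in the excerpt)
    irc_log_present: bool     # the file c:\irc.log exists


def qakbot_would_proceed(env: AnalysisEnv) -> tuple[bool, str]:
    """Walk the excerpt's checks in the order it lists them and return
    (proceeds?, reason). False means the sample ends before installing,
    so a sandbox in that state records nothing useful."""
    if env.ie_protected_mode:
        return False, "IE protected mode detected: sample ends"
    if env.office_or_project or env.citrix:
        # Office / Project / Citrix present: assumed not a honeypot, VM check skipped
        return True, "productivity software present: VM check skipped"
    if env.looks_like_vm:
        if env.irc_log_present:
            return True, "VM detected but c:\\irc.log present: override, proceeds"
        return False, "VM detected: reports via HTTP POST and terminates"
    return True, "no evasion trigger: proceeds"


def viable_sandbox_configs() -> list[AnalysisEnv]:
    """Enumerate every combination of the five conditions and keep the ones
    in which the sample would still run on a box its VM heuristics flag."""
    viable = []
    for bits in product([False, True], repeat=5):
        env = AnalysisEnv(*bits)
        if env.looks_like_vm and qakbot_would_proceed(env)[0]:
            viable.append(env)
    return viable


if __name__ == "__main__":
    for env in viable_sandbox_configs():
        print(env, "->", qakbot_would_proceed(env)[1])
```

Running it lists the seven VM configurations that survive the tree: every one has IE protected mode off and at least one of Office/Project, Citrix, or c:\irc.log present, which is the practical takeaway for anyone who, like the posters above, found the sample silently doing nothing in a stock VM.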

Yes, very interesting Malware. Quite old, but still going strong.