Channel: Symantec Connect - Blog entries

Support Perspective and Battle Plan: W32.Qakbot 2016


I. BACKGROUND:

On Thanksgiving weekend 2009, the threat landscape exploded with multiple global outbreaks of W32.Qakbot. That run lasted through January of 2010, and recurred in 2011 and in 2013. Over the last few years, Symantec Security Response has written blogs on what you should know, its prevention, and explained why and what is being stolen. Since then, Qakbot has made many changes to how it spreads through an environment and how it exfiltrates data. As of January 2016, a new run of Qakbot outbreaks has started to pop up.

II. THREAT DETAILS:

W32.Qakbot scans for mapped drives and attempts to spread to open shares and to shares with common passwords. It then downloads a configuration file and, based on that, carries out its functions. In the past, Qakbot has used Autorun, scheduled tasks, open shares, and OS and plugin vulnerabilities to propagate.

The current campaign uses the following files:

  • %UserProfile%\Application Data\Microsoft\[random_directory]\[random_name].dll
    Encrypted configuration data (not actually a DLL)

  • %UserProfile%\Application Data\Microsoft\[random_directory]\[random_name].exe
    A backup copy of the original file

  • %UserProfile%\Local Settings\Temp\~[random_name].tmp
    An empty tmp file

How it spreads:

  • W32.Qakbot uses AutoPlay (autorun.inf) files to launch remotely (older versions only)
  • W32.Qakbot copies itself to open shares
  • W32.Qakbot copies itself to password protected shares with weak passwords
  • W32.Qakbot’s current iteration does not appear to be using vulnerabilities, but this can change quickly

Quickly Appearing Variants:

Qakbot downloads new versions frequently to evade antivirus signatures. Each new wave carries a list of domains and FTP accounts that it can reach out to and download from.

Communication for the current Qakbot campaign:


Symantec Endpoint Protection:
Antivirus Signatures:

Intrusion Prevention Signatures:

System Infected: W32.Qakbot Activity 10

Applying the 5 Steps of Virus Troubleshooting to a W32.Qakbot Outbreak 
AKA 
The Qakbot Battle Plan

Step 1. Identify the threat

  • This means getting AV detection on any new (undetected) samples.

Step 2. Identify infected machines:

  • Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
  • The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
  • Traffic to known W32.Qakbot domains is a good indicator of a potentially infected machine.
  • Protecting and managing fileservers is often the key to solving any outbreak scenario. - Unprotected NAS devices are at risk!

Step 3. Quarantine the infected/unprotected/under protected machines: 

  • Qakbot updates itself VERY quickly and that "unprotected server in the closet" will pull down an as-yet-undetected variant sooner or later, infecting the whole network once again.
  • Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
  • Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

Step 4. Clean the infected machines:

  • Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
  • Don’t forget file servers. This bears repeating.
  • Watch scan logs closely for indications of “Reboot required” or results that indicate a potential issue, such as “Quarantine failed”.

Step 5. Prevent future outbreaks:

  • AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
  • An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in its tracks.
  • Remove write access on shares from users who do not need this level of access.
  • Maintain a strict patching regimen. Qakbot and threats like it often add new capabilities in response to new vulnerabilities.
  • Infected customers should block the Command and Control (C&C) servers or they will quickly become re-infected with new variants.
  • Once clean, upgrade to the newest version of SEP 12.1 with SONAR and Download Insight.
  • Review mailserver policies allowing

III. Questions and Answers

Q - How does this spread, once in the network?
A - Open shares. Closing these shares, removing infected machines from the network, or dropping infected machines to a quarantined subnet will keep this from spreading. Enabling Network Auto-Protect will also help. Some variants use a limited brute-force password attack against network shares, and account lockouts can indicate that an infected machine is trying to muscle its way in.
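The two indicators named in Step 2 and in the answer above, traffic to known Qakbot domains and a single host locking out several accounts, can be checked against exported logs. The script below is an added example and not Symantec tooling; the domain list, proxy lines and lockout records are constructed placeholders (the lockout records mirror what Security event 4740 reports as the "Caller Computer Name").

```powershell
# Added example: flag hosts that contacted block-listed domains, and hosts that
# are the source of lockouts for several distinct accounts.
$QakbotDomains = @('c2-placeholder-1.example', 'c2-placeholder-2.example')  # constructed

# Constructed proxy log lines in the form "timestamp client destination".
$ProxyLog = @(
    '2016-01-12T09:01:02 10.0.5.21 c2-placeholder-1.example',
    '2016-01-12T09:01:05 10.0.5.22 intranet.corp.example',
    '2016-01-12T09:02:10 10.0.5.21 update.c2-placeholder-2.example',
    '2016-01-12T09:03:44 10.0.5.40 c2-placeholder-1.example'
)

# Constructed lockout records (event 4740: locked-out account and caller computer).
$Lockouts = @(
    [pscustomobject]@{ Account = 'jdoe';   Caller = 'WS-0521' },
    [pscustomobject]@{ Account = 'asmith'; Caller = 'WS-0521' },
    [pscustomobject]@{ Account = 'bjones'; Caller = 'WS-0521' },
    [pscustomobject]@{ Account = 'cwu';    Caller = 'WS-0700' }
)

function Find-QakbotC2Clients {
    param([string[]]$Lines, [string[]]$Domains)
    $hits = @{}   # client IP -> list of block-listed destinations it contacted
    foreach ($line in $Lines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 3) { continue }
        $client = $fields[1]; $dest = $fields[2].ToLower()
        foreach ($d in $Domains) {
            # Match the domain itself or any subdomain of it.
            if ($dest -eq $d -or $dest.EndsWith(".$d")) {
                if (-not $hits.ContainsKey($client)) { $hits[$client] = @() }
                if ($hits[$client] -notcontains $dest) { $hits[$client] += $dest }
            }
        }
    }
    return $hits
}

function Find-LockoutSources {
    param([object[]]$Events, [int]$Threshold = 3)
    # One caller locking out several different accounts is the share brute-force
    # pattern described above; a user mistyping one password is not.
    $Events | Group-Object -Property Caller |
        Where-Object { @($_.Group.Account | Sort-Object -Unique).Count -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ Caller = $_.Name; Accounts = @($_.Group.Account | Sort-Object -Unique) } }
}

$c2 = Find-QakbotC2Clients -Lines $ProxyLog -Domains $QakbotDomains
foreach ($client in $c2.Keys) { "C2 contact: $client -> $($c2[$client] -join ', ')" }
Find-LockoutSources -Events $Lockouts | ForEach-Object { "Lockout source: $($_.Caller) ($($_.Accounts -join ', '))" }
```

With the constructed input this reports 10.0.5.21 and 10.0.5.40 as C2 contacts and WS-0521 as a lockout source; WS-0700 stays below the threshold.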

Q - How did this get into my network?
A – The current campaign seems to be relying on JavaScript-embedded emails, and stopping that kind of content at the mail gateway is a solid step towards prevention. Because it relies on open shares, though, the vector can just as easily be an infected portable drive or laptop introduced into the network.

Q - Will patching vulnerabilities help me stop this threat in my network?
A - No. A vulnerability may have been the door, but the threat has already come in. These vulnerabilities should be patched ASAP (along with any other holes in the environment), but this will not counter an already-live infection.

Q - Why am I seeing so many variants of this threat?
A - The threat is being constantly repacked to avoid detection.

Q - I keep getting new variants of this threat on my protected, patched machine. Why?
A - Unprotected/under-protected machines in the environment are actively downloading repackaged variants. If these machines have open shares in common with your otherwise protected machine, they are a direct conduit for repackaged variants. Alternately, there might already be an undetected Qakbot on that machine and a Loadpoint report should be collected.

Q - The write-up says May 7th, 2009. Will definitions on or after this date catch my W32.Qakbots?
A - Possibly, but probably not. Detection has been modified to include dozens if not hundreds of repackaged variants. For the spike in Qakbot activity in January 2016, new definitions needed to detect new variants have been released multiple times daily. For January 2016 we have already updated detection 32 times.

Q – Why aren’t you detecting or creating detection for all the files I submitted?
A – Qakbot uses an encrypted settings file that is named to look like a DLL. The file isn’t a .DLL and has no executable header, and therefore can take no malicious actions in and of itself. Symantec does not create detection for these settings files. Also, once the ISPs begin to filter and block the sites that Qakbot is using to host its files, these sites replace the Qakbot content of the files requested by the threat with HTML notifying the user that the site has been closed.
If unsure, you can look at these files safely using a text editor to see what domain the files are coming from. Current AV products are not able to safely delete these files, since there is nothing to distinguish them from legitimate files.

Q - Are there URLs and Domains I should be blocking at the firewall?
A - Yes. See Section II.

Q - What about the scheduled tasks?
A - Older variants of Qakbot download .job files (scheduled tasks) in order to automatically launch the threat. While we haven’t seen any in the present run, it’s important to note that these files are not malicious in themselves but do indicate that the threat does, or did, have access to one of the hosting sites. These should be deleted manually.

Q - What about Autorun?
A - New variants of Qakbot haven’t been using this, but several of the older variants do, and the threat changes quickly. This can allow the threat to load directly into memory and thereby avoid AV detection. AutoPlay should be disabled either with a GPO or an ADC policy, just in case.

Q – I’m no longer able to update SAV or SEP. Why?
A – New variants of Qakbot may block access to URLs of security companies like Symantec. They can also change permissions to “Program Files\Common Files\Symantec Shared”.

What W32.Qakbot is not:

  • It isn’t a file infector. W32.Qakbot does not infect files, and detected samples should be quarantined or deleted.
  • It isn’t magic. It’s easy to panic in an outbreak, but don’t let your imagination run away with you and let you attribute all unexpected behaviors to the malware. There is actually nothing unusual about this worm’s ability to spread. Its biggest feature is the number of variants it can quickly download into an environment.
  • It isn’t gone. Historically, Qakbot has wrought havoc for a few months before going dormant, only to flare back up again. Stay vigilant. Once clean, strongly consider a full implementation of SEP 12.1.
  • It isn’t a targeted attack.  There are no indications that this campaign is a targeted attack, at this time.

IV. FIXTOOL SECTION

Q - Is there a fixtool geared towards the Qakbot variants found in 2016?
A - No. The fixtool that is currently posted was designed for variants from 2011. The currently supported versions of SEP are capable of remediation.

V. QAKBOT MITIGATION POSTURE

While the majority of our customers have a strong security posture and are relatively unfazed, some other environments have a more relaxed posture. It is in these networks that Qakbot thrives.
If you're battling a seemingly endless stream of Qakbot issues in a network, verify the following questions about your "Qakbot Mitigation Posture".

Note: This is not necessarily a checklist of everything you must do, but a way to understand where your environment may need to be scrutinized.

  • Autorun / AutoPlay Disabled?
  • Open File Shares Closed/Password Protected? Strong Passwords?
  • All Unprotected machines removed from the network and queued for updates/cleaning/protection?
  • Known Qakbot URLs blocked at the Client Firewall to prevent mobile machines from infecting others with a new variant?
  • Qakbot URLs blocked at the Perimeter Firewall?
  • SEP AutoProtect set to load at System Startup?
  • SEP Network AutoProtect enabled?
  • Qakbot Application and Device Control policy implemented?
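Three of the posture items above (AutoPlay, open shares, C&C blocked at the client firewall) and the matching Step 5 items can be audited read-only from an elevated PowerShell session. This script is an added example, not Symantec tooling; it assumes Windows 8 / Server 2012 or later for the SmbShare and NetSecurity cmdlets, and $QakbotAddresses is a constructed placeholder list (the real addresses come from Section II).

```powershell
# Added example: read-only Qakbot posture audit. Nothing here changes settings.
$QakbotAddresses = @('192.0.2.10', '192.0.2.11')   # constructed placeholders, not real C&C

function Test-AutoPlayDisabled {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun/AutoPlay for every drive type (GPO writes it here).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    return $false
}

function Get-OpenShare {
    # "Open share" as used on this page: writable without credentials, i.e. granted to
    # Everyone, Anonymous or Guest. Admin shares (C$, ADMIN$, IPC$) are skipped.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -match '^(Everyone|ANONYMOUS LOGON|.*\\Guest)$' -and
            $_.AccessRight -in 'Change', 'Full'
        } | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Account = $_.AccountName; Right = $_.AccessRight }
        }
    }
}

function Test-C2Blocked {
    param([string[]]$Addresses)
    # Collect remote addresses of every enabled outbound block rule, then check each
    # C&C address is listed. Exact match only: ranges or CIDR blocks are not expanded.
    $blocked = @()
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object { $blocked += (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress }
    foreach ($a in $Addresses) {
        [pscustomobject]@{ Address = $a; Blocked = ($blocked -contains $a) }
    }
}

"AutoPlay disabled: $(Test-AutoPlayDisabled)"
"Open shares (Everyone/Guest with Change or Full):"
Get-OpenShare | Format-Table -AutoSize
"Outbound client-firewall block rules for known C&C:"
Test-C2Blocked -Addresses $QakbotAddresses | Format-Table -AutoSize
```

Run it on the file servers and NAS heads first, since the text above singles those out as the machines that keep an outbreak alive.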

Vulnerability Mitigation

  • Windows and Internet Explorer
  • Apple QuickTime up to date and patched
  • Java and Javascript up to date and patched

VI. REFERENCES:
