20170621

Backdoor: Win32/Qakbot.T

[External link]
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FQakbot.T
Also detected as: Trojan/Win32.Qakbot (AhnLab), W32/Trojan.XBYW-8720 (Command), Trojan.Win32.Bublik.ctep (Kaspersky), winpe/Kryptik.CEIY (Norman), Crypt3.AMDJ (AVG), TR/Kazy.442004 (Avira), BackDoor.Qbot.222 (Dr.Web), Win32/Qbot.BH trojan (ESET), W32/Bublik.CTEP!tr (Fortinet), Trojan.Win32.Bublik (Ikarus), TROJ_SPNR.03J714 (Trend Micro).
Threat behavior
Installation

This threat can be installed by exploit kits, such as Sweet Orange. It can also spread using infected network and removable drives, such as USB flash drives. It installs a copy of itself on all accessible drives and network shares, using a random file name. The dropped copy can be run remotely.

The trojan is installed to %APPDATA%\Microsoft\<random folder name>\<random file name>, along with a dynamic link library (DLL) file that contains encrypted configuration data. The folder and file names are the same, for example:

%APPDATA%\Microsoft\ypoplkc\ypoplkc.exe
%APPDATA%\Microsoft\ypoplkc\ypoplkc.dll
Registry modifications

The malware creates the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random value name>
With data: "%APPDATA%\Microsoft\<random folder name>\<random file name>"

The malware installs itself as a Windows service by modifying the following registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>

Sets value: "Type"
With data: dword:00000010

Sets value: "Start"
With data: dword:00000002

Sets value: "ErrorControl"
With data: dword:00000000

Sets value: "ServiceName"
With data: "<random service name>"

Sets value: "DisplayName"
With data: "Remote Procedure Call (RPC) Service"

Sets value: "DependOnService"
With data: "Dnscache"

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>
Sets value: "ObjectName"
With data: "LocalSystem"

It also modifies the following registry entries to lower your Internet security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "2500"
With data: dword:00000003

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: dword:00000003

The trojan can create a shortcut file in the Startup folder that links back to its copy.
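The registry artefacts listed above are the kind of thing worth sweeping for in a registry export. The Python below is an added example, not part of the Microsoft write-up: it parses a constructed .reg export and flags a Run value whose data points at %APPDATA%\Microsoft\<name>\<name>.exe (folder and file stem identical), a service under a non-RpcSs key that borrows the "Remote Procedure Call (RPC) Service" display name, and a Zones\2 or Zones\3 key with action 2500 set to 3 (Protected Mode turned off). The sample data, the value names ahwq and zqvlsd, and the function names are all constructed for illustration.

```python
import re

# Constructed .reg export (illustration only): the entries described above plus a benign Run value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"ahwq"="\"%APPDATA%\\Microsoft\\ypoplkc\\ypoplkc.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\zqvlsd]
"DisplayName"="Remote Procedure Call (RPC) Service"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
"""
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SVC_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\"
# Dropped copy lives at %APPDATA%\Microsoft\<name>\<name>.exe: folder and file stem must match.
DROP_RE = re.compile(r'"?%APPDATA%\\Microsoft\\([^\\]+)\\([^\\]+)\.(?:exe|dll)"?', re.I)

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; REG_SZ data is unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            if data.startswith('"'):  # REG_SZ: strip quotes, undo \" and \\ escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name.strip('"')] = data
    return keys

def find_qakbot_indicators(keys):
    """Flag the three registry artefacts the write-up describes; returns a list of strings."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        m = DROP_RE.fullmatch(data)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append(f"Run value {name!r} starts {m.group(1)}\\{m.group(2)} from %APPDATA%")
    for path, values in keys.items():
        if path.lower().startswith(SVC_PREFIX.lower()):
            svc = path[len(SVC_PREFIX):]
            if values.get("DisplayName") == "Remote Procedure Call (RPC) Service" and svc.lower() != "rpcss":
                findings.append(f"Service {svc!r} reuses the RPC service display name")
        zone = re.search(r"\\Internet Settings\\Zones\\([23])$", path, re.I)
        if zone and values.get("2500", "").lower() == "dword:00000003":
            findings.append(f"Zone {zone.group(1)}: action 2500 = 3 (Protected Mode off)")
    return findings
```

On a live system the same checks can be run over the output of `reg export`; the Run-key heuristic is deliberately narrow to the %APPDATA%\Microsoft\<name>\<name> pattern so ordinary per-user software is not flagged.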

Payload

Allows backdoor access and control

This threat contacts a remote server to receive commands from a malicious hacker. Once connected, the malicious hacker can command the trojan to do a number of things, including:

Collect information about your PC
Check for new malware version
Download and run files, such as a malware update
Login to FTP sites using stolen credentials
Download collected data
Detect which antivirus program you have on your PC
Detect whether it is running in a virtual machine and/or honeypot
Stop processes by process ID (PID) or string matching
Log keystrokes
Load a specified configuration file
Steal email user names and passwords
Steal POP3 and FTP credentials
Collect your cookies and digital certificates
Delete your cookies
Infect removable drives
Infect accessible network shares
Contact a SOCKS server

Steals your banking information

A malicious hacker can also tell the trojan to steal your online banking information. The trojan watches to see if you visit any URLs that include the following strings:

If you visit one of these banking websites the malware can monitor the communication and capture your sensitive information, such as your user name and password.

Sends stolen data to a malicious hacker

This threat can send the information it collects from your PC back to a remote server via HTTP or FTP. We have seen it connect to the following servers:

85.114.135.19 using TCP/8080
213.239.202.52 using TCP/65400

Blocks access to security websites

The malware hooks several APIs to monitor system events related to its information-stealing routines. It can then block access to some security-related websites. We have seen it hook the following APIs:

advapi32.dll!RegEnumValueW
advapi32.dll!RegEnumValueA
dnsapi.dll!DnsQuery_A
dnsapi.dll!DnsQuery_W
iphlpapi.dll!GetTcpTable
iphlpapi.dll!AllocateAndGetTcpExTableFromStack
kernel32.dll!GetProcAddress
kernel32.dll!FindFirstFileA
kernel32.dll!FindNextFileA
kernel32.dll!FindFirstFileW
kernel32.dll!FindNextFileW
ntdll.dll!NtQuerySystemInformation
ntdll.dll!NtResumeThread
ntdll.dll!LdrLoadDll
wininet.dll!HttpOpenRequestA
wininet.dll!HttpOpenRequestW
wininet.dll!HttpSendRequestA
wininet.dll!HttpSendRequestW
wininet.dll!HttpSendRequestExW
wininet.dll!InternetReadFile
wininet.dll!InternetReadFileExA
wininet.dll!InternetWriteFile
wininet.dll!InternetCloseHandle
wininet.dll!InternetQueryDataAvailable
ws2_32.dll!connect
ws2_32.dll!send
ws2_32.dll!WSASend
ws2_32.dll!WSAConnect
user32.dll!GetClipboardData
user32.dll!CharToOemBuffA
user32.dll!TranslateMessage

We have seen it block the following security-related websites:

Agnitum
Ahnlab
Arcabit
Avast
Avg
Avira
Avp
Bit9
Bitdefender
Castlecops
Centralcommand
Clamav
Clearclouddns
Comodo
Computerassociates
Cpsecure
Defender
Download.microsoft
Drweb
Emsisoft
Esafe
Eset
Etrust
Ewido
Explabs
F-prot
F-secure
Fortinet
Gdata
Grisoft
Hacksoft
Hauri
Hautesecure.com
Ikarus
Jotti
KI7computing
Kaspersky
Malware
Mcafee
Networkassociates
Nod32
Norman
Norton
Panda
Pctools
Phishtank.com
Prevx
Quickheal
Rising
Rootkit
Sanasecurity
Securecomputing
Sophos
Spamhaus
Spyware
Sunbelt
Symantec
Threatexpert
Threatfire
Trendmicro
Truste.com
Update.microsoft
Virus
Webroot
Wilderssecurity
Windowsupdate