A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16147  by crazypctech2010
 Fri Oct 19, 2012 10:48 am
Hello, I hope I am not posting in the wrong place or broke any rules if I did I am sorry.

I am desperate for help. We have a network wide infection in a school district I work in. The infection was identified by Total Defense as Qakbot.KY.
Suddenly as of monday systems began to slow down. We then started to get alerts from the anti virus that JS/Qakbot.KS was being found. Upon looking at one of the computers it is hooking and injecting itself into the following services. The AV company is not finding the entire thing and it is evading even their latest definition builds.

svchost.exe, iexplore.exe, explorer.exe

It goes out to the internet to random remote servers. The variant of this changed 3 times yesterday according to Total Defense. All we can get them is the executables it is spawning.
It goes out through the network on port 445 querying other computers and infecting them.
it creates a folder located under C:\documents and settings\%username%\App Data\Microsoft\RANDOM 5 character folder
Inside this folder could be one or more executable files with at least one matching the name of the folder. It also will have two dll files named after that same executable with one bearing the name followed by 32.
It puts a process in Scheduled Tasks to Launch everyday at 9am (this is another executable file) located in C:\Windows\Temp



I have tried to run
Combofix - found nothing
Malwarebytes - Found nothing
TDSSKiller - found nothing
Rkill - found nothing

When I run GMER I do get two results of two or more malicious files residing in the C:\Windows directory marked as hidden some are just "library files" others include a process and service. When I try to go to the location with a Linux BootCD nothing is there to be found. I tried command lines for OTL, the command prompt and I cannot find the file either. I am sure their is a rootkit component as deleting these files in c:\documents and settings\%username%\app data\microsoft they are regenerated.

I have attached the executable and dll's along with GMER screenshot i hope that someone can shed some light on this
*WARNING I COULD NOT SET A PASSWORD FOR THE ZIPPED ARCHIVE, BUT THE ACTUAL FILES ARE BURIED 1 LEVEL BELOW THE ROOT FOLDER*
Attachments
pass: infected
(176.58 KiB) Downloaded 96 times
GMER RESULT.jpg
GMER RESULT
GMER RESULT.jpg (213.23 KiB) Viewed 1016 times
Last edited by EP_X0FF on Mon Mar 11, 2013 3:04 pm, edited 3 times in total. Reason: password added
 #16153  by EP_X0FF
 Fri Oct 19, 2012 12:33 pm
Hello,

this is user-mode rootkit with backdoor/stealer functionality. It hides itself from user by intercepting some key API functions. Process hidden by NtQuerySystemInformation hook, registry entry (this malware runs from HKCU\Software\Microsoft\Windows\CurrentVersion\Run) hidden with RegEnumValueA(W) hooks. Files located in (User Profile\Application Data\Microsoft\<random>) This malware may attempt to spread to open shares across a network, including the default shares C$ and Admin$. Additional files can be downloaded by this malware, so you may have bunch of trojans installed together. This malware may reinstall it hooks, reinfect system so better deal with it in offline mode. Or you may also try free Microsoft Safety Scanner. On my machine it successfully removed this infection.

Some screenshots comming soon.

Image
 #16154  by crazypctech2010
 Fri Oct 19, 2012 12:55 pm
Is Microsoft safety scanner the same as Microsoft security essentials ? I have tried Mse And it finds the file in the windows\temp directory but doesn't kill the rest which gmer is finding
 #16155  by EP_X0FF
 Fri Oct 19, 2012 12:58 pm
crazypctech2010 wrote:Is Microsoft safety scanner the same as Microsoft security essentials ? I have tried Mse And it finds the file in the windows\temp directory but doesn't kill the rest which gmer is finding
Yes it is the same. Remove any other AV/FW software from machine before scan. Gmer shows partial detection. Remove main malware component from User Profile\Application Data\Microsoft\<some random name>. If everything fail - do it in offline mode. There is nothing strong in this malware.
 #16156  by EP_X0FF
 Fri Oct 19, 2012 1:07 pm
Regarding to this dll. It does not exists, this is rootkit faked information. It uses NtResumeThread hook to propagate itself between processes. Main malware module is hidden process and it injects itself in all starting processes.

Password brute-force list from this malware
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,
pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,
7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,66666,6666,666,66,6,55555555,5555555,555555,55555,5555,555,55,5,
44444444,4444444,444444,44444,4444,444,44,4,33333333,3333333,333333,33333,3333,333,33,3,22222222,2222222,222222,22222,2222,
222,22,2,11111111,1111111,111111,11111,1111,111,11,1,00000000,0000000,00000,0000,000,00,0987654321,987654321,87654321,7654321,
654321,54321,4321,321,21,12,super,secret,server,computer,owner,backup,database,lotus,oracle,business,manager,temporary,ihavenopass,
nothing,nopassword,nopass,Internet,internet,example,sample,love123,boss123,work123,home123,mypc123,temp123,test123,qwe123,pw123,
root123,pass123,pass12,pass1,admin123,admin12,admin1,password123,password12,password1,default,foobar,foofoo,temptemp,temp,testtest,
test,rootroot,root,fuck,zzzzz,zzzz,zzz,xxxxx,xxxx,xxx,qqqqq,qqqq,qqq,aaaaa,aaaa,aaa,sql,file,web,foo,job,home,work,intranet,controller,killer,
games,private,market,coffee,cookie,forever,freedom,student,account,academia,files,windows,monitor,unknown,anything,letitbe,domain,access,
money,campus,explorer,exchange,customer,cluster,nobody,codeword,codename,changeme,desktop,security,secure,public,system,shadow,office,
supervisor,superuser,share,adminadmin,mypassword,mypass,pass,Login,login,passwd,zxcvbn,zxcvb,zxccxz,zxcxz,qazwsxedc,qazwsx,q1w2e3,
qweasdzxc,asdfgh,asdzxc,asddsa,asdsa,qweasd,qweewq,qwewq,nimda,administrator,Admin,admin,a1b2c3,1q2w3e,1234qwer,1234abcd,123asd,
123qwe,123abc,123321,12321,123123,James,John,Robert,Michael,William,David,Richard,Charles,Joseph,Thomas,Christopher,Daniel,Paul,Mark,
Donald,George,Kenneth,Steven,Edward,Brian,Ronald,Anthony,Kevin,Mary,Patricia,Linda,Barbara,Elizabeth,Jennifer,Maria,Susan,Margaret,
Dorothy,Lisa,Nancy,Karen,Betty,Helen,Sandra,Donna,Carol,james,john,robert,michael,william,david,richard,charles,joseph,thomas,christopher,
daniel,paul,mark,donald,george,kenneth,steven,edward,brian,ronald,anthony,kevin,mary,patricia,linda,barbara,elizabeth,jennifer,maria,susan,
margaret,dorothy,lisa,nancy,karen,betty,helen,sandra,donna,carol
 #16195  by crazypctech2010
 Sun Oct 21, 2012 9:20 pm
EP_XOFF,

You are incredible, Thank you so much for your help! I was able to manually remove it with your information. This thing has been spreading like wildwife. We cut the internet connection so it can no longer update or download any more malware. Sophos updated their definitions and can remove this threat automatically now.

I found that it has registry keys to run as a Legacy service in addition to the .exe it has and the dll files it comes with. It also places it in the startup folder and create a scheduled task to run the .exe located under the application data/micrsoft folder everyday at a specific time (i believe the time it is set to update can serve as a timestamp for when the machine became infected) i.e. it infects it at 11:34 AM the scheduled task runs everyday at 11:34 am

How did you get that information out of the dll ? Any recommndations for where to start learning how to do what you can do wth malware ? I don't know programming but I enjoy figuring out Malware. :D
 #16202  by EP_X0FF
 Mon Oct 22, 2012 3:29 am
crazypctech2010 wrote:How did you get that information out of the dll ? Any recommndations for where to start learning how to do what you can do wth malware ? I don't know programming but I enjoy figuring out Malware. :D
I ran it in isolated environment and did some system snapshots to reveal changes. Then compared code it injects into running processes with hidden process code. It turned to be the same. Memory dumps confirmed all. As for guides see http://www.kernelmode.info/forum/viewto ... f=2&t=1371
 #16235  by PX5
 Tue Oct 23, 2012 7:22 pm
If its truely a variant of qakbot, Im curious if you had windows show all hidden files, then venture into ?:\Windows\Task

If so, you very well may find some rogue job files which need deletion else in some 4 to 7 days, all cleaned machines will reinfect, general task time between execution on last variant I found was 7 hours.

It may well be worth your while to check a machine or two, do let me know what you find, please. ;)
 #18357  by AaLl86
 Wed Feb 27, 2013 9:18 am
Hi All!
I would like to share with this great board, a dropper of a trojan, called W32.Qakbot. It's not something new and clever, but it has a great network infection feature. Indeed is able to enumerate all network shares of a system, and copy itself in every C$ share of remote computers. Furthermore it seems that creates a remote service with the aim to infect remote PC.
Unfortunately I don't have much time to disassemble and analyze it...
Someone can help me to pinpoint Network infection code??

I hope that this could be interesting for some of you...

Regards,
Andrea

ps. If I miss any board rule, please forgive me! ;-)
Attachments
W32.Qakbot + Symantec Analysis
(1.17 MiB) Downloaded 101 times