A data-stealing trojan under the microscope

Recently I had received a call to assist a potential customer with a virus outbreak in a segment of their network.

The victim had been using a competitor’s product, which unfortunately was not protecting them from the spread of this attack, and it was merely coincidence that this was discovered during their evaluation of Sophos.

I, and some of our professional services team, sprung to action to do what we could to help clean-up the threat, and assist with settings things right again. The customer had a serious concern about data having been stolen by this bot once SophosLabs provided us with an analysis of the threat, and it being a weekend wanted as much information about the extent of damage this trojan/worm may have caused before the start of business on Monday.

I spent the better part of the weekend with the customer performing a forensic analysis of the malware’s activity and I thought I might share with you some detail on how Troj/QBot-B operates.

In this case, the initial infection appeared to occur from downloading a malicious PDF file and exploiting a vulnerability in Adobe Acrobat Reader on one user’s computer. It dropped an EXE file in the C:\Windows folder that was named _qbotxxxxxxx.exe (x’s are random characters, and the file is detected by Sophos Anti-Virus as Troj/Qbot-B).

Approximately one hour later the virus attempts to contact two different URLs to update itself (q1.dll) and potentially receive instructions (URLs blocked by the Sophos Web Appliance more than one week prior to infection). Upon receiving the updated DLL file it creates a directory C:\Documents and Settings\All Users\_qbothome and begins storing files there.

It appears to contain a userland rootkit as Windows Explorer is unable to see this folder or its contents, yet making a network connection to C$ or browsing from a command prompt discloses the presence of these files. Qbot installs itself as a service, and modifies Windows registry entries to ensure its startup on system boot.

A text file used by Qbot-B to report back to its creators

Qbot-B receives instructions, and returns information about what it finds on your computers to remote hackers.

Because the malware as shipped doesn’t take any action, but contacts the net for new payloads or instructions, we refer to this as a dropper. Once this is installed on your machine, it can be instructed to do just about anything its controllers choose.

After downloading q1.dll, QBot makes a SOCKS proxy connection to another URL and attempts to join a IRC chatroom that is only accessible via an SSL connection from the SOCKS proxy. This makes it far more difficult for researchers to join the chatroom and potentially reverse engineer the capabilities of the malware.

In this instance, the controllers let the malware remain dormant on the workstation for eight days. They finally issued the bot instructions to recover data from the users Internet Explorer data and network connections established from the computer. It reported back the usernames, passwords, and cookies stored in the browser, and the names of all the network shares accessed by the user since the deployment of Windows on their computer. It is not entirely clear, but the data appears to have been encrypted before having been submitted to the attacker.

The machine was also instructed to spread via file shares throughout the network and perform the same activities on other machines within the environment creating a rather large mess. It is unclear which exploits it used during its spread, but it involves connecting to the IPC$ share, likely taking advantage of vulnerabilities in the WIndows Server service. There are more details to this story, but this article is running a bit long.

My primary motive for sharing this story is the importance of deploying multiple layers of protection to protect your important data, and ensure the integrity of your environment.

With Sophos products alone, we had four or more opportunities to prevent the exposure of sensitive information with Anti-Virus, Web Security, NAC, and Client Firewall solutions.

As the threats mutate at ever faster rates it is more important than ever to ensure that your applications and OS are up to date, data being retrieved from the internet is not poisoned, unauthorized applications are not connecting to your computers, and of course malware protection is up to date and preventing malware from infecting your computers to start with.

As a security administrator, you need only break one link in this chain to prevent your organization from being the next victim.