
Trojan-PSW.Win32.Qbot.mk

Detected May 27 2010 11:14 GMT
Released May 27 2010 18:10 GMT
Published Jul 02 2010 08:11 GMT

Technical Details

This Trojan is designed to steal the user's confidential data and to give a remote malicious user access to the victim machine. It is a Windows PE EXE file, approximately 85 kilobytes in size, written in C.

Installation

During installation, the malicious program will extract from its body and create the following files:

%allusersprofile%\qbothome\qbotinj.exe
%allusersprofile%\qbothome\qbotnti.exe
%allusersprofile%\qbothome\alias_qbotnti.exe
%allusersprofile%\qbothome\qbot.dll 
%allusersprofile%\qbothome\msadvapi32.dll
%allusersprofile%\qbothome\q1.<rnd>
Where "<rnd>" stands for a random sequence of numbers.

Additional files may also be created in the above folder.

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan modifies the data of an existing value under the system registry autorun key, keeping the original command as an argument so that the legitimate program still appears to start:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

The value's data is changed to:

"%allusersprofile%\qbothome\qbotinj.exe" "%allusersprofile%\qbothome\qbot.dll" /c "<original value>"

Where "<original value>" is the previous data of that value.
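Because the Trojan hijacks an existing Run value rather than adding a new one, clean-up has to put the original command back, not just delete the entry. The following Python script is an added triage example, not Kaspersky Lab's code or a tool from this page: it parses a .reg export of the Run key, recognizes values with the shape described above and recovers the wrapped original command. The embedded export is constructed for the example (the value name "SunJavaUpdateSched" and the C:\ProgramData path standing in for %allusersprofile% are assumptions, not indicators from the page).

```python
"""Find Run values hijacked in the style described above and recover the
original command. Added example; the sample .reg export is constructed."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed .reg export of the Run key. %allusersprofile% resolves to
# C:\ProgramData on Vista and later (C:\Documents and Settings\All Users on XP).
# In .reg files every backslash is written as \\ and every quote as \".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"SunJavaUpdateSched"="\"C:\\ProgramData\\qbothome\\qbotinj.exe\" \"C:\\ProgramData\\qbothome\\qbot.dll\" /c \"\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\"\""
'''

# "Name"="string data" lines; REG_SZ only, which is all the Run key holds.
REG_VALUE_RE = re.compile(r'^"((?:\\.|[^"\\])*)"="((?:\\.|[^"\\])*)"$')

# "<dir>\qbotinj.exe" "<dir>\qbot.dll" /c "<original value>"
# The original value may itself contain quotes, so it is captured greedily
# up to the final quote instead of being split on whitespace.
HIJACK_RE = re.compile(
    r'^"(?P<injector>[^"]*\\qbotinj\.exe)"\s+'
    r'"(?P<dll>[^"]*\\qbot\.dll)"\s+'
    r'/c\s+"(?P<original>.*)"$',
    re.IGNORECASE,
)


class Finding(NamedTuple):
    value_name: str
    injector: str
    dll: str
    original: str  # data to write back once the qbothome files are removed


def reg_unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash makes the next char literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][reg_unescape(m.group(1))] = reg_unescape(m.group(2))
    return keys


def find_hijacked_run_values(reg_text: str) -> List[Finding]:
    """Report Run values (HKLM or HKCU) wrapped by the qbotinj.exe loader."""
    findings: List[Finding] = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(r"\software\microsoft\windows\currentversion\run"):
            continue
        for name, data in values.items():
            m = HIJACK_RE.match(data)
            if m:
                findings.append(Finding(name, m["injector"], m["dll"], m["original"]))
    return findings


if __name__ == "__main__":
    for f in find_hijacked_run_values(SAMPLE_REG_EXPORT):
        print("Hijacked Run value :", f.value_name)
        print("  injector         :", f.injector)
        print("  injected DLL     :", f.dll)
        print("  restore data to  :", f.original)
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` output; a legitimate quoted entry such as the Adobe line is not flagged, and the recovered `original` is the data to restore after the qbothome folder has been removed.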

Propagation

The malicious program propagates over the local network by copying its files to the following paths on the administrative shares of remote computers:

C$\Windows\q.dll
C$\Windows\q1.<rnd>
ADMIN$\q.dll
ADMIN$\q1.<rnd>

Payload

After launching, the malicious program regularly downloads and parses several configuration files from the following addresses:

http://www.cdcdcdcdc2121cdsf***.com/crontab.cb
http://www.cdcdcdcdc2121cds**fd.com/updates.cb
http://www.cdcdcdcdc2121c**fdfd.com/updates1.cb
http://www.cdcdcdcdc**21cdsfdfd.com/_qbot.cb

The malicious program's main function is to intercept credentials entered into the web login forms of online banking systems, including those of the following banks:

  • Wells Fargo Bank
  • Bank Of America
  • Key Bank
  • PNC Bank
  • Fifth Third Bank
  • Regions Financial Corporation

To this end, the malicious program injects its dynamic-link library (qbot.dll) into the address space of the iexplore.exe process (Internet Explorer).

In addition, the malicious program is capable of stealing the following information:

  • User email accounts and passwords for Microsoft Outlook.
  • MSN user IDs and passwords.
  • User credentials for various websites.
  • Confidential data stored in cookies.
  • Users' digital certificates.

The stolen data is sent to the attacker's FTP servers, whose addresses the program reads from a configuration file.

The program also reads from the configuration file the address of an IRC (Internet Relay Chat) server and the channel which the cybercriminal subsequently uses to control the infected computer.

The cybercriminal can use IRC to gain access to the computer’s file system, as well as to install and run other malicious software on the computer. The attacker can also send a command that removes the malicious program from the computer.

The program regularly downloads updates from the following address:

http://nt0***.cn/cgi-bin/jl/jlo**der.pl
It also sends the attacker the following data: computer name, IP address, geographic location, operating system version and system time. The data is sent to the following address:

http://boogie****ekid.com/cgi-bin/cli**tinfo3.pl

Trojan-PSW

Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.

When launched, a PSW Trojan searches system files or the registry for stored confidential data. If such data is found, the Trojan sends it to its "master." Email, FTP, the web (including data embedded in a request), or other methods may be used to transmit the stolen data.

Some such Trojans also steal registration information for certain software programs.


Aliases

Trojan-PSW.Win32.Qbot.mk (Kaspersky Lab) is also known as:

  • Trojan-Downloader.Win32.Piker.cjs (Kaspersky Lab)
  • Virus: W32/IRCbot.gen (McAfee)
  • Mal/Qbot-B (Sophos)
  • W32/Qbot.W.worm (Panda)
  • W32/Trojan2.MVJZ (FPROT)
  • Backdoor:Win32/Qakbot.gen!A (MS(OneCare))
  • Trojan.Packed.20343 (DrWeb)
  • Win32/Qbot.AO trojan (Nod32)
  • Trojan.Generic.4092654 (BitDef7)
  • Trojan.DL.Piker.AUM (VirusBuster)
  • Win32:Malware-gen (AVAST)
  • Backdoor.Win32.Qakbot (Ikarus)
  • Downloader.Generic9.BZRJ (AVG)
  • TR/Dldr.Piker.cjs (AVIRA)
  • W32.Qakbot (NAV)
  • W32/Suspicious_Gen2.ATSLI (Norman)
  • Trojan.Win32.Generic.52088905 (Rising)
  • Trojan-PSW.Win32.Qbot.mk [AVP] (FSecure)
  • BKDR_QAKBOT.SMB (TrendMicro)
  • Backdoor.Win32.Qakbot (Sunbelt)
  • Trojan.DL.Piker.AUM (VirusBusterBeta)