Emerging threat on QAKBOT

    • Updated:
    • 5 Jul 2016
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 10.6
    • OfficeScan 11.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • N/A
Summary

WORM_QAKBOT, or QAKBOT, is a multi-component threat that has remained prevalent since it first emerged in 2007. It has continuously evolved to evade detection on, and removal from, an infected system.

Early variants of this malware used constant file names that contained the string “_qbot”. They used a single layer of encryption for their configuration files. Later variants, however, set the Hidden attribute on their configuration files and used random names for their component files and folders. These variants also encrypted their configuration files twice, which made them harder to decrypt and analyze.

QAKBOT's payloads include malware infection and information theft.

For further information on the earlier WORM_QAKBOT variants that Trend Micro already detects, click here.

QAKBOT Infection Chain


VSAPI Pattern (Malicious File Detection)

LAYER     | DETECTION          | PATTERN VERSION | Release Date
INFECTION | WORM_QAKBOT.SMOT   | OPR 12.303      | 1/28/2016
INFECTION | WORM_QAKBOT.SMUW   | OPR 12.315      | 2/3/2016
INFECTION | WORM_QAKBOT.SMUV   | OPR 12.319      | 2/5/2016
INFECTION | WORM_QAKBOT.SMUX   | OPR 12.329      | 2/9/2016
DYNAMIC   | JS_QAKBOT.SM1      | OPR 12.313      | 2/2/2016
DYNAMIC   | LNK_QAKBOT.SMUV    | OPR 12.313      | 2/2/2016
DYNAMIC   | Mal_Qakboj         | OPT 12.327      | 2/8/2016
DYNAMIC   | Mal_QAKBOT-10      | OPR 12.359      | 2/22/2016
INFECTION | SWF_ANGLEREK.C     | OPR 12.323      | 2/8/2016

WRS Pattern (Malicious URL and Classification)

LAYER    | URL                              | Score     | Blocking Date
CLEAN-UP | aecfdpuspicop{blocked}.biz:443   | DANGEROUS | 2/1/2016
CLEAN-UP | hbjzvgyej{blocked}.org:443       | DANGEROUS | 2/1/2016
CLEAN-UP | xsso{blocked}.aecfdpuspicop.biz  | DANGEROUS | 2/1/2016
CLEAN-UP | yrkinsiwejn{blocked}.biz:443     | DANGEROUS | 2/1/2016
CLEAN-UP | yuhjomyygtrbcr{blocked}.info:443 | DANGEROUS | 2/1/2016
CLEAN-UP | xsso{blocked}.hbjzvgyej.org      | DANGEROUS | 2/1/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER   | Detection | Pattern Version | Release Date
DYNAMIC | 1913T     | OPR 1521        | 3/8/2016
DYNAMIC | 1913F     | OPR 1519        | 3/1/2016

DCT Pattern (System Clean Pattern)

LAYER    | Detection    | Pattern Version | Release Date
CLEAN-UP | TSC_GENCLEAN | LATEST DCT OPR  | BUILT-IN

Network Pattern

LAYER    | Detection             | Pattern Version | Release Date
CLEAN-UP | HTTP_QAKBOT_REQUEST-8 | RR 1.10149.00   | 7/30/2015
CLEAN-UP | FTP_QAKBOT_REQUEST-2  | RR 1.10103.00   | 1/27/2015
 
Make sure to always use the latest pattern available to detect the old and new variants of WORM_QAKBOT.
Details

Solution Map - What should customers do?

Pattern columns: Virus Pattern, Behavior Monitoring, Web Reputation, DCT Pattern, Network Pattern.

    • OfficeScan, 10.6 and above: Update Pattern via web console (Virus Pattern, Behavior Monitoring, Web Reputation, DCT Pattern, Network Pattern)
    • Worry Free Business Security, 8.0 and above: Not Applicable
    • Deep Security, 8.0 and above: Not Applicable; Update Pattern via web console
    • InterScan Web, IWSVA 6.0 and later: Not Applicable; Not Applicable; Not Applicable
    • Deep Discovery, DDI 3.0 and later: Not Applicable; Not Applicable; Update Pattern via web console
 
*Refer to the Product Administrator’s Guide for how to enable the Email Reputation or Web Reputation service features.

Recommendations:

    • Blog
    • Threat Report

    • Category: Troubleshoot; Remove a Malware / Virus; SPEC
    • Solution Id: 1114059