Since Qakbot's beginning, the user-mode rootkit component has been a central protection and information-stealing mechanism. The Qakbot rootkit code was originally based on the NTIllusion rootkit, which appeared in a July 2004 edition of an e-zine written and read by hackers. The user-mode rootkit hooks several functions and allows the bot to control the data that system APIs return to every program on the system. Several of the hooks provide the ability to steal URLs, data, and cookies from a user's web transactions, including HTTPS-protected transactions.
The APIs that are hooked by the Qakbot rootkit include:
Table 3 List of APIs hooked by Qakbot
Modern versions of Qakbot use Windows NetBIOS APIs to enumerate all nearby servers that can be reached through a hidden administrative share. Upon finding one, Qakbot copies the NBS component (see Table 2) to the remote server, creates a service on the remote computer, and starts that service. The NBS component then downloads a new package of executables and begins the infection on the remote computer.
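The propagation step above leaves a recognisable trail on the target host: an access to a hidden administrative share, followed within seconds by a new service. The following detection logic is an added example, not Qakbot code or material from the original report; it correlates constructed records modelled on two Windows events, Security 5140 ("A network share object was accessed") and System 7045 ("A service was installed in the system"). The host names, addresses, service names and the 120-second window are assumptions made here.

```python
"""Correlate hidden-admin-share access with a following remote service install.

Added example, not Qakbot code or the original report's material. It models two
Windows events as constructed records:
  Security 5140  "A network share object was accessed"  (ShareName, IpAddress)
  System   7045  "A service was installed in the system" (ServiceName, ImagePath)
A copy to ADMIN$/C$ followed shortly by a new service on the same host is the
pattern the propagation step described above leaves behind.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Shares used for the file copy; IPC$ is deliberately excluded because every
# RPC/SMB session touches it and it would drown the signal.
ADMIN_SHARES = {"ADMIN$", "C$"}
WINDOW = timedelta(seconds=120)  # assumed correlation window, tune per environment


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    fields: dict = field(default_factory=dict)


def share_name(unc):
    r"""'\\*\ADMIN$' -> 'ADMIN$' (5140 records the share as a UNC path)."""
    return unc.rsplit("\\", 1)[-1].upper()


def correlate(events, window=WINDOW):
    """Return (host, source_ip, service_name, image_path) for every 7045 that is
    preceded within `window` by an admin-share access on the same host."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, host_events in by_host.items():
        recent = []  # (timestamp, source ip) of admin-share accesses still in window
        for ev in host_events:
            recent = [(ts, ip) for ts, ip in recent if ev.ts - ts <= window]
            if ev.event_id == 5140 and share_name(ev.fields["ShareName"]) in ADMIN_SHARES:
                recent.append((ev.ts, ev.fields["IpAddress"]))
            elif ev.event_id == 7045:
                for ip in sorted({ip for _, ip in recent}):
                    alerts.append((host, ip, ev.fields["ServiceName"], ev.fields["ImagePath"]))
    return alerts


# Constructed sample log; hosts, addresses and service names are hypothetical.
SAMPLE_EVENTS = [
    # Lateral movement: copy to ADMIN$ from 10.0.0.25, service installed 4s later.
    Event(datetime(2011, 5, 2, 9, 0, 0), "FILESRV01", 5140,
          {"ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.0.25"}),
    Event(datetime(2011, 5, 2, 9, 0, 4), "FILESRV01", 7045,
          {"ServiceName": "nbsvc", "ImagePath": r"C:\WINDOWS\system32\nbsvc.exe"}),
    # Routine install with no preceding admin-share access: not flagged.
    Event(datetime(2011, 5, 2, 9, 30, 0), "FILESRV01", 7045,
          {"ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"}),
    # Access to an ordinary share followed by a service install: not flagged.
    Event(datetime(2011, 5, 2, 10, 0, 0), "WEB01", 5140,
          {"ShareName": r"\\*\Public", "IpAddress": "10.0.0.25"}),
    Event(datetime(2011, 5, 2, 10, 0, 2), "WEB01", 7045,
          {"ServiceName": "Spooler2", "ImagePath": r"C:\WINDOWS\system32\spool2.exe"}),
    # Admin-share access ten minutes before the install: outside the window.
    Event(datetime(2011, 5, 2, 11, 0, 0), "WEB01", 5140,
          {"ShareName": r"\\*\C$", "IpAddress": "10.0.0.40"}),
    Event(datetime(2011, 5, 2, 11, 10, 0), "WEB01", 7045,
          {"ServiceName": "Updater", "ImagePath": r"C:\Tools\updater.exe"}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("possible remote service install:", alert)
```

Only the first host/service pair is reported: the copy to ADMIN$ and the service install arrive from the same source within the window. Legitimate software deployment tools produce the same pair, so in practice the source address is compared against known deployment servers before alerting.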
Qakbot also searches for HTML, PHP, ASP, PL and CFM files over FTP and infects those files with a link to the first-stage loader on the Internet. This technique has been known to infect users from their own internal web servers.
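Because the injected link has to point at a loader off-site, a content integrity check for web files reachable over FTP is to list every script or iframe that loads from a host outside the site's own domains. The scanner below is an added example and is not part of the original report; the page says only that "a link" is injected, so the tag types checked (script and iframe src attributes), the own-domain allowlist and all sample content are assumptions made here.

```python
"""Report script/iframe references to hosts outside the site's own domains.

Added example, not part of the original report. It is the integrity check an
administrator would run against web content reachable over FTP after the
technique described above: the injected 'link to the first stage loader' has to
point off-site, so references to foreign hosts in tags that fetch and execute
remote content are the thing to look for. The tag types checked (script,
iframe) and all sample content are assumptions made here.
"""
import re
from urllib.parse import urlparse

WEB_EXTENSIONS = {".html", ".htm", ".php", ".asp", ".pl", ".cfm"}

# src= attributes on tags that fetch and run remote content when the page loads.
REF_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE | re.DOTALL,
)


def external_refs(content, own_hosts):
    """Return (tag, url) for references whose host is not in own_hosts.
    Relative URLs have no host and are ignored; protocol-relative (//host/..)
    URLs are resolved to their host by urlparse."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for tag, url in REF_RE.findall(content):
        host = urlparse(url.strip()).hostname
        if host and host.lower() not in own:
            findings.append((tag.lower(), url))
    return findings


def scan_files(files, own_hosts):
    """files: {path: content}. Only web source types are examined; returns
    {path: [(tag, url), ...]} for files with off-site references."""
    report = {}
    for path, content in files.items():
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext not in WEB_EXTENSIONS:
            continue
        refs = external_refs(content, own_hosts)
        if refs:
            report[path] = refs
    return report


# Constructed sample site content; hostnames are hypothetical (.invalid is reserved).
OWN_HOSTS = {"www.example.com", "example.com"}
SAMPLE_FILES = {
    "index.html": (
        '<html><head><script src="/js/app.js"></script>\n'
        '<SCRIPT type="text/javascript" SRC="http://loader.invalid/q.php"></SCRIPT>\n'
        "</head><body>Welcome</body></html>"
    ),
    "login.php": (
        "<?php session_start(); ?>\n"
        '<iframe width="1" height="1" src="//cdn.attacker.invalid/f.html"></iframe>\n'
        '<script src="https://www.example.com/js/login.js"></script>'
    ),
    "contact.cfm": '<cfoutput><script src="lib/form.js"></script></cfoutput>',
    "notes.txt": '<script src="http://loader.invalid/q.php"></script>',  # not a web file
}

if __name__ == "__main__":
    for path, refs in scan_files(SAMPLE_FILES, OWN_HOSTS).items():
        for tag, url in refs:
            print(f"{path}: <{tag}> loads {url}")
```

Same-site absolute references and relative paths are left alone, so the output is short enough to review by hand; sites that legitimately load third-party scripts add those hosts to the allowlist. Comparing file hashes against a known-good release catches the same modification without needing to know what the injected markup looks like.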
Information Theft and Exfiltration
As stated in the What is Qakbot? section on page 5, the primary objective of Qakbot is to steal data.
Qakbot downloads configuration files that specify what to steal. These instructions are loaded into the main binary, and stolen data is written to files whose names contain the string 'seclog'. These files are then uploaded to FTP servers that are also defined in the configuration files. More recent versions of the threat obfuscate the files before sending them, and the obfuscation algorithm has been through several revisions in the past few years. The most recent versions use a form of compression, but no encryption of any sort has been applied, so anyone who captures the upload can recover the stolen data.
The information that Qakbot steals includes:
- Records of all keystrokes, along with the name of the process they were typed into
- POP3, FTP, IMAP, and IRC credentials
- All browser cookies (both traditional and Flash-based cookies)
- Cryptographic certificates
- Outlook account information (including credentials)
- Cached browser credentials
- Internet account manager settings
- Windows Live® ID account details
- Specific URL credentials
POP3, FTP, IRC, and IMAP credentials are stolen by hooking recv and WSARecv and filtering the buffers for strings used in those protocols' authentication exchanges. For example, the rootkit component looks for buffers containing "USER" and "PASS" in order to capture FTP passwords. Because the hook sees the data as it passes through the socket, this only yields credentials for sessions that carry them in cleartext.
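The filtering step described above is simple enough to write out, and the same logic doubles as an audit tool: run over captured traffic, it lists every credential that crosses the network unprotected and would therefore be visible to a hook on recv/WSARecv. The code below is an added example, not Qakbot code; the port-to-protocol mapping, the keyword patterns and the sample payloads are assumptions made here.

```python
"""Filter cleartext protocol payloads for authentication exchanges.

Added example, not Qakbot code. It performs the selection step described above
(keep only buffers carrying authentication keywords) on constructed socket
payloads, written as an audit tool: run over captured traffic it lists every
credential that crosses the network unprotected and would therefore be visible
to a recv/WSARecv hook. Port mapping, patterns and samples are assumptions here.
"""
import re

# Cleartext ports only; the TLS variants (990, 995, 993, 6697) deliver
# ciphertext to the socket and nothing below would match.
PORT_PROTOCOL = {21: "ftp", 110: "pop3", 143: "imap", 6667: "irc"}

# One pattern per protocol, anchored to line start; each yields (keyword, value).
CREDENTIAL_PATTERNS = {
    "ftp":  re.compile(rb"^(USER|PASS) +(\S+)", re.I | re.M),
    "pop3": re.compile(rb"^(USER|PASS) +(\S+)", re.I | re.M),
    # IMAP prefixes each command with a client tag: "a001 LOGIN user pass"
    "imap": re.compile(rb"^\S+ +(LOGIN) +(\S+ +\S+)", re.I | re.M),
    # IRC: PASS is optional at connect; NICK identifies the account. The IRC
    # USER command carries no secret and is deliberately not matched.
    "irc":  re.compile(rb"^(PASS|NICK) +(\S+)", re.I | re.M),
}


def extract_credentials(payloads):
    """payloads: iterable of (dst_port, data: bytes) as seen on the socket.
    Returns [(protocol, KEYWORD, value), ...]; buffers with no match are dropped,
    which is the filtering the hook performs on every buffer it intercepts."""
    found = []
    for port, data in payloads:
        proto = PORT_PROTOCOL.get(port)
        if proto is None:
            continue
        for m in CREDENTIAL_PATTERNS[proto].finditer(data):
            found.append((proto, m.group(1).decode().upper(),
                          m.group(2).decode("utf-8", errors="replace")))
    return found


# Constructed sample payloads (hypothetical accounts); the last one stands in
# for a TLS record, which carries no recoverable text.
SAMPLE_PAYLOADS = [
    (21,   b"USER anonymous\r\n"),
    (21,   b"PASS guest@example.com\r\n"),
    (110,  b"+OK POP3 server ready\r\n"),            # server banner, no credential
    (110,  b"USER alice\r\nPASS hunter2\r\n"),        # two commands in one buffer
    (143,  b"a001 LOGIN alice s3cret\r\n"),
    (6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    (80,   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # not in scope
    (995,  b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01"),               # POP3S: ciphertext
]

if __name__ == "__main__":
    for proto, keyword, value in extract_credentials(SAMPLE_PAYLOADS):
        print(f"{proto:5} {keyword:5} {value}")
```

Six credentials come out of eight buffers; the banner, the HTTP request and the TLS record are discarded. The practical lesson is the one the POP3S record makes: moving these protocols to their TLS variants leaves a socket-level hook with nothing to filter, which is also why the rootkit needs separate browser-level hooks to reach HTTPS data.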
Qakbot indiscriminately steals all browser cookies, including Flash-based cookies (local shared objects) located in the following directory:
- %UserProfile%\Application Data\Macromedia\Flash Player\#SharedObjects
Qakbot steals certificates by patching Windows APIs in system DLLs to circumvent security checks, and it suppresses security dialogs, which bypasses the user interaction otherwise required to verify and export accessible private keys. For details, see the Rootkit section on page 16.
Web traffic to and from high-value domains is identified by a configuration file that Qakbot updates periodically. Qakbot saves data from these domains in a separate data file. Keeping a separate file spares the controllers from filtering through multiple keystroke logs to find credentials for the specific sites they are interested in.