Possible new Remote Control Trojan with Rootkit? Qbot

Discussion in 'malware problems & news' started by outofideas, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. outofideas

    outofideas Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    3
    This little parasite somehow made it onto one of my systems 2 days ago. I found it this morning when one of its programs crashed as I closed an Internet Explorer window.

    It installed itself into Documents and Settings\All Users\_qbothome
    contents of the directory were:
    8/10/2005 0:47 1,505 R__A________ cert.pem
    11/29/2006 22:39 728 R__A________ crontab.cb
    11/30/2006 21:10 34,304 R__A________ msadvapi32.dll
    11/30/2006 21:10 3,410 R__A________ ps_dump_xyz
    11/30/2006 21:10 3,412 R__A________ ps_dump_xyz.cb
    11/30/2006 21:10 28,160 R__A________ q1.32585
    12/01/2006 9:13 1,184 R__A________ seclog.cb
    12/01/2006 8:42 1,184 R__A________ seclog.txt
    11/30/2006 21:10 376 R__A________ si.cb
    11/30/2006 21:10 373 R__A________ si.txt
    11/29/2006 22:39 432 R__A________ updates.cb
    11/30/2006 21:10 160 R__A________ updates1.cb
    11/30/2006 21:10 596 R__A________ _qbot.cb
    11/29/2006 21:09 48,640 R__A________ _qbot.dll
    11/23/2006 5:09 6,656 R__A________ _qbotinj.exe
    12/01/2006 10:34 43,520 R__A________ _qbotinj.opt
    11/30/2006 21:10 20,480 R__A________ _qbotnti.exe
    11/30/2006 21:10 0 R__A________ _qbot_installed

    There was a rootkit involved (I'm guessing _qbotnti.exe), as I could not see any of the _* files or directories while the system was up, though they showed up just fine with a Knoppix boot CD.

    The _qbotinj.exe was the program that crashed, letting me know something was up. I think its primary purpose is to sniff passwords typed into Internet Explorer. The _qbotinj.opt is from Visual Studio, from when I hit debug when it crashed; saving the project workspace is what finally let me know where the heck it was, since nothing else could find a _qbotinj.exe anywhere on the system.

    qbot.dll, once un-UPXed, has a bunch of strings that seemed to indicate it was a remote control trojan of some sort, maybe via IRC.

    ps_dump_xyz contained account info and passwords that I think were extracted from outlook express. I quickly changed them, from another computer, along with every other important password that came to mind. What a pain.

    seclog.txt had various search strings I had typed into Internet Explorer. I do most of my browsing with Firefox so it wasn't nearly as bad as it could've been.

    si.txt had system info, computer name, user name, external IP, internal IP, etc.

    I'm assuming the contents of those 3 files all got sent off somewhere.

    Searching on google for the various filenames and strings didn't turn up anything allowing me to identify it. I don't know how it got installed. I'm guessing an exploit in IE, or possibly Firefox or Thunderbird, since those are the 3 main programs I use on that PC that access the net.

    Other notes of interest:
    The Sysinternals RootkitRevealer could not find it at all, but F-Secure's BlackLight managed to find all the files. Both were run while the system was up, with the ethernet cable pulled.

    Once I knew the _qbothome directory existed, I could cd into it at a command prompt and list/view all the files except the ones that started with an underscore.

    Has anyone seen this before? I restored the PC from a backup, but I still have a copy of the files. Is there a good place to send them off to if this is new?
     
  2. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    I am sure that NSClean would be interested in your files. Send an email with a header that says "possible new rootkit", or something similar to:

    support@nsclean.com
     
  3. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Hi outofideas,
    sending them to all the addresses listed in the link below on IBK's post would be good, as nearly all AVs would get a look at them:

    https://www.wilderssecurity.com/showthread.php?p=758597#post758597

    Londonbeat
     
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi outofideas

    Great catch ;)

    If possible, could you please upload the files as a job lot (zipped, password = infected) to unknown/suspect files at the MIRT forum (link in signature).
    This would help with mass escalated submission to antimalware vendors and hopefully get you some feedback on what you have captured :)
     
  5. outofideas

    outofideas Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    3
    Thanks all, that's pretty much exactly what I was looking for. It's been sent to the AV company email addresses and the MIRT forum.

    I also had www.virustotal.com analyze the files, very neat service. A few picked it up, I'm guessing with heuristics.

    Complete scanning result of "_qbothome.zip", received in VirusTotal at 12.02.2006, 21:26:50 (CET).

    Antivirus Version Update Result
    AntiVir 7.2.0.46 12.02.2006 HEUR/Malware
    Authentium 4.93.8 12.01.2006 no virus found
    Avast 4.7.892.0 12.01.2006 no virus found
    AVG 386 12.02.2006 no virus found
    BitDefender 7.2 12.02.2006 DeepScan:Generic.Malware.SI!dldg.184D850C
    CAT-QuickHeal 8.00 12.02.2006 no virus found
    ClamAV devel-20060426 12.01.2006 no virus found
    DrWeb 4.33 12.02.2006 DLOADER.IRC.PWS.Trojan
    eSafe 7.0.14.0 11.30.2006 suspicious Trojan/Worm
    eTrust-InoculateIT 23.73.74 12.02.2006 no virus found
    eTrust-Vet 30.3.3225 12.01.2006 no virus found
    Ewido 4.0 12.02.2006 no virus found
    Fortinet 2.82.0.0 12.02.2006 suspicious
    F-Prot 3.16f 12.01.2006 no virus found
    F-Prot4 4.2.1.29 12.01.2006 no virus found
    Ikarus 0.2.65.0 12.01.2006 no virus found
    Kaspersky 4.0.2.24 12.02.2006 no virus found
    McAfee 4909 12.01.2006 no virus found
    Microsoft 1.1804 12.02.2006 no virus found
    NOD32v2 1897 12.02.2006 no virus found
    Norman 5.80.02 12.01.2006 no virus found
    Panda 9.0.0.4 12.02.2006 Suspicious file
    Prevx1 V2 12.02.2006 no virus found
    Sophos 4.12.0 12.02.2006 Mal/Behav-010
    Sunbelt 2.2.907.0 11.30.2006 no virus found
    TheHacker 6.0.3.127 12.01.2006 no virus found
    UNA 1.83 12.01.2006 no virus found
    VBA32 3.11.1 12.01.2006 no virus found
    VirusBuster 4.3.15:9 12.02.2006 no virus found
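    A small parser for the result lines pasted above, added here as an example and not part of the original post or of VirusTotal's own tooling. It separates the vendor, engine version, definition date and verdict, then splits the verdicts into heuristic/behavioural names versus a specific signature, and lists the engines whose definitions were older than the scan date. The latter is the practical caveat behind a "mostly clean" report on a two-day-old sample: a miss from an engine updated before the sample existed carries little weight. The date format and the heuristic keyword list are assumptions taken from the report text, not a documented VirusTotal format.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Result lines copied from the VirusTotal report in the post above (vendor, engine version,
# definition update date, result). Dates are MM.DD.YYYY as VirusTotal printed them in 2006.
VT_REPORT = """\
Antivirus Version Update Result
AntiVir 7.2.0.46 12.02.2006 HEUR/Malware
Authentium 4.93.8 12.01.2006 no virus found
Avast 4.7.892.0 12.01.2006 no virus found
AVG 386 12.02.2006 no virus found
BitDefender 7.2 12.02.2006 DeepScan:Generic.Malware.SI!dldg.184D850C
CAT-QuickHeal 8.00 12.02.2006 no virus found
ClamAV devel-20060426 12.01.2006 no virus found
DrWeb 4.33 12.02.2006 DLOADER.IRC.PWS.Trojan
eSafe 7.0.14.0 11.30.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.74 12.02.2006 no virus found
eTrust-Vet 30.3.3225 12.01.2006 no virus found
Ewido 4.0 12.02.2006 no virus found
Fortinet 2.82.0.0 12.02.2006 suspicious
F-Prot 3.16f 12.01.2006 no virus found
F-Prot4 4.2.1.29 12.01.2006 no virus found
Ikarus 0.2.65.0 12.01.2006 no virus found
Kaspersky 4.0.2.24 12.02.2006 no virus found
McAfee 4909 12.01.2006 no virus found
Microsoft 1.1804 12.02.2006 no virus found
NOD32v2 1897 12.02.2006 no virus found
Norman 5.80.02 12.01.2006 no virus found
Panda 9.0.0.4 12.02.2006 Suspicious file
Prevx1 V2 12.02.2006 no virus found
Sophos 4.12.0 12.02.2006 Mal/Behav-010
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.127 12.01.2006 no virus found
UNA 1.83 12.01.2006 no virus found
VBA32 3.11.1 12.01.2006 no virus found
VirusBuster 4.3.15:9 12.02.2006 no virus found
"""
SCAN_DATE = date(2006, 12, 2)  # the "received in VirusTotal at 12.02.2006" line

LINE_RE = re.compile(r"^(\S+) (\S+) (\d\d\.\d\d\.\d{4}) (.+)$")
# Assumed keyword list: names like HEUR/..., Suspicious file, Generic.Malware and Mal/Behav-010
# come from heuristic or behavioural engines rather than a signature written for this sample.
HEUR_RE = re.compile(r"heur|suspicious|generic|behav", re.IGNORECASE)


@dataclass
class Verdict:
    vendor: str
    version: str
    updated: date
    result: str

    @property
    def detected(self):
        return self.result.strip().lower() != "no virus found"

    @property
    def heuristic(self):
        return self.detected and bool(HEUR_RE.search(self.result))


def parse_report(text):
    """Turn the pasted report into Verdict records; header and blank lines are skipped."""
    verdicts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        vendor, version, updated, result = m.groups()
        verdicts.append(Verdict(vendor, version, datetime.strptime(updated, "%m.%d.%Y").date(), result))
    return verdicts


def summarize(verdicts, scan_date=SCAN_DATE):
    """Split the report into the parts that matter when judging a 'mostly clean' result."""
    return {
        "engines": len(verdicts),
        "detected": [v.vendor for v in verdicts if v.detected],
        "heuristic": [v.vendor for v in verdicts if v.heuristic],
        "signature": [v.vendor for v in verdicts if v.detected and not v.heuristic],
        # a miss from an engine whose definitions predate the scan says little about a fresh sample
        "stale_misses": [v.vendor for v in verdicts if not v.detected and v.updated < scan_date],
    }


if __name__ == "__main__":
    s = summarize(parse_report(VT_REPORT))
    print(f"{len(s['detected'])}/{s['engines']} engines flagged the archive")
    for key in ("heuristic", "signature", "stale_misses"):
        print(f"{key:13}: {', '.join(s[key])}")
```

    Run as-is it reports 7 of 29 engines, only one of them (DrWeb) with a specific name, and 13 of the 22 misses coming from engines whose definitions were older than the scan.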
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  7. OCT

    OCT Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    2
    I just completed the removal of this particular rootkit on a client's computer. I'd have to say it's one of the nastiest little pieces of work I've come across to date. HijackThis found its entry while in safe mode, and the removal simply involved deleting its folder (also while in safe mode).
    All the suspect files are as outofideas posted earlier: same location and folder name.

    The effects of this rootkit were quite apparent:
    -Internet Explorer 6 (not version 7) would continually stop responding with 99% CPU utilization.
    -Outlook Express would stop responding while viewing some HTML based emails.
    -No windows updates would complete. (update.exe would reach 99% CPU utilization during this process)
    -Services.msc (the services console) would not start properly.
    -The process did not show itself in the task manager.
    -Some other programs would crash repeatedly upon start-up.

    Let me know if I should post/submit the suspect files.

    EDIT:
    I'm not entirely sure how my client managed to get this particular piece of malware, but they contacted me concerning it about the same time outofideas made his first post. They don't use Firefox or Thunderbird, so an exploit in either of these programs would be an unlikely cause of infection.
     
    Last edited: Dec 5, 2006
  8. MONA462

    MONA462 Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    1
    I found this on one of our computers. The amount of information it had in the PS_dump_* file was unbelievable. BEWARE. Credit card numbers, all places visited with everything - every field identified and logged.

    How do I get rid of it? Just delete the root? or is there something else that needs to be done?

    Thank you in advance
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi OCT

    If you could upload your batch of *files* to unknown files @ MIRT, I will take a look at the MD5s and if yours are different repacks I can upload them to the malserve list.

    TIA :)
     
  10. OCT

    OCT Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    2
    -Boot into safe mode by pressing F8 just before Windows starts
    -Browse to C:\Documents and Settings\All Users\ using Explorer
    -Delete all of the files in the suspect folder (_qbothome).
     
  11. maliwo

    maliwo Registered Member

    Joined:
    Dec 16, 2006
    Posts:
    2
    Hi,
    are you sure that these files are trojans?
    The only place where I found information about these files is this forum ...
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Absolutely *real* trojans!

    I've just uploaded the original files submitted to MIRT again to VirusTotal and Jotti service for fresh malware checking.

    There is widespread confirmation of these being Backdoor/Agent trojans (QBot).

    ~snipped virustotal results....Bubba~

    Additional Information
    File size: 6656 bytes
    MD5: 269e8f92c140e9666789d532d2b814a5
    SHA1: 953b11f98a886dfc662659e85e8e4b2d1b4326ac
    packers: UPX
     
    Last edited by a moderator: Dec 16, 2006
  13. maliwo

    maliwo Registered Member

    Joined:
    Dec 16, 2006
    Posts:
    2
    ok, many thanks :)
     
  14. outofideas

    outofideas Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    3
    Update, I think I found the "dropper" for this trojan.

    When I was first infected I dug around in my browser caches trying to find where the trojan came from with no luck. Today I had the idea to let one of the now updated scanners try to find something in a backup I had made of "Documents and Settings" folder before I restored the machine.

    The first one I tried, the free Kaspersky online scanner, found a file jloader[1] in the IE cache that it identified as containing this trojan. Un-UPXed, the file contains similar strings to some of the files that were installed in "Documents and Settings\All Users\_qbothome".

    The jloader[1] file is significantly smaller than a zipped-up copy of the _qbothome directory (~25k as opposed to ~100k), so I'm guessing it only installs part of the trojan, which then downloads the rest from elsewhere.

    Following up each automated "incident report" type email I got when I submitted this to all the AV companies would be a bit of a pain. So, so far I've sent it up to the CastleCops forum, submitted it to VirusTotal, and I sent a copy to the one AV company that mentioned it was unfortunate that my original submission didn't contain the "dropper".

    If any other AV companies would like me to send it to them directly, post or PM me here on the Wilders forums.
     
  15. pjk1

    pjk1 Registered Member

    Joined:
    Dec 27, 2006
    Posts:
    1
    This is a very nasty backdoor trojan. I was first alerted to this by, of all things, clicking on a link for watches on the web. My antivirus alerted me immediately of the threat and deleted the files on 12/12. All daily full scans showed no new threat. On December 24th, while I was not on the computer, my daily full scan found two infected qbot files and my antivirus blocked another, which were all deleted again. I went in and deleted the whole directory and, per some digging, disabled my backup as one of them was found in a _restore file. The _qbothome was under my Documents and Settings\All Users folder. Today I found two more of its friends in my user account and local_user in Documents and Settings under a folder called _cognitas. This directory had the PM files with the info, and when I tried to delete the folders it said they were being accessed. .... I logged off ... pulled my cables and removed the directories... It appears that once it has your info and you clean it ... it keeps trying to come back ... also noticed Symantec had two additional updates over the past few days ... none found this folder though.
     
  16. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    FYI - as of tonight's definition set (3156) SUPERAntiSpyware Free Edition and SUPERAntiSpyware Professional should detect and remove the actual harmful files of the QBot infection.

    The QBot infection "hooks" the user-land side of the Windows API to avoid being located, so any scanner using the Windows API may not "see" the infected files - our Kernel Direct functions sidestep the Windows API and can see the files even after they are fully installed and hooked.

    If you try it and it doesn't remove the infection, please let me know and I can analyze the files and post back the results.
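    A defender's check script covering three points raised in this thread, added as an example that is not from any poster or vendor: the first post's observation that the underscore-prefixed entries were invisible from the running system but present when the disk was read from a boot CD, fcukdat's MD5/SHA1 for the 6,656-byte sample, and the explanation above that a user-land API hook filters what API-based tools see. It sweeps a tree for the directory and file names posted here and for the posted hashes, and it compares a listing taken on the live system against one taken offline, which is the cross-view idea behind tools like RootkitRevealer and BlackLight. Assumptions: the 6,656-byte size pairs the hash with _qbotinj.exe (an inference from the first listing, not stated on the page), the live listing used in the demo is constructed to match what the first post describes, and hashing is capped to 1 MB per file so the sweep stays practical on a whole profile directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from this thread: drop directories and file names posted by outofideas and pjk1,
# and the MD5/SHA1 fcukdat posted for the 6,656-byte sample (that size matches _qbotinj.exe in the
# first listing; pairing the hash with that name is an inference, not stated in the thread).
SUSPECT_DIRS = {"_qbothome", "_cognitas"}
SUSPECT_NAMES = {"_qbot.dll", "_qbotinj.exe", "_qbotnti.exe", "_qbot_installed", "_qbot.cb",
                 "msadvapi32.dll", "crontab.cb", "si.cb", "seclog.cb", "updates.cb", "updates1.cb"}
KNOWN_MD5 = {"269e8f92c140e9666789d532d2b814a5"}
KNOWN_SHA1 = {"953b11f98a886dfc662659e85e8e4b2d1b4326ac"}

# Excerpt of the _qbothome listing as seen from the Knoppix boot CD, copied from the first post.
OFFLINE_LISTING = """\
8/10/2005 0:47 1,505 R__A________ cert.pem
11/30/2006 21:10 34,304 R__A________ msadvapi32.dll
11/30/2006 21:10 376 R__A________ si.cb
11/30/2006 21:10 373 R__A________ si.txt
11/30/2006 21:10 596 R__A________ _qbot.cb
11/29/2006 21:09 48,640 R__A________ _qbot.dll
11/23/2006 5:09 6,656 R__A________ _qbotinj.exe
11/30/2006 21:10 20,480 R__A________ _qbotnti.exe
11/30/2006 21:10 0 R__A________ _qbot_installed
"""
# Constructed: the first post says the running (hooked) system showed everything except the
# underscore-prefixed entries, so the live view is the same listing with those filtered out.
LIVE_LISTING = "\n".join(l for l in OFFLINE_LISTING.splitlines() if not l.split()[-1].startswith("_"))


def hash_file(path):
    """MD5 and SHA1 hex digests of a file, read in 64 KiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, known_md5=KNOWN_MD5, known_sha1=KNOWN_SHA1, max_hash_bytes=1_000_000):
    """Walk `root`; return (relative posix path, reason) for every name or hash match."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in SUSPECT_DIRS:
                findings.append(((Path(dirpath) / d).relative_to(root).as_posix(), "suspect directory name"))
        for f in filenames:
            full = Path(dirpath) / f
            rel = full.relative_to(root).as_posix()
            if f.lower() in SUSPECT_NAMES:
                findings.append((rel, "suspect file name"))
            try:
                if full.stat().st_size <= max_hash_bytes:
                    md5, sha1 = hash_file(full)
                    if md5 in known_md5 or sha1 in known_sha1:
                        findings.append((rel, "known sample hash"))
            except OSError:
                pass  # locked or unreadable file: note nothing rather than abort the sweep
    return findings


def parse_dir_listing(text):
    """Names from a `dir`-style listing (date time size attributes name): the last field per line."""
    return {line.split()[-1] for line in text.splitlines() if len(line.split()) >= 5}


def hidden_from_live_view(live_listing, offline_listing):
    """Cross-view check: entries the offline (boot CD) listing has but the live listing lacks."""
    return sorted(parse_dir_listing(offline_listing) - parse_dir_listing(live_listing))


CONSTRUCTED_SAMPLE = b"MZ constructed stand-in, not the real file"


def sample_md5():
    return hashlib.md5(CONSTRUCTED_SAMPLE).hexdigest()


def build_constructed_tree():
    """Throwaway tree mimicking the drop directory so the sweep can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    drop = root / "All Users" / "_qbothome"
    drop.mkdir(parents=True)
    (drop / "si.txt").write_bytes(b"computer name / user name / ip (constructed)")
    (drop / "_qbot.dll").write_bytes(CONSTRUCTED_SAMPLE)
    (root / "All Users" / "Desktop").mkdir()
    return root


if __name__ == "__main__":
    tree = build_constructed_tree()
    for path, reason in sweep(tree):
        print(f"{reason:24} {path}")
    print("hidden from live view:", hidden_from_live_view(LIVE_LISTING, OFFLINE_LISTING))
```

    On a real machine the live listing should come from the tool you suspect is being lied to (a `dir` at the command prompt on the running system, as the first post did) and the offline listing from a boot CD or a mounted image; the script itself, run on the live system, is subject to the same hook and would miss the same entries, which is exactly why the offline side of the comparison exists.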
     
  17. TheAbyss

    TheAbyss Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    1
    Got him today - maybe yesterday.
    It was pure luck that I detected him - he slowed my PC down and I found him later thanks to you guys.
    Norton didn't find anything.

    So I downloaded SUPERAntiSpyware - and the program found him too.
    So we will see if it can be removed.

    Is it actually possible for that trojan to send data through a firewall?
    Wouldn't he be detected, and wouldn't the firewall ask if I want to allow this?
     
  18. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    If we don't fully remove it, let me know and send in the samples to samples AT superantispyware.com and we will update our definitions.

    As far as trojans/rootkits, etc. sending "through" a firewall goes, yes, it can easily be accomplished - they can have their own TCP/IP "stack" and communicate directly.
     