Friday, May 20, 2011

Qakbot Outbreak and Removal

I recently had to deal with a large Qakbot worm outbreak. Qakbot's an information gathering nuisance. It appeared that there were three different variants of the worm. The problem was that it spread through the desktops and the servers through domain admins. This is likely because of domain admins logging into infected workstations.
  Unfortunately, the centralized AV was not fully deployed - and was sometimes out of date. The problem was magnified by the fact that the company is multi-site and fairly wide open, subnet wise.
  Apparently, Qakbot spreads through CIFS shares. It likes to push itself through the administrative shares and place executables to be run into the All Users directory. It then creates registry entries to start itself upon login.  It does annoying things like changing permissions on the AV program directories such that updates won't work. It then uses the credentials of the user to attack the administrative shares and (likely) remote registry service of other machines. This can be bad if you happen to be a domain admin, Anyway, the virus doesn't seem to work correctly on Windows 7 or 2008 for some reason.

  The biggest problem removing it was that we were not able to isolate segments of the network, and by logging on, you'd simply activate it, if the executables had already been placed.
  I figured out a simple way to clean up a machine remotely (do this at your own risk, of course. You may damage your system if you are not careful.):

  • 1. First, check out the administrative share of the machine:
        \\c$\documents and settings\all users\application data\microsoft

        The Qakbot worm creates a randomly named directory. Let's pretend our folder name was "gvcajscwxoq." I can't tell you exactly what it'll be called, but the name will be rather random and should have only one exe, two dlls, and maybe some .tmp or .dmp files.  So, we'd have a folder called:
      \\c$\documents and settings\all users\application data\microsoft\gvcajscwxoq
    There will be an executable and two DLLs witht the same name as the folder "gvcajscwxoq." There may be a few other tmp files. What you need to do is delete or rename the files to a different extension - like .vir.


  • 2. rename gvcajscwxoq.exe to gvcajscwxoq.vir.

  • 3. rename all the DLLs in that folder called "gvcajscwxoq" to another name.


    That works well enough if the virus isn't active on the machine. If it is, you'll need to kill the process remotely before logging in. I found a useful freeware commercial tool called Desktop Central:

    Desktop Central

    (note, I'm in no way associated with that company. I just found the tool to be useful.)


  • 4. Anyway, after installing the free edition on your local work station, launch the tool and launch "remote task manager"

    Provided it can connect to the infected machine, you should find the rogue process running as the same random  name of the folder you attempted to rename above. End that process (make sure it's the same random name!) Wait about 20-30 seconds and then try to rename the remaining files in the application data\microsoft folder. You should be able to. You probably can't rename the bad folder, yet.


  • 5. Now, you can log into the box. Run msconfig and look under the startup tab very carefully. The worm likes to append itself to a legitimate application's startup. For instance, if you had a network management suite gui that started up, like the Broadcom control suite, it might modify that entry to launch itself and then the Broadcom suite. You should find one entry with the gvcajscwxoq.exe file listed. I'd recommend removing that portion or just disabling the service. Be careful, you'll be disabling a program that normally starts for all users.



  • 6. Now that you've removed the threat, install/update your anti-virus. You may need to modify permissions for your AV software as Qakbot may have changed things. Check out your anti-virus vendor's help section; they may have a tool to change the permissions.
     

     I'd also recommend that all domain admins check out the administrative shares of boxes before logging into them. Remember from above:

    For Windows 2000-2003, XP, look in
    \\servername\c$\documents and settings\all users\application data\microsoft

    For Windows 2008, Vista, and Windows 7, try looking in c:\programdata\microsoft

    If you see a randomly named folder with an exe and two dlls in it, you'll need to cleanup the server before logging in.
  • No comments: