MSRT December: If it quacks like a bot, it’s probably Qakbot.

This month, the MSRT team has added the Win32/Qakbot family of backdoors to its detections. Qakbot is composed of several components, including a keylogger, a password stealer and a user-mode rootkit. Qakbot is commonly distributed as the payload of what appear to be attacks targeted mainly at enterprise installations.
Qakbot starts as highly obfuscated JavaScript that downloads and runs an installer and a user-mode rootkit. At this point, Qakbot is hidden from the user while it downloads the rest of the Qakbot package.
Qakbot next gathers information and steals anything that it can find. This includes logins and passwords, banking information, user keystrokes and information about the local infection. All of the gathered information is then encrypted into a custom log file and uploaded to a remote server via FTP.
In addition to all of these capabilities, the Qakbot family also has the ability to update itself to make sure that it's running a recent version of the malware.
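The FTP upload step described above is something a defender can look for in network logs. The following Python is an added example, not code from the original post or from MSRT; the tab-separated log layout, the addresses, the file names and the approved-server list are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organisation's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}  # FTP commands that send a file to the server

# Constructed sample records (not real telemetry), tab-separated:
# timestamp, client IP, server IP, FTP command, argument, bytes transferred
SAMPLE_LOG = """\
2024-01-15T09:14:02Z\t10.20.4.17\t203.0.113.50\tSTOR\tupload_0001.bin\t48211
2024-01-15T09:44:05Z\t10.20.4.17\t203.0.113.50\tSTOR\tupload_0002.bin\t51877
2024-01-15T10:02:31Z\t10.20.7.80\t198.51.100.9\tRETR\tdriver.zip\t901222
2024-01-15T10:15:40Z\t10.20.9.3\t198.51.100.9\tSTOR\tsite/index.html\t7340
2024-01-15T10:20:11Z\t10.20.4.17\t10.20.1.5\tSTOR\tbackup.tar\t120000
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_ftp_uploads(log_text, approved_servers=frozenset()):
    """Summarise uploads from internal clients to external FTP servers that are
    not on the approved list: {(client, server): {"files": n, "bytes": total}}."""
    hits = defaultdict(lambda: {"files": 0, "bytes": 0})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6 or not fields[5].isdigit():
            continue  # skip malformed records rather than guessing
        _ts, client, server, command, _arg, size = fields
        try:
            src, dst = ipaddress.ip_address(client), ipaddress.ip_address(server)
        except ValueError:
            continue
        if command.upper() not in UPLOAD_COMMANDS:
            continue  # downloads and directory listings are not uploads
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external transfers are of interest
        if server in approved_servers:
            continue  # known business FTP destinations
        hits[(client, server)]["files"] += 1
        hits[(client, server)]["bytes"] += int(size)
    return dict(hits)

if __name__ == "__main__":
    for (c, s), st in find_ftp_uploads(SAMPLE_LOG, {"198.51.100.9"}).items():
        print(f"{c} -> {s}: {st['files']} uploads, {st['bytes']} bytes")
```

A workstation that repeatedly uploads files to an unapproved external FTP server, as 10.20.4.17 does in the sample, is worth investigating whether or not the cause turns out to be Qakbot.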
The Qakbot family has been getting a decent amount of press for its use in several high-profile attacks. We've been keeping close tabs on the malware, and we're happy to be adding it to MSRT this month.
You can do more to protect your Internet experience by running a full AV solution, such as Microsoft Security Essentials, for real-time protection. Download and install Microsoft Security Essentials from
Dan Kurc and Aaron Putnam
