Today, we’re releasing a Microsoft Malware Protection Center Threat Report on Qakbot as a follow-up to the recently-released Microsoft SIRv10 and our special report on Battling Botnets in late 2010. This report focuses on one botnet in particular, Qakbot. Qakbot is a backdoor that includes user-mode rootkit functionality to hide itself and also steal sensitive user data from infected machines.
In addition to some of the interesting traits of Qakbot, such as the areas of the world where it’s most prevalent and the types of computers it targets, we found one particular aspect to be quite interesting – where the Qakbot authors may have gotten some of their code.
We have long suspected that the Qakbot authors were taking code samples from the Internet and incorporating them into their malware as the family evolved. Recently, while reviewing some of the earliest samples of Qakbot, we found something interesting: NtIllusion debug strings.
NtIllusion is a rootkit that was first disclosed in an article within the underground security zine called Phrack in July of 2004. It includes functionality to hide processes, files, registry entries, and evidence of TCP/IP communication. It hooks several network communication APIs in order to steal POP3 and FTP passwords. This code still appears in Qakbot today.