{
	"id": "f95b343c-d81e-420e-b24d-bebded38caec",
	"created_at": "2026-04-06T00:18:43.597058Z",
	"updated_at": "2026-04-10T13:12:47.486716Z",
	"deleted_at": null,
	"sha1_hash": "8de360023e620b76afb5f350ef7498c03bc6371b",
	"title": "Qakbot, Data Thief Unmasked: Part II",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46884,
	"plain_text": "Qakbot, Data Thief Unmasked: Part II\r\nArchived: 2026-04-05 13:36:10 UTC\r\nTheft\r\nAs we discussed in Part I, the primary purpose of Qakbot is to steal information from the compromised computer. In addition to targeting login details for FTP, POP3 and IMAP, the worm also attempts to steal cookies: not only regular browser session cookies but also Flash cookies. A discussion of Flash cookies is beyond the scope of this article, but be aware that, unlike traditional browser cookies, Flash cookies are not controlled through the cookie privacy controls in a browser, which means they cannot be cleared or deleted in the simple way that normal tracking cookies are removed.\r\nQakbot uses several techniques to collect private keys from the system certificates on the compromised computer. First, it replaces all certificate-related dialog boxes so that the “OK” button is automatically pushed as soon as the dialog is created. As a result, the user never sees the “OK” button. It also prevents all message boxes from being displayed. Secondly, it hooks password input windows in order to steal any characters entered. Thirdly, it patches the CPExportKey API to bypass its security checks and enumerates the private keys.\r\nIt also regularly sends the geographical location and browser information of the compromised computer to a pre-defined URL, as shown below. All traffic between the compromised computer and the Qakbot command \u0026 control servers is encrypted using SSL.\r\n[Screenshot: status_info_blurred.jpg]\r\nUpdate\r\nQakbot has functionality to download updates to itself in several different ways.\r\nIt downloads we.js as %System%\\sconnect.js if 18000 seconds (5 hours) have passed since the last update. Upon successful download of sconnect.js, Qakbot adds a scheduled task to the compromised computer that executes sconnect.js as %Windir%\\Tasks\\[RANDOM NAME].job (defined as “instwd” in .cb files). The task itself is visible in the scheduled tasks window and is set to run every 4 days, despite the fact that the task actually renews itself every 5 hours. It then downloads q1.dll as %Temp%\\msvcrt81.dll and q2l.jpg as %Temp%\\drwatson.exe and instructs drwatson.exe to inject msvcrt81.dll into the running process iexplore.exe, effectively updating the instance of itself masquerading in memory as iexplore.exe.\r\nQakbot also downloads .cb files containing configuration information. The .cb files are encoded with an exclusive OR and a rotation of bytes, and are decoded by _qbot.dll.\r\n[Screenshot: Screenshot_qbot.cb_edited.dec_.PNG]\r\nAs shown above, the .cb files contain a list of FTP sites that seclog.txt (which contains the stolen information) is to be uploaded to, as well as the username and password for each FTP site. Notably, if the configuration “cleanup” exists, Qakbot executes the command listed directly following the semicolon in the configuration \"startup\". It creates the file \"uninstall.tmp\", which commands _qbotinj.exe to remove Qakbot from the compromised computer.\r\nWhile we wouldn’t exactly recommend it as an effective means of removing the threat from a compromised computer, it was interesting to note during our testing that simply creating a blank text (.txt) file in the Qakbot directory and renaming it to \"uninstall.tmp\" was enough to trigger the uninstall routine upon rebooting. Several seconds after restarting the computer, Qakbot deleted its own directory and all files therein. It then required a second reboot to remove the threat process in memory that was responsible for the file/folder removal, and although the scheduled task and registry entry remained, as there were no longer any files to call, the threat was essentially neutralized.\r\nQakbot also regularly updates the .cb files with the status of the threat, such as install time, run class (e.g. user, admin, win98) and several other pieces of information.\r\nDefense\r\nAnd there you have it. A brief look under the hood has shown how the W32.Qakbot worm uses existing, legitimate processes to hide behind, giving it an enhanced ability to bypass security checks and to evade detection by the untrained eye; that it contains the mechanics to update itself, essentially allowing the author to reconfigure its functionality within the limits of its defining parameters as he or she sees fit; how it attempts to spread over network shares; and how it tries to maintain control of the system it has compromised while simultaneously attempting to avoid detection.\r\nNetwork administrators will hopefully find some of this information useful in helping protect their environment, or in the worst case at least in determining that machines on their network may be infected with Qakbot. Unexpected FTP traffic, scheduled tasks with “qbot” somewhere in the task name, machines madly attempting to enumerate network shares, registry keys containing the letters “qbot” (note that the default registry editor probably won’t be useful here), Internet connections to destination ports between 16666 and 16669 (again, the local TCP table will be hidden, so use some other means to monitor this) and other telltale signs should all be watched for.\r\nIt is obvious someone has gone to a good deal of effort to get their hands on certain aspects of our private information. The least we can do in return is defend ourselves to the best of our ability to prevent them from succeeding. Keeping our security software up-to-date is only one of the tools in our arsenal.\r\nA big thanks to Masaki Suenaga and Takayoshi Nakayama for their analysis.\r\nSource: https://web.archive.org/web/20110406012907/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20110406012907/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii"
	],
	"report_names": [
		"qakbot-data-thief-unmasked-part-ii"
	],
	"threat_actors": [],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8de360023e620b76afb5f350ef7498c03bc6371b.pdf",
		"text": "https://archive.orkl.eu/8de360023e620b76afb5f350ef7498c03bc6371b.txt",
		"img": "https://archive.orkl.eu/8de360023e620b76afb5f350ef7498c03bc6371b.jpg"
	}
}