The Return of Qakbot

Together with João Gouveia of AnubisNetworks, and using their real-time feeds, I’ve been looking at Qakbot, a piece of malware that was huge in 2011 and had since disappeared off the radar.
We found that Qakbot is still active and there are at least 20,000 infected devices. The command and control protocol has progressed from version 2 back in 2011 to version 8 today. We cracked the obfuscation used in earlier protocols, but are still struggling with version 8, which appears to use encryption rather than obfuscation.
I tried a large number of obvious and slightly less tricks to crack the protocol (including RC4, which I didn’t mention in the blog post), but so far to no avail. If anyone has any suggestions on how the encryption might work, we are of course happy to learn of it.
Still, I am quite content with the research we did, which will hopefully contribute to the knowledge of and the fight against Qakbot. The blog post is here. (NB the original blog post is not available any longer; an archived version can be found here.)

One reply on “The Return of Qakbot”

Leave a Reply

Your email address will not be published. Required fields are marked *