June 05, 2011
We recently received a computer that we believed to be infected with malware. The goal was to determine whether the computer was infected or had been compromised. Once the malicious content was identified, our next step was to author the Network Inspection System (NIS) signature that can block the malicious communication. After we took the snapshot, we checked for any malicious dynamic link library (DLL) files that could be getting injected into processes.
As shown in figure 1.0, iuyqsel.dll seems to be malicious. The name is very unusual, and the path from which it was being injected into IE does not seem to be the normal system32 file path. As shown in figure 2.0, the next step was to dump the DLL and analyze its content in a debugger.
Once we started analyzing the malicious DLL file, it became quite obvious that we were analyzing Qakbot malware. This was further confirmed by the log of the NIS signatures. We had pretty much all the NIS signatures needed to monitor the malicious communication. Qakbot is a widely discussed piece of malware, and we do not plan to repeat that information here.
However, while analyzing the code through static analysis, I realized that the file makes an HTTP request with /cgi-bin/jl/ad03.pl?pv=2&d= in the URI. This appears to be some sort of downloader file. Another NIS signature was added to monitor this malicious communication. We are actively tracking and monitoring the malicious activity of Qakbot.
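The same URI pattern can be hunted for in existing web proxy logs. The following is an added example, not the NIS signature or any code from the original post: the log layout, the sample lines, and the function names are assumptions made for illustration, and the match is deliberately a little broader than the literal string (parameter order, percent-encoding, and doubled slashes are normalized).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicator taken from the post: request URI /cgi-bin/jl/ad03.pl?pv=2&d=
INDICATOR_PATH = "/cgi-bin/jl/ad03.pl"

# Assumed log layout (constructed for this example):
# timestamp client-ip method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def matches_indicator(url: str) -> bool:
    """True when the URL's path and query match the URI pattern from the post."""
    parts = urlsplit(url)
    # Decode percent-encoding and collapse duplicate slashes so trivial
    # rewrites of the path still match.
    path = re.sub(r"/+", "/", unquote(parts.path))
    if path.lower() != INDICATOR_PATH:
        return False
    # keep_blank_values so an empty "d=" still counts as the parameter being present.
    query = parse_qs(parts.query, keep_blank_values=True)
    return query.get("pv") == ["2"] and "d" in query

def find_hits(lines):
    """Return (timestamp, client, url) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and matches_indicator(m["url"]):
            hits.append((m["ts"], m["client"], m["url"]))
    return hits

# Constructed sample lines; hosts and addresses are reserved documentation values.
SAMPLE_LOG = [
    "2011-06-05T10:00:01Z 192.0.2.10 GET http://host.example/cgi-bin/jl/ad03.pl?pv=2&d=AAAA 200",
    "2011-06-05T10:00:05Z 192.0.2.11 GET http://host.example/index.html 200",
    "2011-06-05T10:00:09Z 192.0.2.10 GET http://host.example/cgi-bin//jl/ad03.pl?d=BBBB&pv=2 200",
    "2011-06-05T10:00:12Z 192.0.2.12 GET http://host.example/cgi-bin/jl/ad03.pl?pv=1&d=CCCC 200",
    "2011-06-05T10:00:15Z 192.0.2.13 GET http://host.example/cgi-bin/jl/%61d03.pl?pv=2&d= 404",
]

if __name__ == "__main__":
    for ts, client, url in find_hits(SAMPLE_LOG):
        print(f"{ts} {client} requested {url}")
```

Clients that appear in the output are candidates for the same host-level triage described above, starting with the modules loaded into their browser processes.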
AlertLogic customers are protected against the exploitation of Qakbot.