Towering Qbot Certificates

New stolen digital certificates are used by the multi-purpose backdoor Qbot.

The criminals behind the Qbot trojan are certainly not inactive. As I mentioned in a blog post earlier this month, after a quiet summer we have seen a batch of new Qbot variants. An interesting fact is that the malicious binaries were digitally signed. The stolen certificate was issued to a company called Word & Brown and was later revoked by Verisign.

Yesterday, the virus-writers built a new variant of this multi-purpose backdoor. It uses a new packer, which is quite distinct from those used in previous releases. ESET’s scanning engine was able to detect the trojan heuristically.

These new samples are again digitally signed using a different certificate to the one used before. The current one was issued to Towers Watson & Co and at the time of this writing, we are working on having this certificate revoked.

ESET security software detects these versions of the trojan as Win32/Qbot.AY. A careful reader may have noticed that the detection name is the same as the one mentioned in my previous post. The reason for this is that, under-the-hood, yesterday’s update isn’t really a new variant. It’s the same malware, but a new packer (outer layer for avoiding detection) and a new digital certificate have been used.

Robert Lipovsky

Malware Researcher

Author Robert Lipovsky, ESET

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.