Towering Qbot Certificates

New stolen digital certificates are used by the multi-purpose backdoor Qbot.

The criminals behind the Qbot trojan are certainly not inactive. As I mentioned in a blog post earlier this month, after a quiet summer we have seen a batch of new Qbot variants. An interesting fact is that the malicious binaries were digitally signed. The stolen certificate was issued to a company called Word & Brown and was later revoked by Verisign.

Yesterday, the virus-writers built a new variant of this multi-purpose backdoor. It uses a new packer, which is quite distinct from those used in previous releases. ESET’s scanning engine was able to detect the trojan heuristically.

These new samples are again digitally signed using a different certificate to the one used before. The current one was issued to Towers Watson & Co and at the time of this writing, we are working on having this certificate revoked.

ESET security software detects these versions of the trojan as Win32/Qbot.AY. A careful reader may have noticed that the detection name is the same as the one mentioned in my previous post. The reason for this is that, under-the-hood, yesterday’s update isn’t really a new variant. It’s the same malware, but a new packer (outer layer for avoiding detection) and a new digital certificate have been used.

Robert Lipovsky

Malware Researcher

Author Robert Lipovsky, ESET

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

2 articles related to:
Hot Topic
27 Sep 2011
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.