DIR ADVISORY

DIR ADVISORY-- W32.Qakbot Worm , Compromised FTP sites and Government Systems

DIR has been made aware of some FTP servers, located in the US and abroad that have received keystroke logging data files from infected systems.

W32.Qakbot, first identified in May 2009, is a worm that spreads through network shares. It downloads additional files, steals confidential information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence.  Most, if not all, updated Anti-Virus solutions prevent this year-old worm from infecting systems.

The worm spreads by exploiting vulnerabilities when a user visits certain Web pages. Exploit code hosted at these remote locations downloads the threat on to the compromised computer. Many of the infections are aided by users unwittingly clicking on malicious links. The worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker.

While W32.Qakbot has multiple capabilities, its ultimate goal is clearly theft of information. W32.Qakbot is capable of gathering a number of different kinds of information, including the following confidential information:

• Authentication cookies, including Flash cookies
• DNS, IP, hostname details
• OS and system information
• Geographic and browser version information
• Keystrokes including login information
• Login details for FTP, IRC, POP3 email, and IMAP email
• Outlook account information
• Private keys from system certificates
• Login credentials for certain websites
• URLs visited

1.      PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.

1.1  Update and enable Anti-virus software

A first line of defense; organizations and users are encouraged to review the details outlined in this advisory, update anti-virus versions and definitions, and ensure that anti-virus software is actually enabled and working.

1.2 Patch Operating System and Software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are distributed by vendors.

This threat is known to be spread by exploiting certain vulnerabilities. Installation of patches for the following vulnerabilities will reduce the risk to your computer.

• Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID 10514)
• Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462)
• Apple QuickTime for Windows Remote Code Execution Vulnerability (BID 25913)
• Apple QuickTime RTSP URI Remote Buffer Overflow Vulnerability (BID 21829)

1.3 User Behavior and Precautions
Users are advised not to open or execute files from unknown sources. It is also advisable to disable the execution of JavaScript in client applications to prevent execution of unwanted scripts.

Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.

1.4 Address Blocking
Block access to the following addresses using a firewall or router, or add entries to the local hosts files to redirect the following addresses to 127.0.0.1:

• A[.]rtbn2[.]cn
• adserv[.]co[.]in
• c[.]rtbn2[.]cn

�         gator862[.]hostgator.com

�         ftp[.]5150[.]clanservers[.]com

• ftp[.]abid.co[.]cc
• ftp[.]buldrip.com
• ftp[.]dfarchs[.]com
• ftp[.]fantasyworldtravel[.]net
• ftp[.]successful-marketers[.]com
• hostrmeter[.]com
• nt002[.]cn
• nt010[.]cn
• nt202[.]cn
• up002[.]cn
• up004[.]cn
• uu002[.]cn
• w1[.]webinspector[.]biz
• web192[.]ixwebhosting[.]com
• www[.]cdcdcdcdc212121cdsfdfd[.]com
• www[.]cdcdcdcdc2121cdsfdfd[.]com
• zenpayday[.]com
• zurnretail[.]com

1.5 Network Port Blocking
Some of the vulnerabilities used to compromise computers have been known to use a TCP port between 16666 and 16669 to spread. Blocking this port range at the network perimeter may help to reduce the risk to your computer.


1.6 Network Shares
This threat is also known to spread inside networks by using shares. The following steps can help protect your computer against this threat:

• Users are advised to ensure that all network shares are only opened when they are necessary for use.
• Use a strong password to guard any shared folders or accounts. A strong password is a password that is of sufficient length of 8 or more characters. The password should also use a combination of numeric, capital and lowercase characters, along with one or more symbols. Commonly used words from everyday language should not be used as they may easily be defeated by a dictionary attack.
• Disable the autorun feature to prevent dropped files from running automatically when a network drive is opened.

IMPORTANT:  If a state system has been determined to have been infected with this worm, please notify DIR Security immediately: dir.security@dir.state.tx.us

In a related action, DIRimplemented blocking of all traffic destined to the following IP addresses, as noted in an earlier NSOC Blocking Notice :

206.188.193.195

174.120.28.2

12.97.188.57

 62.204.145.206 

 66.55.132.6

Security Incident Reporting Instructions:

Note: The 24/7 emergency number for the Security Office is 512-350-3282.
The secondary contact is Kevin White, 512-463-7189 (office) or 512-762-3172 (cell).

For more information, visit: http://www.dir.state.tx.us/security/incidents/index.htm

DIR Security