Fast-mutating Qbot malware plays hide and seek with AVs

Analysis by security vendor BAE Systems has confirmed that an updated version of the Qbot or Qakbot malware that downed IT systems at Melbourne Health in January and February this year would have been almost undetectable by antivirus utilities.

Qbot first emerged in 2009, but a new variant of the malware struck Melbourne Health in January this year, and turned out to almost impossible to eradicate due to its ability to change itself to avoid detection.

BAE confirmed that the Qbot has been carefully designed to fly under the radar and hide from AV tools.

"The server-based polymorphism used by Qbot allows it to largely avoid AV detection. Typically, out of 55 AV vendors, only a couple of reputable AV vendors are reliably able to detect Qbot - or to be specific, generically detect its external decryptor," the BAE researchers wrote.

The Qbot updates itself every day or two with a new version. This prevents AV utilities which have added detection for existing Qbot variants from identifying the freshly mutated malware.

The virus protects itself with a complex run-time encryptor, with its application programming interfaces and alphanumerical strings inside the binary code scrambled as well, BAE said.

Qbot also contains bugs that cause infected PCs running Windows XP to crash and not restart. Ironically, this incompatibility with older Windows versions allowed the malware to be detected, when technicians were alerted to its presence because computers refused to start.

Once running in the memory of infected systems, Qbot tests network connection speeds and attempts to forward login credentials for email programs, remote desktop, and other utilities cached on Windows, to attackers command and control servers with randomly generated domain names.

The malware can also intercept sensitive user information such as internet banking session data, and send these to attackers. Australian banks are however not targeted by Qbot currently, as they are not listed in the malware.

BAE's telemetry show that English-speaking countries were the hardest hit by Qbot. The United States accounted for the vast majority of Qbot attacks, with 61,665 recorded, followed by Canada (3426) and the UK (1773).

Australia was the sixth-most Qbot infected country with 384 cases registered. BAE used internet protocol address geolocation to determine where Qbot victims are in the world.

Attackers target mainly universities and high schools with the malware, but also healthcare providers and businesses. Qbot spreads via the compromised websites using malicious Javascript and the Rig Exploit Kit to deliver the malware to users' systems.

Some 54,500 Windows PCs have been hit by Qbot around the world so far.