Microsoft Malware Protection Center today released a new “threat report on Qakbot” as a follow-up to the recently-released SIRv10.
“Qakbot is a backdoor that includes user-mode rootkit functionality to hide itself and also steal sensitive user data from infected machines. […] We’ve long suspected that the Qakbot authors were taking code samples from the Internet and incorporating them into their malware as the family evolved. Recently, while reviewing some of the earliest samples of Qakbot, we found something interesting: NtIllusion debug strings,” the MMPC wrote.
“NtIllusion is a rootkit that was first disclosed in an article within the underground security zine called Phrack in July of 2004. It includes functionality to hide processes, files, registry entries, and evidence of TCP/IP communication. It hooks several network communication APIs in order to steal POP3 and FTP passwords. This code still appears in Qakbot today,” said the MMPC.
You can read more about Qakbot in the threat report by downloading it here.