Here is the information about the Qakbot with MD5 hash that CompanyB is dealing with.
From what I could read about on Symantec's website Qakbot takes advantage of 2 Microsoft Vulnerabilities and 2 Qucktime Vulnerabilties to elevate priviledges to administrative rights for installing of a rootkit.
security_response/writeup.jsp? docid=2009-050707-0639-99& tabid=2>
This threat is known to be spread by exploiting certain vulnerabilities. Installation of patches for the following vulnerabilities will reduce the risk to your computer.
- Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID 10514)
- Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462)
- Apple QuickTime for Windows Remote Code Execution Vulnerability (BID 25913)
- Apple QuickTime RTSP URI Remote Buffer Overflow Vulnerability (BID 21829)
Vicki and I spent some time researching the virus to make sure that CompanyA wasn't vulnerable. After a couple of tries we found a still infected computer in CompanyB's Purchasing Department.
When Vicki and I got there we rebooted the machine into Safe Mode to see if we could run the approved removal tools that was distributed by CompanyB. As we were running the Symantec Removal tool, I went looking through the registry and file system looking for suspicious files. I found 4 lines under the HKLM/software/microsoft/
windows/currentversion/run key. Two entries were of applications that I was familiar with, one being Symantec's anti-virus and the other being a common driver or syncing software. The other two items looked suspicious at first because they pointed to c:\documents and settings\all users\application data\microsft\soihag\ but since I wasn't familar with all CompanyB's software, I assumed that they must be legitimate.
While searching through the file system, I double clicked on what I thought was a randomly named folder (Because the OS was hiding the extension for know filenames) when in fact it was a randomly named .exe's on the root of the drive (C:) At this time we were still off of the network and booted into the Safe Mode, but the next time I looked for the registry entry to look for specifics of the semi-suspicious files I was not able to find them. I believe at that time, there was a rootkit altering the system and everything else I learned was possibly compromised.
Before restarting into Normal mode, I deleted the suspicious folder c:\documents and settings\all users\application data\microsoft\soihag
Eventually I ended up deleting the entire Microsoft folder (c:\documents and settings\all users\application data\microsoft) assuming that Office or other applications could recreate the information. After rebooting a second time in Normal Mode. Symantec Antivirus gave us a dll warning. This is when I felt pretty confident that the virus was removed. Symantec then started rebuilding itself, it ran into not having the correct permissions to reinstall into c:\program files\common files\symantec shared. This furthered my confidence that we had given the virus a huge blow because the administrator account also didn't have the permissions necessary to view the file. After taking ownership of the directory and inheriting permissions, Symantec was able to be installed without any indication of infection.
The virus seems to difficult to uninstall consistently and effectively. Re-Imaging the 40 odd computers is a wise choice. Although I think you could have chosen to assign an Operating System from SCCM to automate some of the process. This would be a little difficult because those computers would have to be on the network during the time it took for the automated assigned task sequence to start.
CompanyA will probably not be vulnerable because of our Windows Update policies (the vulnerabilities were from 2003 and 2006 respectively) and administrative right policies. In fact I went back to CompanyA's McAfee reporting to see if we were hit by a variant of qakbot called pinkslipbot. We had 4 detections on 2 machines and all files were deleted.
Post a Comment