New stolen digital certificates are used by the multi-purpose backdoor Qbot.

The criminals behind the Qbot trojan are certainly not inactive. As I mentioned in a blog post earlier this month, after a quiet summer we have seen a batch of new Qbot variants. An interesting fact is that the malicious binaries were digitally signed. The stolen certificate was issued to a company called Word & Brown and was later revoked by Verisign.

Yesterday, the virus-writers built a new variant of this multi-purpose backdoor. It uses a new packer, which is quite distinct from those used in previous releases. ESET’s scanning engine was able to detect the trojan heuristically.

These new samples are again digitally signed using a different certificate to the one used before. The current one was issued to Towers Watson & Co and at the time of this writing, we are working on having this certificate revoked.

ESET security software detects these versions of the trojan as Win32/Qbot.AY. A careful reader may have noticed that the detection name is the same as the one mentioned in my previous post. The reason for this is that, under-the-hood, yesterday’s update isn’t really a new variant. It’s the same malware, but a new packer (outer layer for avoiding detection) and a new digital certificate have been used.

Robert Lipovsky
Malware Researcher


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s