The operators of the Necurs botnet, best known for being one of the most prolific spam botnets of the past few years, have pushed out updates to its client, which provide some important lessons about why malware infections matter.
More on Virus Bulletin’s blog.
Together with João Gouveia of AnubisNetworks, and using their real-time feeds, I’ve been looking at Qakbot, a piece of malware that was huge in 2011 and had since disappeared off the radar.
We found that Qakbot is still active and there are at least 20,000 infected devices. The command and control protocol has progressed from version 2 back in 2011 to version 8 today. We cracked the obfuscation used in earlier protocols, but are still struggling with version 8, which appears to use encryption rather than obfuscation.
I tried a large number of obvious and slightly less obvious tricks to crack the protocol (including RC4, which I didn’t mention in the blog post), but so far to no avail. If anyone has any suggestions on how the encryption might work, we are of course happy to learn of it.
Still, I am quite content with the research we did, which will hopefully contribute to the knowledge of and the fight against Qakbot. The blog post is here. (NB the original blog post is not available any longer; an archived version can be found here.)