How FBI remotely deleted QBot malware from 700K computers worldwide

The United States government said today that a multinational law enforcement operation has destroyed Qakbot, also known as QBot, an infamous botnet and malware loader that was responsible for losses that amounted to hundreds of millions of dollars all over the globe, and that they have confiscated more than $8.6 million in illegal cryptocurrencies.

During a news conference held on Tuesday to announce the takedown of the botnet, United States Attorney Martin Estrada referred to the investigation as “the most significant technological and financial operation ever led by the Department of Justice against a botnet.” Duck Hunt was headed by the FBI. For one thing, the federal government developed some software that, when installed on computers that were infected with Qbot, would make the virus useless.

Law enforcement agencies in the United States and other countries have worked together over the last three days to confiscate 52 servers that were being used to sustain the QBot network. With assistance from France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, these agencies were successful in “preventing Qakbot from resurrecting to cause further additional harm,” as stated in the report.

The malware known as Qakbot is a classic example of a Windows-based botnet. Its operators trick people – typically through email attachments or malicious Microsoft Office documents – into downloading and running the software. Once installed, the software has the ability to retrieve and run additional payloads from remote servers. Additionally, the software communicates with remote servers to receive its orders to carry out. It may be used to backdoor affected machines, steal their passwords and record their keystrokes, drain payments from online bank accounts, and more. It is a Swiss Army knife of malicious programs.

According to an application for a seizure request that was made public by the Department of Justice, the FBI was able to acquire access to the Qakbot admin computers. This access assisted law enforcement in mapping out the server architecture that was employed in the operation of the botnet.

The Federal Bureau of study (FBI) came to the conclusion, based on their study, that the Qakbot botnet made use of Tier-1, Tier-2, and Tier-3 command and control servers. These servers are employed to send orders for devices to carry out, install malware upgrades, and download more partner payloads.

The Tier-1 servers are infected devices that have a “supernode” module loaded on them. These servers are a component of the command and control infrastructure of the botnet, and some of the victims are situated in the United States of America. Tier-2 servers are likewise command and control servers, however they are operated by Qakbot operators, often from leased servers located outside of the United States of America.

According to the information provided by the FBI, the Tier-1 and Tier-2 servers are both used in order to transmit encrypted contact with the Tier-3 servers.

These Tier-3 servers serves as the major command and control servers for the botnet, which allows them to provide new orders for infected computers to carry out, new malicious software modules for infected computers to download, and malware for infected computers to install from the botnet’s partners, such as ransomware gangs.

Infected devices carrying the Qakbot malware would, on average, interact with a built-in list of Tier-1 servers once every one to four minutes in order to establish encrypted contact with a Tier-3 server and receive encrypted orders to carry out or new payloads to download and install.

In spite of this, the FBI was able to get the encryption keys that were used to interact with these servers when they compromised the infrastructure of the Qakbot and the devices used by its administrators.

Using these keys, the FBI contacted each Tier-1 server and instructed it to replace the “supernode” module previously installed by Qakbot with one that was developed by law enforcement. This was done using an infected device that was under their control and which they had infected.

The new FBI-controlled supernode module employed new encryption keys that the Qakbot operators did not have access to. As a result, the Qakbot operators were essentially locked out of their own command and control infrastructure since they were unable to interact in any manner with the Tier-1 servers.

After this, the FBI developed a bespoke Windows DLL (f that served as a removal tool and was sent to affected devices through the compromised Tier-1 servers.

This custom DLL file, according to an analysis of the FBI module conducted by SecureWorks, delivered the QPCMD_BOT_SHUTDOWN command to the Qakbot malware that was executing on compromised devices. This causes the malware process to cease functioning.

According to the Federal Bureau of Investigation (FBI), a court gave permission for this Qakbot removal program to be developed with the express purpose of only uninstalling the virus from machines that were already infected. In addition, since the virus can only function when it is loaded into memory, the anti-malware application did not read or write anything to the hard drive throughout its operation.

The FBI is currently unaware of the overall number of devices that have been cleaned in this fashion; however, given that the process began over the weekend, they anticipate that more devices will be cleansed when they reconnect to the hijacked Qakbot infrastructure.