QAZ Trojan - Technical Analysis
RAT.QAZ / W32.QAZ / HLLW.QAZ
 
Copyright (C) October 2000, Diamond Computer Systems Pty. Ltd.
http://www.diamondcs.com.au
 
Name: RAT.QAZ

Alias(es): W32.QAZ.Worm, HLLW.QAZ, QAZ Trojan

Size: 120,320 bytes (118kb), compiled in Microsoft Visual C++, uncompressed executable.

Primary Class: Remote Access Trojan. Employs limited worm-like propagation through local shares to increase overall survival chances and network penetration depth.

Purpose: Network penetration and information gathering

File-Infector (virus): No

Port: TCP 7597 (fixed)

Origin: China

Incorrect Reports: There have been a small handful of reports written about QAZ that indicate the worm component spreads through IRC and/or newsgroups - this is not the case, and QAZ has no IRC or usenet/news capabilities of any kind. Other reports indicate email being sent to a Russian address - the QAZ version located by DiamondCS pointed to a Chinese address.

Infection: Initial execution of the QAZ trojan starts an internal install routine where the trojan - using time delays - will slowly start copying itself to various locations on the local computer and on network shares. If executed with "qazwsx.hsq" as a parameter, it will begin its information-gathering routines (after a timed delay of approximately 30 seconds).

Protocol: Custom plaintext protocol, unencrypted. Four remotely accessible commands.

Upon connection, QAZ identifies itself with a single-character prompt, ":". This is the trojan server's way of asking for a password. Responding with anything other than the correct password will result in a disconnection. The password is "qazwsx.hsq" - the first six letters, incidentally, are the left-most six keys on QWERTY keyboards. After receiving the correct password, the trojan server responds with a new single-character command prompt of ">". At this point, the client has full control over the trojan server and can start "talking" to the QAZ trojan server.

The QAZ server knows of four commands - upload, run, exit, and quit. Sending "exit" will cause the trojan server to reset its socket, safely disconnecting the client and returning the socket to Listen state, ready for another connection. Sending "quit" will cause the trojan server to unload/terminate (until the system is rebooted). The "upload" and "run" commands are all that is required to allow a hacker to upload a feature-rich trojan and execute it, and this is primarily what makes QAZ so dangerous.
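The handshake and command set just described are enough to recognise QAZ traffic passively from a reassembled TCP stream. The following detector is an added example (not DiamondCS code or part of the original analysis): it walks a conversation on port 7597 as (direction, payload) records and reports "suspect" when the ":" password prompt is seen and "confirmed" when the documented password is accepted and the ">" command prompt follows. The sessions at the bottom are constructed for the demonstration; FILE.EXE is a placeholder, and the argument syntax of "upload" and "run" is an assumption since only the command words are documented above.

```python
"""
Passive detector for the QAZ command channel (added example, not DiamondCS code).
Input is a reassembled TCP conversation as (direction, payload) records in wire
order: ("s", ...) for server->client, ("c", ...) for client->server.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

QAZ_PORT = 7597                       # fixed listening port from the analysis
QAZ_PASSWORD = b"qazwsx.hsq"          # password the server expects after ":"
QAZ_COMMANDS = {b"upload", b"run", b"exit", b"quit"}


@dataclass
class Verdict:
    prompt_seen: bool = False         # server opened with the ":" password prompt
    authenticated: bool = False       # server answered the password with ">"
    commands: List[str] = field(default_factory=list)

    @property
    def label(self) -> str:
        if self.authenticated:
            return "confirmed"        # full QAZ login observed
        if self.prompt_seen:
            return "suspect"          # QAZ-style prompt on 7597, login not completed
        return "none"


def analyze_session(dst_port: int, records: List[Tuple[str, bytes]]) -> Verdict:
    """Classify one conversation. Payloads are compared after stripping
    whitespace/line endings, since the prompt framing is not documented."""
    v = Verdict()
    if dst_port != QAZ_PORT:
        return v
    state = "await_prompt"
    for direction, payload in records:
        data = payload.strip()
        if state == "await_prompt" and direction == "s" and data == b":":
            v.prompt_seen = True
            state = "await_password"
        elif state == "await_password" and direction == "c":
            # anything other than the password makes the server disconnect
            state = "await_cmd_prompt" if data == QAZ_PASSWORD else "rejected"
        elif state == "await_cmd_prompt" and direction == "s" and data == b">":
            v.authenticated = True
            state = "commands"
        elif state == "commands" and direction == "c" and data:
            # only the command word is documented; arguments are ignored here
            word = data.split()[0].lower()
            if word in QAZ_COMMANDS:
                v.commands.append(word.decode())
    return v


# Constructed sessions for the demonstration (not real captures).
FULL_SESSION = [
    ("s", b":"), ("c", b"qazwsx.hsq\r\n"), ("s", b">"),
    ("c", b"upload FILE.EXE\r\n"), ("s", b">"),   # argument syntax is assumed
    ("c", b"run FILE.EXE\r\n"), ("s", b">"),
    ("c", b"exit\r\n"),
]
WRONG_PASSWORD_SESSION = [("s", b":"), ("c", b"password\r\n")]
OTHER_SERVICE_SESSION = [("s", b"220 mail ready\r\n"), ("c", b"QUIT\r\n")]


def demo() -> dict:
    """Run the detector over the constructed sessions and return the labels."""
    return {
        "full": analyze_session(QAZ_PORT, FULL_SESSION).label,
        "wrong_password": analyze_session(QAZ_PORT, WRONG_PASSWORD_SESSION).label,
        "other_service": analyze_session(QAZ_PORT, OTHER_SERVICE_SESSION).label,
        "wrong_port": analyze_session(25, FULL_SESSION).label,
    }


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {label}")
```

Because the protocol is plaintext and the prompts are single characters, the same state machine can be expressed as an IDS rule (server sends ":" on 7597, client replies "qazwsx.hsq", server sends ">"); matching on the port alone would flag any unrelated service that happens to use 7597.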

As re-infection occurs immediately on reboot, the Quit command on its own cannot be used for remote disinfection. However, remote disinfection could be possible if the Upload, Run, and Quit commands are used in conjunction with one another. Remote disinfection may prove a faster and more economic way of disinfecting machines from a company rather than using anti-virus software on every single terminal. However, future variants of QAZ may not be so easily detected/removed, so remote disinfection may only be possible for the current QAZ variant.

Propagation: Using time-delayed infection routines, the QAZ trojan will actively scan all 255 machines in the local domain with ARP request packets. Using local shares, it copies itself to various locations within local area networks, allowing deep (and concentrated) network penetration. 
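The ARP sweep across the local /24 is observable from the network even before any share is touched. The detector below is an added example (not DiamondCS code): given ARP-request records as (timestamp, sender IP, target IP), it reports any sender whose distinct targets within a sliding time window reach a threshold. The window (60 s) and threshold (50 distinct targets) are assumptions chosen for the example, and the log is constructed in code, with an infected host walking all 255 addresses and a benign host resolving a handful of neighbours.

```python
"""
ARP-sweep detector for the QAZ propagation behaviour (added example, not
DiamondCS code). Records are (timestamp_seconds, sender_ip, target_ip) for
ARP requests seen on the segment.
"""
from collections import Counter, defaultdict, deque
from typing import Dict, List, Tuple

ArpRequest = Tuple[float, str, str]


def detect_arp_sweeps(requests: List[ArpRequest], window: float = 60.0,
                      threshold: int = 50) -> Dict[str, int]:
    """Return {sender_ip: peak_distinct_targets} for every sender that asked
    for at least `threshold` distinct addresses inside any `window` seconds."""
    by_sender: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, dst in requests:
        by_sender[src].append((ts, dst))

    alerts: Dict[str, int] = {}
    for src, events in by_sender.items():
        events.sort()                      # sliding window needs time order
        active: deque = deque()            # (ts, dst) inside the window
        counts: Counter = Counter()        # distinct targets inside the window
        peak = 0
        for ts, dst in events:
            active.append((ts, dst))
            counts[dst] += 1
            # drop requests that have fallen out of the window
            while active and ts - active[0][0] > window:
                old_ts, old_dst = active.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def constructed_arp_log() -> List[ArpRequest]:
    """Constructed sample: 192.168.1.50 sweeps 255 addresses in ~25 s (the
    infected host), 192.168.1.10 resolves five neighbours (benign)."""
    log: List[ArpRequest] = []
    for i in range(1, 256):
        log.append((i * 0.1, "192.168.1.50", f"192.168.1.{i}"))
    for i, target in enumerate(["1", "2", "20", "30", "1"]):
        log.append((5.0 + i, "192.168.1.10", f"192.168.1.{target}"))
    return log


if __name__ == "__main__":
    for sender, n in detect_arp_sweeps(constructed_arp_log()).items():
        print(f"ARP sweep from {sender}: {n} distinct targets")
```

Because QAZ spreads its activity out with time delays, the window length matters: a sweep that is stretched over several minutes will only be caught if the window is widened or the threshold lowered, at the cost of occasionally flagging busy legitimate hosts.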

Notification: Upon infection (but using a timed delay), the QAZ trojan attempts to email data to a specified email account (nongmin_cn) at an ISP traced back to China. Both the ISP and email addresses can be changed, allowing the QAZ trojan to be used by hackers other than the original author.

Data Theft: The QAZ trojan allows for one-way file uploads, meaning a hacker using the QAZ Client to connect to the QAZ trojan server would be able to upload and execute files of their choosing. On its own (without client intervention), the worm also periodically reads through Internet Explorer's INDEX.DAT file to steal URLs and other information, and gathers information on the Local Area Network and its servers and workstations using NetBIOS. It does not actively delete or corrupt files without client intervention, and does not actively seek to cause damage to infected systems.

Acknowledgements: DiamondCS wishes to thank Dr. Peter Meier of the US National Association of Investigative Specialists for his assistance in verifying the geographical location of the QAZ IP.