Dark Reading is part of the Informa Tech Division of Informa PLC

Qakbot Malware Infections Spike

Worm that targets financial information infected 1,500 Massachusetts state PCs, potentially exposing 250,000 residents' personal details.

The Qakbot worm, which targets consumers' financial website credentials, appears to be growing more sophisticated and virulent. The long-running worm appeared in 2009, but in the past month there's been a spike in the overall number of infections seen at any given time, with daily levels reaching 20,000 or more infected machines.

As that suggests, whoever is behind the worm has been continuing to make it more effective. "In-field telemetry shows that the malware authors have gotten more and more aggressive and successful in their ability to infect the common client," according to an analysis of the worm released last week by Symantec.

Qakbot targets online bank account holders and can record keystrokes and capture digital certificates as well as website, email, and FTP passwords. The worm puts the FTP credentials to work immediately, looking for new websites into which it can inject code that then infects the PCs of whoever visits the site. But the worm can also spread via network shares and removable drives.

Otherwise, the worm waits for the PC user to log on to a targeted website--including sites operated by Bank of America, Citibank, JPMorgan Chase, SunTrust, Wachovia, and Wells Fargo. At that point, the worm "immediately sends the attackers session authentication tokens allowing the attackers to piggyback on the active session," according to the report from Symantec.

Interestingly, the worm can hide log-out links or reroute users when they attempt to log out, thus helping keep sessions active longer. "This extends the online banking session increasing the chances for the attackers to ride the existing session and illegally transfer funds," said Symantec. While two-factor authentication or other strong authentication at login won't stop the worm--it waits while a user enters these credentials--banks that use strong authentication at transaction time will block Qakbot, since attackers won't be able to transfer or wire money from the targeted account to an outside account.
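The difference between login-time and transaction-time authentication can be shown in a short sketch. This is an added example, not code from the article or from Symantec's report; the `Bank` class, the `tx_code` function and the HMAC-based confirmation code are hypothetical stand-ins for whatever transaction-signing scheme a bank actually deploys.

```python
import hashlib
import hmac
import json
import secrets


def tx_code(device_key: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """Code computed on the customer's separate device over the exact transfer."""
    msg = json.dumps([payee, amount_cents, nonce]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Hypothetical bank back end; every name here is illustrative."""

    def __init__(self):
        self.sessions = {}     # session token -> user
        self.device_keys = {}  # user -> key shared with the user's device
        self.pending = {}      # nonce -> (user, payee, amount_cents)

    def enroll(self, user: str) -> bytes:
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]

    def login(self, user: str) -> str:
        # Strong authentication at login is assumed to have succeeded here.
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def transfer_login_only(self, token: str, payee: str, amount_cents: int) -> bool:
        # Login-only model: whoever holds a live session token can move money.
        return token in self.sessions

    def begin_transfer(self, token: str, payee: str, amount_cents: int):
        user = self.sessions.get(token)
        if user is None:
            return None
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (user, payee, amount_cents)
        return nonce

    def confirm_transfer(self, token: str, nonce: str, code: str) -> bool:
        # pop(): one attempt per challenge, so the short code cannot be guessed
        # repeatedly and a used code cannot be replayed.
        entry = self.pending.pop(nonce, None)
        if entry is None or self.sessions.get(token) != entry[0]:
            return False
        user, payee, amount_cents = entry
        expected = tx_code(self.device_keys[user], payee, amount_cents, nonce)
        return hmac.compare_digest(expected, code)
```

A session token lifted from the browser is enough for `transfer_login_only`, but `confirm_transfer` also needs a code derived from a key that never touches the infected PC and that is bound to the payee and amount.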

Malware such as Qakbot poses a risk to individual consumers, but it can also do much more extensive damage if it infects a PC that stores a large amount of other people's personal information. For example, one recent outbreak of Qakbot was seen at a Massachusetts state government agency. According to a notice posted on the state's Labor and Workforce Development website, "a computer virus infected the network running work stations used by the staff of the Department of Unemployment Assistance (DUA), Department of Career Services (DCS) and some One-Stop Career Centers from April 19 to May 13, 2011. Immediate steps were taken to eliminate the virus on our network and individual PCs, and remediate data breach caused by the virus."

State officials identified the virus as Qakbot and said that because of the malware, the personal information of up to 250,000 state residents had been potentially exposed. That data included names, addresses, and Social Security numbers. According to a Kaspersky Lab blog post, "Qakbot-infected systems were observed uploading more than 200 megabytes of data each day to command and control server during a period that covered the Qakbot infection on the Department of Labor network."

Network administrators spotted Qakbot relatively early in its infection period, attempted to eradicate the malware, thought they had done so--but apparently hadn't been successful. Ultimately, it spread to 1,500 state PCs.
