As that suggests, whoever is behind the worm has been continuing to make it more effective. "In-field telemetry shows that the malware authors have gotten more and more aggressive and successful in their ability to infect the common client," according to an analysis of the worm released last week by Symantec.
Qakbot targets online bank account holders and can record keystrokes; digital certificates; and website, email, and FTP passwords. The worm puts the FTP credentials to work immediately, looking for new websites into which to inject code, to then infect the PCs of whoever visits the site. But the worm can also spread via network shares and removable drives.
Otherwise, the worm waits for the PC user to log on to a targeted website--including sites operated by Bank of America, Citibank, JPMorgan Chase, SunTrust, Wachovia, and Wells Fargo. At that point, the worm "immediately sends the attackers session authentication tokens allowing the attackers to piggyback on the active session," according to the report from Symantec.
Interestingly, the worm can hide log-out links or reroute users when they attempt to log out, thus helping keep sessions active longer. "This extends the online banking session increasing the chances for the attackers to ride the existing session and illegally transfer funds," said Symantec. While two-factor authentication or other strong authentication at login won't stop the worm--it waits while a user enters these credentials--banks that use strong authentication at transaction time will block Qakbot, since attackers won't be able to transfer or wire money from the targeted account to an outside account.
Malware such as Qakbot poses a risk to individual consumers, but it can also do much more extensive damage if it infects a PC that stores a large amount of other people's personal information. For example, one recent outbreak of Qakbot was seen at a Massachusetts state government agency. According to a notice posted on the state's Labor and Workforce Development website, "a computer virus infected the network running work stations used by the staff of the Department of Unemployment Assistance (DUA), Department of Career Services (DCS) and some One-Stop Career Centers from April 19 to May 13, 2011. Immediate steps were taken to eliminate the virus on our network and individual PCs, and remediate data breach caused by the virus."
State officials identified the virus as Qakbot and said that because of the malware, the personal information of up to 250,000 state residents had been potentially exposed. That data included names, addresses, and Social Security numbers. According to a Kaspersky Lab blog post, "Qakbot-infected systems were observed uploading more than 200 megabytes of data each day to command and control server during a period that covered the Qakbot infection on the Department of Labor network."
Network administrators spotted Qakbot relatively early in its infection period, attempted to eradicate the malware, thought they had done so--but apparently hadn't been successful. Ultimately, it spread to 1,500 state PCs.
Join InformationWeek Government for a virtual event on cybersecurity best practices and government IT. It happens May 25. Download it here. (Free with registration.)