Fast-spreading attack spreads like a worm, stings like a Trojan, RSA researchers say

Tim Wilson, Editor in Chief, Dark Reading, Contributor

October 26, 2010

4 Min Read

It isn't particularly new, and it's not as funny as it sounds. But the Qakbot Trojan recently has been causing plenty of ripples in the IT security pond, researchers say.

In a blog posted yesterday, researchers at RSA Security offered a closer look at Qakbot and how its unusual behavior is causing a flock of troubles on the Web.

Qakbot is different in that it almost exclusively targets U.S. financial institutions, the researchers say. It also is the first Trojan seen to be exclusively targeting business/corporate accounts at these financial institutions.

"The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts," RSA says. "While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict 'preference' by design, and with no exceptions."

How does Qakbot infect its prey? Researchers are not sure. RSA says it has not found HTML or JavaScript code injections, or man-in-the-browser attacks that are typically used to circumvent two-factor authentication mechanisms. "Still, we suspect that Qakbot does have some sort of module for completing real time attacks, since it would otherwise not target business accounts to begin with," the blog says.

Qakbot is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary banker Trojan, RSA says. Qakbot targets shared networks, copying its executable file into shared directories, a technique that enables it to propagate on corporate networks, the blog observes.

In addition, Qakbot is the first Trojan to separate targeted credentials from other stolen information, the researchers say. The targeted credentials are sent to the Qakbot's drop server, while credentials stolen from entities that are not specifically targeted by Qakbot are uploaded to hijacked FTP accounts, located on legitimate FTP servers.

"The sheer volume and detail of information stolen by Qakbot is astounding," the blog says. "Every time an infected user accesses an entity’s website, the Trojan organizes data transmitted from the victim’s machine into three separate files ... These files are organized per user and are complete with comprehensive system and user-account information. All this information is likely aggregated by Qakbot's authors to research future possible exploits."

The Qakbot Trojan's most famous victim to date is the National Health Service (NHS), the U.K.'s publicly funded healthcare system, the RSA researchers say. Qakbot infected more than 1,100 computers at NHS, and "while there was no evidence that patient data was compromised, 4 GB of credentials from Facebook, Twitter, Hotmail, Gmail, and Yahoo were seen being funneled through NHS monitored servers."

Qakbot features extensive lab-evasion procedures designed to ensure the Trojan does not run in a security company's research lab, according to RSA. "Unlike some other Trojans, which simply check whether they are being run on a virtual machine to determine whether to continue their self-installation, Qakbot's authors have taken pains to set up a series of seven tests in an attempt to ensure that their Trojan will not be reverse-engineered and scrutinized by security researchers."

If Qakbot recognizes that it is being run in a lab setting, then it reports the relevant IP address to the Trojan's drop zone, RSA says. "This kind of notification is likely performed to blacklist the IP address, so that the Trojan never again attempts to infect the same research lab," the blog says.

Qakbot also features a unique, self-developed compression format to compress credentials stolen by the Trojan -- the first such programming feat of its kind, RSA says. "The Qakbot authors' proprietary archive format forces professional security researchers to dedicate a considerable amount of time and effort to write an appropriate decompressor," the blog says.

Unlike some other Trojans, Qakbot's distribution is "quite limited, so it is likely privately owned and operated by a single cybercriminal or gang, as opposed to being commercially available in the underground," the RSA researchers say. "However, despite the Trojan's low prevalence in the wild, its unique functionalities all make Qakbot a highly targeted virtual burglar."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights