Qakbot Malware Infections Spike

Published: 22/11/2024   Category: security




Worm that targets financial information infected 1,500 Massachusetts state PCs, potentially exposing 250,000 residents' personal details.



The Qakbot worm, which targets consumers' financial website credentials, appears to be growing more sophisticated and virulent. The long-running worm appeared in 2009, but in the past month there's been a spike in the overall number of infections seen at any given time, with daily levels reaching 20,000 or more infected machines.
As that suggests, whoever is behind the worm has been continuing to make it more effective. "In-field telemetry shows that the malware authors have gotten more and more aggressive and successful in their ability to infect the common client," according to an analysis of the worm released last week by Symantec.
Qakbot targets online bank account holders and can record keystrokes; digital certificates; and website, email, and FTP passwords. The worm puts the FTP credentials to work immediately, looking for new websites into which to inject code, to then infect the PCs of whoever visits the site. But the worm can also spread via network shares and removable drives.
Otherwise, the worm waits for the PC user to log on to a targeted website--including sites operated by Bank of America, Citibank, JPMorgan Chase, SunTrust, Wachovia, and Wells Fargo. At that point, the worm immediately sends the attackers session authentication tokens allowing the attackers to piggyback on the active session, according to the report from Symantec.
Interestingly, the worm can hide log-out links or reroute users when they attempt to log out, thus helping keep sessions active longer. "This extends the online banking session increasing the chances for the attackers to ride the existing session and illegally transfer funds," said Symantec. While two-factor authentication or other strong authentication at login won't stop the worm--it waits while a user enters these credentials--banks that use strong authentication at transaction time will block Qakbot, since attackers won't be able to transfer or wire money from the targeted account to an outside account.
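The difference between login-time and transaction-time authentication can be shown with a small server-side sketch. This is an added example, not code from the article, Symantec, or any bank; the session token, payee names, device key, and function names are all hypothetical, and the out-of-band device is assumed to display the payee and amount to the user before producing a code.

```python
import hashlib
import hmac
import secrets

# Constructed sample state (all names hypothetical): one logged-in session and
# the key held by the user's out-of-band device, which malware on the PC cannot read.
SESSIONS = {"sess-abc123": "alice"}
DEVICE_KEYS = {"alice": b"constructed-device-key"}
PENDING = {}  # session token -> (nonce, payee, amount_cents)

def confirmation_code(key, nonce, payee, amount_cents):
    """Code the device displays once the user has checked payee and amount on it."""
    msg = f"{nonce}|{payee}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

def request_transfer(token, payee, amount_cents):
    """Step 1: a valid session may only propose a transfer; returns a fresh nonce."""
    if token not in SESSIONS:
        raise PermissionError("unknown session")
    nonce = secrets.token_hex(8)
    PENDING[token] = (nonce, payee, amount_cents)
    return nonce

def confirm_transfer(token, code):
    """Step 2: execute only if the code matches the pending payee and amount."""
    user = SESSIONS.get(token)
    pending = PENDING.pop(token, None)  # each challenge can be tried once
    if user is None or pending is None:
        return False
    expected = confirmation_code(DEVICE_KEYS[user], *pending)
    return hmac.compare_digest(expected, code)

def demo():
    token, key = "sess-abc123", DEVICE_KEYS["alice"]
    # Account holder: confirms the transfer with the code from their device.
    nonce = request_transfer(token, "ACME-UTILITIES", 12_000)
    code = confirmation_code(key, nonce, "ACME-UTILITIES", 12_000)
    legit = confirm_transfer(token, code)
    # Session rider: holds the same token but has no device key.
    request_transfer(token, "UNKNOWN-PAYEE", 950_000)
    ridden = confirm_transfer(token, "00000000")
    # Reusing the earlier code fails too: it is bound to another nonce, payee, amount.
    request_transfer(token, "UNKNOWN-PAYEE", 950_000)
    replayed = confirm_transfer(token, code)
    return legit, ridden, replayed

if __name__ == "__main__":
    print(demo())
```

Because the code is computed over the payee and amount, a valid session token is enough to propose a transfer but not to complete one.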
Malware such as Qakbot poses a risk to individual consumers, but it can also do much more extensive damage if it infects a PC that stores a large amount of other people's personal information. For example, one recent outbreak of Qakbot was seen at a Massachusetts state government agency. According to a notice posted on the state's Labor and Workforce Development website, a computer virus infected the network running work stations used by the staff of the Department of Unemployment Assistance (DUA), Department of Career Services (DCS) and some One-Stop Career Centers from April 19 to May 13, 2011. Immediate steps were taken to eliminate the virus on our network and individual PCs, and remediate data breach caused by the virus.
State officials identified the virus as Qakbot and said that because of the malware, the personal information of up to 250,000 state residents had been potentially exposed. That data included names, addresses, and Social Security numbers. According to a Kaspersky Lab blog post, Qakbot-infected systems were observed uploading more than 200 megabytes of data each day to a command and control server during a period that covered the Qakbot infection on the Department of Labor network.
Network administrators spotted Qakbot relatively early in its infection period, attempted to eradicate the malware, thought they had done so--but apparently hadn't been successful. Ultimately, it spread to 1,500 state PCs.