Circulating since 2009, the W32.Qakbot malware infects users by exploiting flaws when malicious web pages are visited and spreads through network shares and removable drives. It downloads files, steals information, and opens a back door on the compromised computer, Symantec explained in a recent blog.
There was a major wave of Qakbot attacks in April, spiking to well over 200,000 per day on two occasions. Symantec said that the Qakbot attacks peaked after the author “seeded” newer variants to circumvent detection techniques used by security software.
Not coincidentally, the Massachusetts Executive Office of Labor and Workforce Development was attacked by the Qakbot worm during that period, with the possible compromise of personal information on 210,000 people. While the attack happened in mid-April, the office did not disclose the breach until mid-May.
According to Symantec's analysis, the Qakbot worm has the following characteristics: it spreads using network drives, infected web pages, and removable drives; it steals keystrokes, certificates, POP3 passwords, and FTP credentials; it uses the stolen FTP credentials to locate web pages and infect them by injecting code; it steals online banking session tokens; it sets up a local SOCKS server, which the malware controller uses to connect through the compromised computer and reuse the hijacked banking session token from the victim's own IP address; on some banking sites it hides the 'logoff' link from the user, so that active sessions are kept alive longer; it has a user-mode rootkit that hides its files, processes and network connections; and the data it targets are primarily those of customers of US-based banks and other financial institutions.
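The local SOCKS server is the behaviour a defender can check for directly: an unexpected listener on a workstation that answers a SOCKS handshake. The script below is an added example for this article, not code from Symantec, Idappcom or the malware itself. It assumes the proxy speaks SOCKS5 (RFC 1928: the client sends version 5 plus its offered authentication methods, the server replies with version 5 plus the method it selected); a SOCKS4 listener would not answer this greeting. The two listeners it starts are constructed stand-ins so the example runs offline; in practice the port list would come from `netstat -an` or `ss -ltn` on the host under investigation.

```python
"""Probe local listening TCP ports for an unexpected SOCKS5 proxy.

Added example, not the article's or Symantec's code. Assumes the proxy
speaks SOCKS5 (RFC 1928); a SOCKS4 listener would not answer this greeting.
"""
import socket
import threading

# RFC 1928 client greeting: VER=5, NMETHODS=1, METHODS=[0x00 no authentication]
SOCKS5_GREETING = b"\x05\x01\x00"


def probe_socks5(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if host:port answers the SOCKS5 method-selection handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SOCKS5_GREETING)
            reply = s.recv(2)
    except OSError:
        return False
    # A SOCKS5 server replies VER=5 plus the chosen method: 0x00 no-auth,
    # 0x02 username/password, or 0xFF "no acceptable method". An HTTP banner,
    # a TLS alert or silence means the port is not a SOCKS5 proxy.
    return len(reply) == 2 and reply[0] == 0x05 and reply[1] in (0x00, 0x02, 0xFF)


def find_socks5_listeners(ports, host: str = "127.0.0.1"):
    """Filter a list of listening ports (e.g. from netstat/ss) to SOCKS5 speakers."""
    return [p for p in ports if probe_socks5(host, p)]


# --- Constructed listeners so the example runs offline (not real services) ----
def _serve_once(handler):
    """Start a one-shot TCP listener on an ephemeral loopback port; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def _socks5_handler(conn):
    """Stand-in for the malware's proxy: selects 'no authentication required'."""
    conn.recv(64)
    conn.sendall(b"\x05\x00")


def _http_handler(conn):
    """A benign service: answers the SOCKS greeting with an HTTP error instead."""
    conn.recv(64)
    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    suspicious = _serve_once(_socks5_handler)
    benign = _serve_once(_http_handler)
    print("SOCKS5 listeners:", find_socks5_listeners([benign, suspicious]))
```

A hit on a workstation that has no business running a proxy is worth a closer look; because the rootkit component hides the malware's own network connections from local tools, the port list is more trustworthy when taken from a network scan of the host than from `netstat` run on the infected machine itself.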
Commenting on the Massachusetts data breach by the Qakbot worm, Ray Bryant, chief executive officer at Idappcom, said: "What's interesting – and quite sad from a security perspective – is that the state agency clearly had the technology to detect the presence of the worm on its systems.”
Bryant noted that Qakbot was at its height in terms of attacks last summer, when it stole 2 GB of confidential data a week. Despite these previous attacks, the state IT security people were unable to spot the worm, he said.
The Idappcom chief executive explained that this illustrates the need for multiple layers of protection in an era when cybercriminals are getting more clever at evolving existing malware, as well as developing new threats.