Friday, May 20, 2011

Symantec - W32.Qakbot in Detail


W32.Qakbot is a worm that has been seen spreading through network shares, removable drives, and infected webpages, and infecting computers since mid-2009. Its primary purpose is to steal online banking account information from compromised computers. The malware controllers use the stolen information to access client accounts within various financial service websites with the intent of moving currency to accounts from which they can withdraw funds. It employs a classic keylogger, but is unique in that it also steals active session authentication tokens and then piggy backs on the existing online banking sessions. It then quickly uses that information for malicious purposes.

In-field telemetry shows that the malware authors have gotten more and more aggressive and successful in their ability to infect the common client. Even though we don’t have evidence to show the increase in monetary gain made by malware controllers, we do believe the in-field propagation is directly proportional to the loss incurred by banks and end clients.

There are several information stealing Trojans found in cyberspace today. What makes Qakbot stand apart from most of the others is sophistication and continuous evolution. The purpose of this white paper is to provide an insight into the worm’s capabilities.


Qakbot has been gaining some press recently, especially with this recent outbreak in April at the Massachusetts Department of Unemployment Assistance and Department of Career Services.

For more information on Qakbot, check out this RSA paper from Oct 2010.
Businesses Beware: Qakbot is No Laughing Matter [PDF]
