


by Robert Lemos

Qakbot takes off, profiting bot masters

May 20, 2011 | 2 mins
Application Security, Botnets, Cybercrime

The bot software's worm-like propagation makes it a corporate threat, says a security report.

The latest version of Qakbot has spread amongst corporate computers, leading security firm Symantec to issue a warning Friday that companies need to beware of the bot’s worm-like propagation.

Between early April and early May, Symantec researchers saw the number of Qakbot-infected computers jump to more than 200,000, much higher than average, according to a report released by the company this afternoon. Activity from the bot program surges every three to six months, but rarely exceeds 50,000 compromised systems, says Vikram Thakur, principal security response manager for Symantec’s threat intel group.


“This is definitely something to watch out for, considering it has been under development and it has been continuously evolving over the past few years,” Thakur says. “This threat is a major problem for corporations because of just the way it actually spreads within an environment.”

Recently, Qakbot appeared online signed with a valid digital key, a technique used most famously by the Stuxnet worm, to appear to be legitimate software. The bot is seeded within a company using compromised Web sites to push code to potential victims. Once inside a corporation, the bot program turns worm-like and spreads to open file shares and internal Web sites, which typically have far less security than external-facing services, says Thakur.

“These things are not locked down as much as we imagine inside corporations,” he says.


Once on a computer, Qakbot steals banking credentials and other files. The program allows the cybercriminal group controlling the botnet to inject transactions into online banking sessions, stealing money from the victim’s account.

Because of its success within corporations, the bot program could also be used to steal corporate data. For cybercriminals, however, bank account credentials continue to be a ready source of cash, so it’s likely that they will continue to focus their efforts there.

“The ultimate aim, like almost every other threat we see, is to make money,” Thakur says. “And these guys are using the most lucrative data they can get to make money.”