An analysis of the Qakbot worm finds the malware is more prevalent than ever and outfitted with an arsenal of data theft tools. That’s bad news for unemployed workers in Massachusetts, where the Department of Labor network is still recovering from a rampant Qakbot infection.
Less than a week after the Massachusetts Department of Labor and Workforce Development disclosed a widespread Qakbot infection on its network, Symantec issued a detailed analysis of the worm, which infects systems running Microsoft Windows. After two years in the wild, Qakbot is resurgent once again, with the number of infected systems more than quadrupling in May to more than 20,000. More worrisome for state officials in Massachusetts and State residents: Qakbot infected systems were observed uploading more than 200 megabytes of data each day to command and control server during a period that covered the Qakbot infection on the Department of Labor network.
The Symantec analysis (PDF) covers Qakbot infections globally, not just those specific to the Massachusetts Department of Labor, but it suggests that the infection on the State’s network almost certainly purloined sensitive data.
State officials acknowledged on Sunday that an infection had taken place, lasting between April 19 and May 12, 2011, and that as many as 250,000 residents whose data was stored on the Department of Labor’s network could be victims, with confidential claimant or employer information stolen, including names, Social Security Numbers, email addresses and residential or business addresses.
Residents who filed new unemployment insurance claims, as well as employers who filed paperwork were among those affected by the breach, Massachusetts said, warning possible victims to be on the lookout for identity theft.
In a blog post, Symantec said that its researchers have seen a large spike in Qakbot infections in the second quarter of 2011, after the worm’s author seeded a new and highly infectious variant of the worm on the Internet. “Its hard to believe if he or she could have foreseen its ability to spread,” the company noted on its Connect blog.
Among the methods the worm uses to propagate are Web-based drive by downloads from Web pages, between network drives and over removable drives. Symantec also observed Qakbot files being digitally signed using a valid digital key. The main purpose of the worm is stealing online banking login information. Symantec said that Web page cookies that might contain sensitive data are a common target, as well as digital certificates, keystrokes, credentials for FTP (file transfer protocol) and POP3 (e-mail) servers, as well as user names and passwords used to access Web pages. The worm goes so far as to hide the log off button for popular online banking sessions to extend the length of those sessions, Symantec said.
