The Qakbot worm, which targets consumers’ financial website credentials, appears to be growing more sophisticated and virulent. The long-running worm appeared in 2009, but in the past month there’s been a spike in the overall number of infections seen at any given time, with daily levels reaching 20,000 or more infected machines.
As that suggests, whoever is behind the worm has been continuing to make it more effective. “In-field telemetry shows that the malware authors have gotten more and more aggressive and successful in their ability to infect the common client,” according to an analysis of the worm released last week by Symantec.
Qakbot targets online bank account holders and can record keystrokes; digital certificates; and website, email, and FTP passwords. The worm puts the FTP credentials to work immediately, looking for new websites into which to inject code, to then infect the PCs of whoever visits the site. But the worm can also spread via network shares and removable drives.
Beyond spreading, the worm waits for the PC user to log on to a targeted website–including sites operated by Bank of America, Citibank, JPMorgan Chase, SunTrust, Wachovia, and Wells Fargo. At that point, the worm “immediately sends the attackers session authentication tokens allowing the attackers to piggyback on the active session,” according to the report from Symantec.
Interestingly, the worm can hide log-out links or reroute users when they attempt to log out, thus helping keep sessions active longer. “This extends the online banking session increasing the chances for the attackers to ride the existing session and illegally transfer funds,” said Symantec. While two-factor authentication or other strong authentication at login won’t stop the worm–it waits while a user enters these credentials–banks that use strong authentication at transaction time will block Qakbot, since attackers won’t be able to transfer or wire money from the targeted account to an outside account.
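The distinction the Symantec report draws, that login-time strong authentication does not help once the session token is forwarded but transaction-time authentication does, is easiest to see in a small server model. The following is an added illustration and not code from the article or from Symantec; the bank server, the customer name, the device secret and the HMAC-based transaction code are all constructed assumptions. A stolen token lets the rider read the account either way; only when the transfer itself demands a code bound to the destination and amount, computed by a device the browser never sees, does the riding attacker's transfer fail.

```python
import hashlib
import hmac
import secrets

# Constructed sample customer and out-of-band device secret (hypothetical).
USERS = {"alice": {"password": "correct-horse", "balance": 1000}}
DEVICE_SECRET = {"alice": b"constructed-device-secret"}


def device_sign(user, dest, amount, nonce):
    """Code the customer's separate device computes for this exact transaction.
    The browser never holds DEVICE_SECRET, so a forwarded session token alone
    cannot produce a valid code for an attacker-chosen destination."""
    msg = f"{dest}|{amount}|{nonce}".encode()
    return hmac.new(DEVICE_SECRET[user], msg, hashlib.sha256).hexdigest()[:8]


class BankServer:
    def __init__(self, transaction_auth):
        self.transaction_auth = transaction_auth  # step-up at transfer time?
        self.accounts = {u: dict(v) for u, v in USERS.items()}
        self.sessions = {}                        # token -> session state

    def login(self, user, password, login_otp_ok=True):
        """Login-time 2FA is modelled as login_otp_ok; the worm simply waits
        for the victim to pass it, then forwards the resulting token."""
        acct = self.accounts.get(user)
        if acct is None or acct["password"] != password or not login_otp_ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "pending": None}
        return token

    def logout(self, token):
        # The worm hides this link from the victim, so the token stays live.
        self.sessions.pop(token, None)

    def balance(self, token):
        s = self.sessions.get(token)
        return None if s is None else self.accounts[s["user"]]["balance"]

    def request_transfer(self, token, dest, amount):
        """Without step-up the transfer runs on the session alone; with it the
        server issues a nonce and waits for a transaction-bound code."""
        s = self.sessions.get(token)
        if s is None:
            return ("error", "no session")
        if not self.transaction_auth:
            return self._execute(s["user"], dest, amount)
        nonce = secrets.token_hex(8)
        s["pending"] = (dest, amount, nonce)
        return ("challenge", nonce)

    def confirm_transfer(self, token, code):
        s = self.sessions.get(token)
        if s is None or s["pending"] is None:
            return ("error", "nothing pending")
        dest, amount, nonce = s["pending"]
        s["pending"] = None
        expected = device_sign(s["user"], dest, amount, nonce)
        if not hmac.compare_digest(expected, code):
            return ("error", "bad transaction code")
        return self._execute(s["user"], dest, amount)

    def _execute(self, user, dest, amount):
        acct = self.accounts[user]
        if acct["balance"] < amount:
            return ("error", "insufficient funds")
        acct["balance"] -= amount
        return ("done", dest, amount)


def simulate_session_riding(transaction_auth):
    """Victim logs in (passing login 2FA); the token is forwarded; the rider
    reads the balance and tries a transfer. Returns what the rider saw, the
    transfer outcome, and the victim's remaining balance."""
    bank = BankServer(transaction_auth)
    token = bank.login("alice", "correct-horse")
    stolen = token                                   # forwarded by the malware
    seen = bank.balance(stolen)                      # riding works either way
    result = bank.request_transfer(stolen, "mule-account", 500)
    if result[0] == "challenge":
        result = bank.confirm_transfer(stolen, "00000000")  # no device, guess
    return seen, result[0], bank.balance(token)


if __name__ == "__main__":
    print("login-only 2FA:      ", simulate_session_riding(False))
    print("transaction-time 2FA:", simulate_session_riding(True))
```

The legitimate customer still completes a transfer under the stricter mode by feeding the server's nonce to the device and returning the code; the point is that the code commits to the destination and amount, so a rider holding only the cookie cannot redirect funds.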