500,000-strong botnet swarm harvests bank account credentials en-masse

Qbot: 500,000 reasons to patch/update your system

Russian cybercriminals have quietly built up a 500,000-strong PC botnet, according to a report just released.

Proofpoint's analysis of the Qbot botnet - which centres on infected Windows XP and Windows 7 machines - suggests that the cybercriminals have developed a sophisticated business model, compromising legitimate WordPress-based websites and using 'superadmin' accounts to launch drive-by download attacks on site visitors.

The botnet's main focus appears to be US-based systems, with the ultimate aim of harvesting online banking credentials: as many as 800,000 online banking sessions were sniffed.

Proofpoint claims that 59 percent of the 'sniffed' sessions involved accounts at five of the largest US banks.

Delving into the report reveals that 52 percent of the infected PCs run Windows XP, suggesting that the end of updates and security support for the ageing operating system in April this year may have contributed to machines being 'signed up' into the botnet.

The analysis notes that the cybercrime group used compromised PCs to offer a sophisticated (and paid) proxying service for other organised crime groups. The service turns infected PCs into infiltration points for attackers and carriers for an illicit 'private cloud.'

The report also includes details on operating systems most compromised by the attackers, as well as specific guidance to WordPress site owners on how to detect infections and harden their sites against similar attacks.

It started with the dark Web

One of the most interesting aspects of the botnet is that the Russian cybercriminals behind the scheme initially bought website credentials on the so-called dark Web, giving them instant access to an initial batch of sites from which they built the foundation of the botnet.

Because the hackers operated through superadmin accounts, the owners and users of the WordPress sites continued posting to their pages as normal, unaware that the cybercriminals were infecting the pages on the fly.

This allowed the hackers to stage drive-by downloads, infect site visitor PCs, and so harvest their banking credentials.
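The report's detection guidance for WordPress owners is not reproduced in the article, so the following is an added example rather than Proofpoint's own method: a heuristic scan of a WordPress tree for the kind of injected content a drive-by campaign leaves behind (hidden iframes, script tags pulling from hosts the site never used, eval() over base64 blobs in PHP). The allowed-host list, the signature patterns and the sample files are constructed assumptions, not indicators from the report.

```python
"""Heuristic scan of a WordPress install for injected drive-by code.

Added example, not from the Proofpoint report. The patterns are generic
web-injection signatures (assumption), not a signature of Qbot itself.
"""
import re
import tempfile
from pathlib import Path

# Hosts this site legitimately loads scripts from (assumption, site-specific).
ALLOWED_SCRIPT_HOSTS = {"example.com", "www.example.com"}

PATTERNS = {
    # iframe with zero size or display:none, the classic drive-by carrier
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0"
        r"|<iframe[^>]*display\s*:\s*none", re.I),
    # PHP eval over an obfuscated payload
    "eval_base64": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # long runs of \xNN escapes, typical of packed JavaScript droppers
    "long_hex_escape": re.compile(r"(?:\\x[0-9a-f]{2}){16,}", re.I),
}
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*[\"']([^\"']+)[\"']", re.I)


def external_script_hosts(text):
    """Return the set of hosts referenced by <script src=...> tags."""
    hosts = set()
    for src in SCRIPT_SRC.findall(text):
        m = re.match(r"(?:https?:)?//([^/:]+)", src)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def scan_file(path, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return a list of finding names for one file (empty if clean)."""
    text = Path(path).read_text(errors="replace")
    findings = [name for name, rx in PATTERNS.items() if rx.search(text)]
    unknown = external_script_hosts(text) - allowed
    if unknown:
        findings.append("script_from:" + ",".join(sorted(unknown)))
    return findings


def scan_tree(root, allowed=ALLOWED_SCRIPT_HOSTS):
    """Map relative path -> findings for every PHP/JS/HTML file under root."""
    root = Path(root)
    results = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in {".php", ".js", ".html"}:
            found = scan_file(p, allowed)
            if found:
                results[p.relative_to(root).as_posix()] = found
    return results


def build_sample_site():
    """Constructed sample tree: one clean theme file, two injected files."""
    root = Path(tempfile.mkdtemp(prefix="wp_"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text(
        "<html><head><script src='//www.example.com/site.js'></script></head>")
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        "<iframe src='http://198.51.100.7/x.php' width=0 height=0></iframe>")
    core = root / "wp-includes"
    core.mkdir()
    (core / "class-wp-hook.php").write_text(
        "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"
        "<script type='text/javascript' src='https://cdn.evil.invalid/a.js'></script>")
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(build_sample_site()).items()):
        print(f"{path}: {', '.join(findings)}")
```

Heuristics like these only catch what they were written to catch; for the core tree, comparing files against the pristine release (WP-CLI's `wp core verify-checksums`) is the more reliable check, and any administrator account the owner did not create should be treated as a compromise in itself.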

As well as pointing an accusing finger at website operators using weak and/or default passwords, the report criticises banks for their simplistic approach to security, noting that banks should offer, and encourage their customers to use, two-factor authentication for their online banking activities.

"While this will not protect the end-users' systems from infection by compromised sites, it will make it more difficult for cybercrime groups to make use of the credentials that they successfully sniff from users' online banking sessions," notes the report.

Keith Bird, UK managing director for Check Point, said that the fact that the gang built up a botnet of half a million infected devices isn't too surprising.

"Check Point's 2014 Security Report found bot infections in 73 percent of over 10,000 organisations worldwide, an increase from the 63 percent seen in 2012," he said, adding that 77 percent of bots were seen to be active for more than four weeks.

This, he explained, gives them plenty of time to harvest data.

"Any organisation that connects to the Internet exposes itself to the threat of cybercrime and needs multiple layers of protection, regular security updates, as well as security-aware employees, to defend against cyber-attacks," he explained.

Semi-automated methodology

Kevin O'Reilly, a senior consultant with Context Information Security, said that he finds it interesting that the Russian attackers have developed a semi-automated method of keeping ahead of the anti-virus (AV) vendors.

"By scripting a submission to scan4you.net, the bad guys can be alerted to the fact that AV products have been updated to detect their malware, and thus kick off a process to re-obfuscate it anew to avoid detection," he said.

"This inevitably places them and the AV vendors in a seemingly endless loop of each updating their respective products - but the rub is that it's the AV vendors on the losing side here. Since they are reactive, most of the time the bad-guys are able to operate with malware they don't detect," he added.

O'Reilly went on to say that, to him, this highlights what we - as a security industry - already really knew, namely that, in this day and age AV products are fatally flawed in their very concept.

"But here we have real evidence in the form of a system set up to ruthlessly exploit their weakness whilst exploiting their poor client base at large. That said, we wouldn't suggest anyone doesn't run AV but does understand the limitation," he explained.