Attack of the Qbot: 6 years, 800,000 online banking transactions sniffed

 

What’s been around for 6 whole years, has infected roughly 500,000 Windows-based PCs, and has intercepted information from over 800,000 online banking transactions, including account credentials? Zeus? Guess again. iBanking? Nope. Dyre? No, it’s not that one either – although it does have an equally unusual name. This time around, the culprit is called Qbot, and according to researchers it’s a highly successful botnet operation specifically targeting people who use older versions of Windows in the United States and Europe.

What is Qbot?

Qbot is a family of malware that spreads through compromised WordPress sites. Once these sites are compromised, they are reprogrammed to exploit visiting computers that contain application vulnerabilities. Once these vulnerabilities are exploited, the computer is instructed to download Qbot, a malicious program that connects the machine to a botnet and that can steal banking credentials.

Who’s at risk?

According to recent reports, Qbot has an eye for the outdated. Since 2008, 52% of observed infections occurred on Windows XP; 39% occurred on Windows 7; and 7% occurred on Windows Vista. In all that time, 59% of Qbot banking interceptions occurred when a user accessed a website of one of the 5 largest banks in the United States.

Every Q needs a U – Don’t become one

Qbot is currently alive and well, with 75% of its 500,000 infected bots residing in the United States.

With headlines reading that the security of nearly 83 million JPMorgan Chase accounts has been compromised by Russian hackers and that 56 million people who shopped at Home Depot between April and September 2014 will need to get a new credit card, 500,000 might not seem like a lot. But a stolen banking password is still a stolen banking password, and, in addition to credential theft, Qbot also allows attackers to rent out your computer to cybercriminals looking for a zombie horde to commit malicious deeds (think spam or taking down a competitor’s website by overloading it with traffic).

What can you do to stay protected?

Well, a quick look at the stats should make the steps to prevention pretty clear. Don’t run an outdated OS filled with applications that haven’t been updated in years… and if you do, don’t use it to bank online. If you’re unfamiliar with why doing so is generally unsafe, we’d recommend this article on application vulnerabilities. After that, you can also check out the Emsisoft Security Knowledgebase to learn How to perform online-banking securely.

Want an automated solution instead? Then check out the brand new Emsisoft Internet Security. It can block Qbot variants in 3 different ways and also includes online banking protection designed to harden browser software against vulnerabilities the malware attempts to exploit.

Have a great (Qbot-free) day!

For more on Qbot, see this recent featured article from SC Magazine.

  • Jim C

    Emsisoft Internet Security has banking mode? How does one activate it?

    • Steve

      Hi Jim,
      The banking protection included in Emsisoft Internet Security is actually always on and running, no user activation required. Calling it a “mode” was a bit incorrect on my part, so thanks for your help in clarifying this :)