By Dr. Samir Kelekar, Senior Consultant, Indusface

Massive Qbot Botnet strikes

A new botnet has been detected. The US-based security research firm Proofpoint has published a detailed analysis of a botnet that has infected around 500 thousand computers and sniffed credentials for around 800 thousand bank transactions. 75% of the infections have happened in the US.

A full analysis reveals the attackers' modus operandi. The WordPress sites were infected first, either through vulnerabilities in the sites themselves or by using stolen WordPress admin credentials bought on the underground hacking market. Visitors to these sites were then infected with malware downloaded through browser, Flash, or PDF vulnerabilities. In some cases, legitimate newsletters sent by the WordPress websites were used: the emails sent to subscribers carried the infection inside the newsletter itself.

Care has been taken so that anti-virus software on the victim computers doesn't detect this malware. A traffic distribution system (TDS) has been used to single out only those visitor computers which might be vulnerable, using attributes of the HTTP client data such as browser version, operating system, etc. when the browser accesses the WordPress site. This helps the hackers avoid the browsers/computers of security researchers and bots. Once a visitor computer was infected by installing a basic malware dropper, more and varied kinds of malware were deployed on it. These computers were then used to steal banking credentials via a sniffer when they accessed a banking site. Other monetization techniques were also in use, such as turning these computers into encrypted tunnels and offering such tunnels to others in the underground hacking market for further hacking activities.
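The TDS behaviour described above, serving a redirect to some visitors (for instance Internet Explorer on Windows XP) and ordinary content to everyone else, leaves a visible trace in a web server's access log: the same URL answers with different status codes depending on the client profile. The script below is an added example, not code from the original post or from Proofpoint's analysis. It parses constructed access log lines in the standard "combined" format, sorts each request into a coarse client profile derived from the User-Agent header (the profile categories are an assumption of this example, not a full User-Agent parser), and reports paths whose response status varies by profile. The heuristic assumes the injected redirect is issued server-side; an injection that only adds an iframe to otherwise identical HTML would not change the status code and would need a content comparison instead.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the sample lines below are constructed to match it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: the blog post answers 302 to an IE/Windows XP client
# and 200 to everyone else; the about page answers 200 to all clients.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2014:10:00:01 +0000] "GET /blog/post-1/ HTTP/1.1" 302 0 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '203.0.113.11 - - [10/Oct/2014:10:00:05 +0000] "GET /blog/post-1/ HTTP/1.1" 200 8123 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.12 - - [10/Oct/2014:10:00:09 +0000] "GET /blog/post-1/ HTTP/1.1" 200 8123 "-" '
    '"curl/7.38.0"',
    '203.0.113.13 - - [10/Oct/2014:10:00:12 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '203.0.113.14 - - [10/Oct/2014:10:00:15 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" '
    '"curl/7.38.0"',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def client_profile(ua):
    """Coarse (os, client) fingerprint. These categories are an assumption of this
    example; a TDS uses similar attributes to decide whom to redirect."""
    if "Windows NT 5.1" in ua:
        os_name = "winxp"
    elif "Windows" in ua:
        os_name = "windows"
    else:
        os_name = "other"
    lowered = ua.lower()
    if "msie" in lowered or "trident" in lowered:
        client = "ie"
    elif "curl" in lowered or "python-requests" in lowered or "bot" in lowered:
        client = "tool"
    else:
        client = "browser"
    return (os_name, client)


def find_differential_responses(lines):
    """Group requests by path and report paths whose status code depends on the
    client profile. Returns {path: {profile: [statuses]}} for the flagged paths."""
    by_path = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        by_path[rec["path"]][client_profile(rec["ua"])].add(rec["status"])

    findings = {}
    for path, profiles in by_path.items():
        all_statuses = {s for statuses in profiles.values() for s in statuses}
        # Only a path seen from more than one profile with more than one status is suspicious.
        if len(profiles) > 1 and len(all_statuses) > 1:
            findings[path] = {p: sorted(s) for p, s in profiles.items()}
    return findings


if __name__ == "__main__":
    for path, profiles in find_differential_responses(SAMPLE_LOG).items():
        print(f"{path}: response varies by client profile")
        for profile, statuses in profiles.items():
            print(f"  {profile}: {statuses}")
```

Run against a real log, the report is a starting point for investigation rather than proof of compromise: legitimate sites also vary responses by client (mobile redirects, bot blocking), so each flagged path should be fetched with the suspicious client profile and the response compared with the site's known-good content.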

The scale of the operation is huge. Many US banks' users' credentials have been sniffed/stolen. 2 million unique IPs have been found to be used by this botnet, with a total of 500 thousand computers affected. About 52% of the infected computers were running Windows XP, and a large number of infections have been via Internet Explorer.

The botnet and the details of the operation should raise alarms and should make us realize the importance of securing our websites/computers. While India doesn't seem to be a target of this botnet, the above kind of botnet can be replicated in India.

To begin with, not many who host WordPress websites ensure that all vulnerabilities are patched and that updates are done regularly. WordPress-hosted sites thus become one of the soft targets for website attacks/infection by hackers. A WAF can help here; a scanner that targets WordPress-based sites can also help.

As to ensuring that your computer does not get infected, there is an urgent need to move away from Windows XP (if not done already), for which Microsoft has discontinued support. Software such as PDF readers and Flash needs to be updated constantly, and browsers have to be updated as well.

For banks, two-factor authentication is a must. This way, even if banking credentials are stolen, damage cannot be done. For other e-commerce sites too, two-factor authentication is the only solution.