W32.Qakbot in detail

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

W32.Qakbot in detail
Botnet Akbot
Malware Akbot_(bot)
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2001 /
Editor/Conference Symantec
Link http://www.symantec.com/content/en/us/enterprise/media/security response/whitepapers/w32 qakbot in detail.pdf symantec.com (pdf) (symantec.com (pdf) Archive copy)
Author Nicolas Falliere


W32.Qakbot is a worm that has been seen spreading through network

shares, removable drives, and infected webpages, and infecting computers since mid-2009. Its primary purpose is to steal online banking account information from compromised computers. The malware controllers may use the stolen information to access client accounts within various financial service websites with the intent of moving currency to accounts from which they can withdraw funds. It employs a classic keylogger, but is unique in that it also steals active session authentication tokens and could piggy back on the existing online banking sessions. This information could be used for malicious purposes. In-field telemetry shows that the malware authors have gotten more and more aggressive and successful in their ability to infect the common client. Even though we don’t have evidence to show the increase in monetary gain made by malware controllers, we do believe the in-field propagation is directly proportional to the loss incurred by banks and end clients. There are several information stealing Trojans found in cyberspace today. What makes Qakbot stand apart from most of the others is sophistication and continuous evolution. The purpose of this white paper is to provide an insight into the worm’s capabilities.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2001BFR915,
   editor = {Symantec},
   author = {Nicolas Falliere},
   title = {W32.Qakbot in detail},
   date = {05},
   month = Dec,
   year = {2001},
   howpublished = {\url{http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf symantec.com (pdf)}},