The Russian gang behind the obscure Qbot botnet have quietly built an impressive empire of 500,000 infected PCs by exploiting unpatched flaws in mainly US-based Windows XP and Windows 7 computers, researchers at security firm Proofpoint have discovered.
A year or two ago, what the Qbot (aka Qakbot) campaign has achieved in the roughly half dozen years the actors behind it have been operating would have been seen as a major concern. Recently, standards have gone up a notch.
These days Russian hackers are grabbing headlines for altogether more serious incursions such as the recently revealed attack on US bank JPMorgan Chase, and botnets sound like yesterday’s problem.
However, Proofpoint’s research does point to an intriguingly sophisticated business model. The group behind the botnet have built it in a methodical way over time, fuelling the campaign at levels low enough to avoid attracting the attention of security firms.
The MO is to target, compromise and harvest legitimate Wordpress sites using bought-in credentials, even exploiting newsletters from these sites to spread drive-by malware links. From this, users with vulnerable browsers or software (Java, Reader, Flash) of the sort that can be hit by exploit kits to infect machines using droppers in chosen geographical locations.
What the attackers are after is online banking logins, which form half the business, and PCs that can be sold on to other criminals as compromised machines inside interesting organisations. These can also then be used a proxies for third-party attacks.
They seem keen to protect this nice little business, going to some lengths to regenerate different pieces of the attack chain every time anti-virus engines have started to detect it.
Perhaps the real story is the incredible ease with which Qbot has found victims, 75 percent of which are based in the US. Significantly, 52 percent of these are running Windows XP, 39 percent Windows 7 with 7 percent Windows Vista.
The UK’s Qbot population of infected PCs is smaller but a still not insignificant 15,000, the firm’s figures show.
“With 500,000 infected clients stealing online banking account credentials for as many as 800,000 online banking accounts, this cybercrime group has the potential for tremendous profits,” said the researchers in their teardown.
Proofpoint advises on remediation in general terms but frankly this seems a bit of a desperate plea. Anyone who uses XP and still can’t patch the old software on their system is probably beyond reach. More useful is the detailed advice to Wordpress site owners to detect and clean their assets of infection.