Symantec researchers have uncovered huge data theft associated with the Qakbot botnet, with up to 2Gb of stolen confidential information being uploaded to FTP servers every week.
W32.Qakbot is a worm that spreads through network shares. It downloads additional files, steals confidential information and opens a back door on the compromised computer. The worm contains rootkit functionality, which allows it to hide its presence.
“While analysing the Qakbot threat, we gained access to and closely monitored two of these FTP servers. Although Qakbot is a smaller botnet, over the course of two weeks we observed roughly four gigabytes of stolen information that was uploaded to these FTP servers,” the researchers say.
The stolen data includes:
* Online banking information;
* Credit card information;
* Social network credentials: Facebook, Twitter, Orkut, Bebo, Adult FriendFinder, and more;
* Internet mail credentials: Hotmail, Gmail, Yahoo!, and more; and
* Internet search histories.
“In a nutshell, every bit of information users of infected PCs type into their browsers is stolen. In addition, the Qakbot authors have not put much effort into securing the stolen information.
“This means that anyone with a sample of the threat can access the stolen data quite easily,” the researchers say.
Worryingly, Symantec’s investigations have shown that Qakbot, which has coverage on a global scale, is almost equally effective at stealing information from corporate environments as from home users.
“Corporates should be particularly wary of this threat because it also functions as a downloader, leaving compromised corporate environments open to a more serious attack if appropriate action is not taken right away.
“This is particularly troubling given the growing trend of targeted attacks against enterprises identified in the recently released Symantec Internet Security Threat Report.”