"Fresh wave of mutating Qakbot malware brings down enterprise networks The malware is able to lock out companies from accessing their networks as well as infecting neighboring systems..." http://www.zdnet.com/article/fresh-wave-of-qakbot-malware-brings-down-enterprise-networks/
Isn't there anything these places can do to prevent all these different intrusions? The sheer number of such events seems to be spiking at an ever-climbing record rate.
I was going to ask something similar. Here goes. Are these companies just stupid, lazy & cheap? Or is malware so very hard & expensive to stop?
Option 1: paper, pencils, erasers, ledger books, hard, yellow-lined spreadsheets, 500 bookkeepers, 250 accountants, 200 secretaries, 50 security guards, 25 security dogs, 300 copy machines, 200 printers, 50 coffee makers, 5,000 file cabinets, etc., etc. Option 2: background checks to purchase, own, or operate a computer, including mandatory, international-standard psychopath screenings. Technology has consequences.
According to Microsoft: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Qakbot.T So, exploit protection would be the first step. A good signature-detection AV product with botnet protection will help. Monitoring executable startups from %AppData% will help. Etc., etc.
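As an added illustration of the "%AppData% startup monitoring" idea in the post above (example code written for this thread, not from Microsoft or any AV vendor): it parses constructed process-creation records and flags images launched from a user's AppData tree unless they match an operator-vetted allowlist. The log layout, user names, file names and the allowlist entry are all assumptions made for the example; real EDR or Sysmon logs differ.

```python
"""Flag process launches whose image lives under a user's AppData directory.

Log format (constructed for this example, not any product's real layout):
    timestamp|user|parent_image|image|command_line
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records; the paths and names are invented for the example.
SAMPLE_LOG = r"""
2017-06-01T08:00:01Z|CORP\alice|C:\Windows\explorer.exe|C:\Program Files\Mozilla Firefox\firefox.exe|"C:\Program Files\Mozilla Firefox\firefox.exe"
2017-06-01T08:00:05Z|CORP\alice|C:\Windows\explorer.exe|C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe|Teams.exe
2017-06-01T08:01:10Z|CORP\alice|C:\Windows\System32\wscript.exe|C:\Users\alice\AppData\Roaming\randname\randname.exe|randname.exe /C
2017-06-01T08:01:12Z|CORP\bob|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2017-06-01T08:02:00Z|CORP\bob|C:\Windows\explorer.exe|C:\Users\bob\AppData\Local\Temp\update.exe|update.exe
"""

# Any image path under <profile>\AppData\ is a candidate, regardless of user.
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# Operator-vetted launchers that legitimately live under AppData. Assumption:
# this list is maintained per environment. Entries are the lower-cased path
# suffix from "\appdata\" onward, so one entry covers every user profile.
ALLOWLIST_SUFFIXES = (
    r"\appdata\local\microsoft\teams\current\teams.exe",
)


@dataclass
class ProcessStart:
    timestamp: str
    user: str
    parent_image: str
    image: str
    command_line: str


def parse_log(text: str) -> List[ProcessStart]:
    """Split the pipe-delimited records; command lines may themselves contain '|'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            raise ValueError(f"malformed record: {line!r}")
        records.append(ProcessStart(*fields))
    return records


def _suffix_after_user(image: str) -> str:
    """Return the image path from '\\AppData\\' onward, lower-cased ('' if absent)."""
    idx = image.lower().find("\\appdata\\")
    return image[idx:].lower() if idx >= 0 else ""


def is_suspicious_appdata_start(rec: ProcessStart) -> bool:
    """True when the image runs from a user's AppData tree and is not vetted."""
    if not APPDATA_RE.search(rec.image):
        return False
    return _suffix_after_user(rec.image) not in ALLOWLIST_SUFFIXES


def find_suspicious_starts(text: str) -> List[ProcessStart]:
    """Run the check over a whole log and return the records worth a closer look."""
    return [r for r in parse_log(text) if is_suspicious_appdata_start(r)]


if __name__ == "__main__":
    for rec in find_suspicious_starts(SAMPLE_LOG):
        print(f"{rec.timestamp} {rec.user}: {rec.parent_image} -> {rec.image}")
```

The allowlist is deliberately keyed on the path suffix rather than the bare file name, so a copy of a vetted name dropped into a different AppData folder is still reported; the parent image is kept in each record so an analyst can see, for instance, that a script host rather than the shell started the process.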
A little self-promotion, BUT: "Perspectives: Organizations with some of the best-in-class prevention system are demonstrating that they cannot reliably stop Qakbot. New malware strain is going undetected by signature-based systems While moving laterally the malware changes itself making it hard to detect and stop [server-side polymorphism which allows the malware to mutate rapidly, circumventing signature-based antivirus systems while on the move.] The web exploits utilized legitimate looking java scripts and are bypassing security prevention systems." https://attivonetworks.com/qakbotmalware/ "...'While it's unclear why so many systems have suddenly fallen victim to Qakbot, it's possible that updated exploit kits play a role,' Cylance says. 'After all, there is no shortage of new vulnerabilities and exploits for attackers to use to their advantage.'.." http://www.zdnet.com/article/fresh-wave-of-qakbot-malware-brings-down-enterprise-networks/ There are simply too many vulnerabilities to be found by brilliant, misguided geeks, backed by the resources of large, multinational criminal enterprises, to stop this stuff. Patch one hole and a new hole breaks open. The CEO of the company that develops a dynamic catch-all for ever-evolving and increasingly complex and sophisticated attacks, compounded by the problem of human fallibility at the endpoint, will amass a fortune large enough to rub shoulders with Bill Gates and Jeff Bezos.
Not really; variants of Qakbot can be detected using "generic" signatures. The AV product should have a browser JavaScript scanner. As far as self-promotion goes, note the source of the article: Cylance.
Yeah, I know, and the other stuff is from a company that claims to have a platform that blocks and remediates Qakbot. But itman, hawk's gut says that you appear to be making too light of this -- is it really that simple to stop, and if it is, why the resurgence? As Easter and zapjb, and now hawki, ask -- are all the new Qakbot victims simply incompetent?? I am not "in the business" but I would, perhaps foolishly, assume some basic level of competence on endpoint networked systems.
Yeah - OK. And...? LOL - [Don't overlook the fact you are replying to a dumb-looking bunny rabbit who is still trying to figure out who framed his cousin Roger.]
More like patch one hole and a series of others suddenly surface. Makes you wonder if the makers of this stuff just keep an inventory of unused vulnerabilities so that when something gets patched, they move that one to the back burner for further study and unwrap the next. Quite the assembly line of a well-coordinated system on their end. From the looks of things lately it seems to be getting easier for them rather than harder, and the AV industry, as usual, appears tied down in a cat-and-mouse routine, always trying to catch up.
Per Trend Micro: https://success.trendmicro.com/solution/1058159 , it recommends using SmartScreen (browser-based, of course) as a mitigation. Makes sense, since SS's reputation blacklist probably contains the IP addresses associated with the bot providers it is using. Alternatively, use a security solution which has botnet protection, such as Eset.
Banking Trojan Locks Users Out of Active Directory Domains https://www.bleepingcomputer.com/ne...-locks-users-out-of-active-directory-domains/
Another article on this recent AD Qbot version with some additional details here: http://www.securityweek.com/qbot-attacks-cause-active-directory-lockouts