Fresh wave of mutating Qakbot malware brings down enterprise networks

Discussion in 'malware problems & news' started by hawki, May 23, 2017.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,061
    Location:
    DC Metro Area
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Isn't there anything these places can do to prevent all these different intrusions to interrupt?

    The sheer number of such events seems to be spiking at an ever-climbing record rate!
     
  3. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,553
    Location:
    USA still the best. But barely.
    I was going to ask something similar. Here goes.

    Are these companies just stupid, lazy & cheap? Or is malware so very hard & expensive to stop?
     
  4. hawki
    Option 1:

    paper, pencils, erasers, ledger books, hard, yellow-lined spreadsheets, 500 bookkeepers, 250 accountants, 200 secretaries, 50 security guards, 25 security dogs, 300 copy machines, 200 printers, 50 coffee makers, 5,000 file cabinets, etc, etc.

    Option 2:

    Background Checks to purchase, own, or operate a computer, including Mandatory, International Standard Psychopath Screenings.

    Technology has consequences.
     
    Last edited: May 23, 2017
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    According to Microsoft:
    https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Qakbot.T

    So, exploit protection would be the first step. A good signature-detection AV product with botnet protection will help. Monitoring executable startups from %AppData% will help. Etc., etc.
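One way to act on the %AppData% autostart check itman mentions, as an added example that is not from the thread or from any vendor cited in it: it takes a constructed table of Run-key style command lines (invented paths for a made-up user "alice", not indicators from any article linked here), works out which file actually executes, including behind rundll32/regsvr32, and lists those under user-writable profile directories for review. Reading the real HKCU/HKLM Run keys via winreg is left out so the example runs offline.

```python
import ntpath
import re
import shlex

# Constructed sample of autorun entries (Run key / Startup folder): name -> command line.
# Paths and names are invented for the made-up user "alice"; they are not indicators.
SAMPLE_AUTORUNS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r'"%ProgramFiles%\Windows Defender\MSASCuiL.exe"',
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "updater": r'"%APPDATA%\Microsoft\updsvc.exe" /s',
    "wsrv": r"rundll32.exe C:\Users\alice\AppData\Roaming\wsrv.dll,DllRegisterServer",
    "tmpdrop": r"regsvr32 /s %TEMP%\drop.dll",
}

# Assumed environment of the constructed user (what ExpandEnvironmentStrings would give).
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
}
# User-writable roots: an autostart from here is a triage hit, not a verdict (OneDrive shows why).
USER_WRITABLE = (ENV["APPDATA"], ENV["LOCALAPPDATA"])
# Proxy loaders whose first non-switch argument is the file that really runs.
LOADERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}

def expand(cmdline):
    """Expand %VAR% references from the assumed ENV table (case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), cmdline)

def payload_path(cmdline):
    """Return the normalized on-disk file that executes for a Run-key command line."""
    tokens = [t.strip('"') for t in shlex.split(expand(cmdline), posix=False)]
    if not tokens:
        return None
    exe = tokens[0]
    if ntpath.basename(exe).lower() in LOADERS:
        args = [t for t in tokens[1:] if not t.startswith("/")]
        if not args:
            return None
        exe = args[0].split(",", 1)[0]  # rundll32 syntax is "path,EntryPoint"
    return ntpath.normpath(exe)

def under_user_writable(path):
    p = path.lower()
    return any(p.startswith(root.lower() + "\\") for root in USER_WRITABLE)

def flag_autoruns(entries):
    """Return [(name, payload)] for entries whose payload lives under AppData."""
    return [(n, p) for n, c in entries.items()
            if (p := payload_path(c)) and under_user_writable(p)]
```

Feeding the same logic the output of a real Run-key enumeration turns it into the startup monitor itman describes; the OneDrive hit illustrates why the result is a review list rather than an alert.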
     
  6. hawki
    A little self-promotion, BUT:

    "Perspectives:

    Organizations with some of the best-in-class prevention system are demonstrating that they cannot reliably stop Qakbot.

    New malware strain is going undetected by signature-based systems

    While moving laterally the malware changes itself making it hard to detect and stop [server-side polymorphism which allows the malware to mutate rapidly, circumventing signature-based antivirus systems while on the move.]

    The web exploits utilized legitimate looking java scripts and are bypassing security prevention systems."

    https://attivonetworks.com/qakbotmalware/

    "...'While it's unclear why so many systems have suddenly fallen victim to Qakbot, it's possible that updated exploit kits play a role,' Cylance says. 'After all, there is no shortage of new vulnerabilities and exploits for attackers to use to their advantage.'.."

    http://www.zdnet.com/article/fresh-wave-of-qakbot-malware-brings-down-enterprise-networks/

    There are simply too many vulnerabilities to be found by brilliant, misguided geeks, backed by the resources of large, multinational criminal enterprises, to stop this stuff. Patch one hole and a new hole breaks open.

    The CEO of the company who develops a dynamic catch-all for ever-evolving and increasingly complex and sophisticated attacks, compounded by the problem of human fallibility at the endpoint, will amass a fortune large enough to rub shoulders with Bill Gates and Jeff Bezos.
     
    Last edited: May 24, 2017
  7. itman
    Not really, variants of Qakbot can be detected using "generic" signatures.

    The AV product should have a browser javascript scanner.

    As far as self-promotion goes, note the source of the article - Cylance.
     
  8. hawki
    Yeah, I know and the other stuff is from a company that claims to have a platform that blocks, remediates Qakbot :)

    But itman, hawk's gut says that you appear to be making too light of this -- is it really that simple to stop, and if it is, why the resurgence?

    As Easter and zapjb, and now hawki ask -- are all the new Qakbot victims simply incompetent??

    I am not "in the business" but I would, perhaps foolishly, assume some basic level of competence on endpoint networked systems.
     
    Last edited: May 23, 2017
  9. itman
    Notice the reference to "infected networks." Malware is most likely targeting gateway servers.
     
  10. hawki
    Yeah - Ok. And...? LOL - [Don't overlook the fact you are replying to a dumb-looking bunny rabbit who still is trying to figure out who framed his cousin Roger :) ]
     
  11. itman
  12. EASTER
    More like patch one hole and a series of others suddenly surface. Makes you wonder if makers of this stuff just keep an inventory of unused vulnerabilities so that when something gets patched, they move that one to the back burner for further study and unwrap the next.

    Quite the assembly line of a well-coordinated system on their end. From the looks of things lately it seems to be getting easier for them than harder, and the AV industry as usual appears tied down in a cat-and-mouse routine, always trying to catch up.
     
  13. itman
    Per Trend Micro: https://success.trendmicro.com/solution/1058159, it recommends using SmartScreen (browser based, of course) as a mitigation. Makes sense, since SS's rep blacklist probably contains the IP addresses associated with the bot providers it is using. Alternatively, use a security solution which has botnet protection, such as Eset.
     
  14. itman
    http://www.securityweek.com/qbot-infects-thousands-new-campaign
     
  15. itman
    Banking Trojan Locks Users Out of Active Directory Domains
    https://www.bleepingcomputer.com/ne...-locks-users-out-of-active-directory-domains/
     
  16. itman