Slashdot Mirror


BAE Systems Warns About Shape-Shifting Strain of Qbot Malware (computerweekly.com)

Warwick Ashford, reporting for ComputerWeekly: Qbot malware will become a potent threat, facilitated by exploit kits for initial infection and automated to gain maximum victim count, warns BAE Systems. The incident response team at BAE Systems is warning of a strain of the virulent Qbot malware that has hit thousands of public sector computers around the world. The malware -- also known as the Qakbot botnet -- first appeared in 2009 and was uploading 2GB of stolen confidential information to its FTP servers each week by April 2010 from private and public sector computers, including 1,100 on the NHS network in the UK. A modified version of the malware has resurfaced that is believed to have infected more than 54,000 PCs in thousands of organisations around the world and added them to its botnet of compromised machines, with 85% of infections in the US.

20 comments

  1. bae is looking after you by Anonymous Coward · · Score: 0

    Who can you trust if not your BAE?

  2. Windows only by Anonymous Coward · · Score: 0

    Of course

  3. Shape-shifting my ass by Anonymous Coward · · Score: 3, Informative

    That's not shape-shifting malware. That's someone releasing a new version of the same malware. Real shape-shifting malware exists, but the term for it is polymorphism. It's been around for decades.

  4. Shape-shifting? by U2xhc2hkb3QgU3Vja3M · · Score: 3, Funny

    They should have named it Odo.

    1. Re: Shape-shifting? by Anonymous Coward · · Score: 1

      No, it's not Odo. It's a botnet, which sounds like the Great Link to me. It may be a Founder, but it's not Odo.

    2. Re: Shape-shifting? by Anonymous Coward · · Score: 0

      There's only one "Great Link" and he lives in Hyrule.

    3. Re: Shape-shifting? by Anonymous Coward · · Score: 0

      Grow a goatee and THEN come say that!

      Sisko FTW!

  5. Most of these malware articles are terrible. by Kludge · · Score: 5, Insightful

    Most of these malware articles are terrible. The articles don't mention the operating system, they don't mention the method or vulnerability being used to propagate. They are mostly useless for an administrator who would want to stop such malware.

    1. Re:Most of these malware articles are terrible. by Fnord666 · · Score: 2

      Most of these malware articles are terrible. The articles don't mention the operating system, they don't mention the method or vulnerability being used to propagate. They are mostly useless for an administration who would want to stop such malware.

      If you are going to computerweekly for the information needed to help defend the systems that you administer, you're doing it wrong.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

    2. Re:Most of these malware articles are terrible. by Anonymous Coward · · Score: 0

      I think the point is that either the submitter or the editor is "doing it wrong" as they are giving useless links. I understand that we can search out better links on our own, but why should hundreds of us have to do that versus one submitter or editor doing it and giving us a useful link to start with?

    3. Re:Most of these malware articles are terrible. by fhage · · Score: 1

      It was a polymorphic Ad in the form of an article. An absolute goldmine for buzzword bingo, containing nothing of technical value.

      When I hit the JavaScript wall in front of a PDF download for the "whitepaper", I assumed the malware was confined to BAE supported systems and closed the page.

    4. Re:Most of these malware articles are terrible. by Anonymous Coward · · Score: 0

      BAE Systems caught me slippin

  6. Shape shifting strain of Qbot malware? by khz6955 · · Score: 1

    Do you mean yet more malware that only runs on fully patched Microsoft Windows, including the latest version?

  7. something you don't want to hear: by Anonymous Coward · · Score: 1

    BAE : I've contracted a bout of malware. You might want to get yourself tested.

  8. Q*bert shapeshifting? by thoughtaboutit · · Score: 1

    My only comment is.... @!#?@!

  9. This is not "the holy terror" - easy to stop by Anonymous Coward · · Score: -1

    Cut indiscriminate javascript use everywhere & block its C&C using hosts files - DGA or not? It has to get its config from a CENTRAL server (RIG)... sites to block are as follows:

    0.0.0.0 sc.ghandiprobably.com
    0.0.0.0 ghandiprobably.com
    0.0.0.0 sf.cio-inspired.com
    0.0.0.0 cio-inspired.com
    0.0.0.0 godaddy.com
    0.0.0.0 mt.dynamicwords.us
    0.0.0.0 dynamicwords.us
    0.0.0.0 st.naughytimebooks.com
    0.0.0.0 naughytimebooks.com
    0.0.0.0 js.anthonybryanauthor.com
    0.0.0.0 anthonybryanauthor.com
    0.0.0.0 forumity.com
    0.0.0.0 www.ip-adress.com
    0.0.0.0 stat.nickspizzade.com
    0.0.0.0 rss.dimadimapress.com
    0.0.0.0 ip-adress.com
    0.0.0.0 nickspizzade.com
    0.0.0.0 dimadimapress.com
    0.0.0.0 jekawtzb.net
    0.0.0.0 lbcoqzad.net
    0.0.0.0 kqzjcgrrflbvybuaejdexttlt.biz
    0.0.0.0 awtptzoblgkkdmfb.biz
    0.0.0.0 nbszdxmz.org
    0.0.0.0 gandhiprobably.com
    0.0.0.0 gilkeyphotography.com
    0.0.0.0 raymondelectronics.com
    0.0.0.0 iaahouston1.com
    0.0.0.0 simnewsdaily.com
    0.0.0.0 eaaforums.org

    1st is that "Rig Gate URL" & only the trailing stuff AFTER that site is what changes. Thus, even IF you had this thing inside your system already? It would begin to 'shit its pants' & die being unable to dynamically generate more.

    Blocking the entire domain due to that is a good idea, so thus, it's listed blocked up there in that list.

    Some of the "DGA" domains are up there, but not all. Those are still coming. Not that it matters. The main thing is to CUT the javascript CRAP off when & where possible since this thing needs it to operate.

    APK

    P.S.=> The reason I don't have a MORE complete list is that they did a VERY STUPID THING in the PDF from BAE, & put it into an IMAGE rather than straight text, so I am STILL TYPING those in by hand here (you'll have to see the article yourself) per the source research article PDF from BAE systems (Hi, Lee)... apk
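    The post above relies on two ideas: a hosts-file blocklist stops the gate and C&C domains, and the DGA domains look nothing like real names. The script below is an added example (not from the original thread, and not BAE's or the commenter's code) that checks constructed DNS query log lines against a hosts-style blocklist. It also shows the caveat a defender needs here: a hosts file matches names exactly, so an entry for ghandiprobably.com does nothing for cdn.ghandiprobably.com, which is why the list above carries both the bare domain and each subdomain. The log format, the client addresses, the domain xkqvbzrtplmwdgfh.net and the entropy/vowel thresholds in the DGA heuristic are all assumptions made for the example; the other domains are copied from the list in the post.

```python
import math
from collections import Counter

# Constructed hosts-file fragment: a few entries copied from the post above.
HOSTS_BLOCKLIST = """\
0.0.0.0 sc.ghandiprobably.com
0.0.0.0 ghandiprobably.com
0.0.0.0 kqzjcgrrflbvybuaejdexttlt.biz
0.0.0.0 awtptzoblgkkdmfb.biz
# comments and blank lines are ignored by the parser
"""

# Constructed DNS query log, hypothetical format "<timestamp> <client> <qname>".
# xkqvbzrtplmwdgfh.net is invented for the example; the others are from the post.
DNS_LOG = """\
2016-04-22T10:00:01 10.0.0.5 sc.ghandiprobably.com
2016-04-22T10:00:02 10.0.0.5 cdn.ghandiprobably.com
2016-04-22T10:00:03 10.0.0.7 kqzjcgrrflbvybuaejdexttlt.biz
2016-04-22T10:00:04 10.0.0.7 www.example.com
2016-04-22T10:00:05 10.0.0.9 nbszdxmz.org
2016-04-22T10:00:06 10.0.0.9 xkqvbzrtplmwdgfh.net
"""


def parse_hosts(text):
    """Return the set of hostnames a hosts file maps (exact names only, no wildcards)."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments
        parts = line.split()
        if len(parts) < 2:                        # blank line or address without names
            continue
        for name in parts[1:]:                    # "addr name [name ...]"
            blocked.add(name.lower().rstrip("."))
    return blocked


def parent_blocked(qname, blocked):
    """Return a blocked parent domain of qname, or None.

    A hosts file would NOT block qname in this case; this is the gap the
    per-subdomain entries in the post are papering over."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in blocked:
            return parent
    return None


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(qname, entropy_threshold=3.3, min_len=10, max_vowel_ratio=0.3):
    """Crude DGA heuristic on the second-level label (assumed thresholds).

    Flags long, high-entropy, vowel-poor labels such as kqzjcgrrflbvybuaejdexttlt.
    Limitations: no public-suffix handling (co.uk would be scored as 'co'), and
    short DGA labels such as nbszdxmz slip under min_len."""
    labels = qname.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if len(sld) < min_len:
        return False
    vowels = sum(ch in "aeiouy" for ch in sld)
    return (shannon_entropy(sld) >= entropy_threshold
            and vowels / len(sld) < max_vowel_ratio)


def check_log(log_text, blocked):
    """Classify each query: exact hosts-file hit, subdomain the hosts file misses, or DGA-like."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in blocked:
            findings.append((client, qname, "blocked-exact"))
            continue
        parent = parent_blocked(qname, blocked)
        if parent:
            findings.append((client, qname, "subdomain-of-blocked:" + parent))
        elif looks_dga(qname):
            findings.append((client, qname, "dga-like"))
    return findings


if __name__ == "__main__":
    for client, qname, verdict in check_log(DNS_LOG, parse_hosts(HOSTS_BLOCKLIST)):
        print(client, qname, verdict)
```

    Run it and cdn.ghandiprobably.com comes back as "subdomain-of-blocked", i.e. a lookup the hosts file lets through; a resolver or DNS firewall that supports zone-level blocking (or a per-subdomain entry, as in the post) is needed to close that. nbszdxmz.org is not reported at all, which is the honest result of a length-and-entropy heuristic on an eight-character label: hosts-file and DGA heuristics are a stopgap, not a substitute for the full indicator list.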

  10. It's there @ BAE, here's what I got (complete) by Anonymous Coward · · Score: 1

    Start of the list of things to block (host-domain names) & cutting javascript-> https://yro.slashdot.org/comme... & here are the rest (finally):

    NOPE - can't do it... you can THANK the fools here for restricting my post length or characters per line STUPIDITY FILTERS they put in so you have to get them yourself now... thanks a lot, Logan Abott (you idiot).

    APK

    P.S.=> I feel the same as you do, but I learned you have to dig PAST the 'std. fare' articles in the news many times & go STRAIGHT to the horse's mouth for better more detailed info here (1st link is the FULL technical readout) https://resources.baesystems.c... ... apk

  11. (plus one Info8mative) by Anonymous Coward · · Score: -1, Flamebait

    to Die. I will jam

  12. rofl by Anonymous Coward · · Score: 0

    such fucking non-issue, stop using garbage operating systems from Redmond on my tax money. Install linux fucktards.

  13. BAE caught me slippin by Anonymous Coward · · Score: 0

    Bring back Snacks!