In the process of clearing out the infection, our researchers uncovered an international network of tens of thousands of computers, many in public bodies such as police departments and hospitals, all feeding information back to a shadowy network of cyber criminals.
First identified in 2009, Qbot spreads by abusing the built-in administration tools in Windows, hopping from machine to machine with a simple technique. For the sake of convenience, the administrator password that lets helpdesk staff make changes to PCs is often the same across tens, hundreds or even thousands of PCs in an organisation. Steal that one credential and you can often take control of the whole network. The updated version of Qbot added several new tricks and tactics that boosted its power.
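The spread pattern described above leaves a recognisable trace in Windows Security logs: one account performing network logons (event 4624, logon type 3) to many different hosts in a short window. The following is an added example, not code from the BAE Systems write-up, that flags that pattern over a small set of constructed logon records; the account names, hostnames and thresholds are assumptions for illustration.

```python
"""Added example: flag one account fanning out to many hosts over the network.

The sample events below are constructed; they are not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # logon type 3 in Windows event 4624: remote admin shares, WMI, PsExec-style access

# Constructed sample records: (timestamp, target host, account, logon type)
SAMPLE_EVENTS = [
    # one shared helpdesk account reaching eight PCs in nine minutes (worm-like)
    ("2016-03-01 09:00:01", "PC-001", "CORP\\helpdesk", 3),
    ("2016-03-01 09:00:07", "PC-002", "CORP\\helpdesk", 3),
    ("2016-03-01 09:01:12", "PC-003", "CORP\\helpdesk", 3),
    ("2016-03-01 09:02:45", "PC-004", "CORP\\helpdesk", 3),
    ("2016-03-01 09:04:03", "PC-005", "CORP\\helpdesk", 3),
    ("2016-03-01 09:05:30", "PC-006", "CORP\\helpdesk", 3),
    ("2016-03-01 09:07:18", "PC-007", "CORP\\helpdesk", 3),
    ("2016-03-01 09:08:59", "PC-008", "CORP\\helpdesk", 3),
    # a user at the console of her own PC (logon type 2, ignored)
    ("2016-03-01 09:03:00", "PC-042", "CORP\\alice", 2),
    # a backup service touching three servers over an hour (benign at default thresholds)
    ("2016-03-01 09:00:00", "SRV-01", "CORP\\backup_svc", 3),
    ("2016-03-01 09:20:00", "SRV-02", "CORP\\backup_svc", 3),
    ("2016-03-01 09:40:00", "SRV-03", "CORP\\backup_svc", 3),
]


def parse_events(rows):
    """Turn (timestamp, host, account, logon_type) tuples into dicts with parsed times."""
    return [
        {
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "account": account,
            "logon_type": logon_type,
        }
        for ts, host, account, logon_type in rows
    ]


def find_lateral_spread(events, window=timedelta(minutes=10), min_hosts=5):
    """Return {account: sorted hosts} for accounts whose network logons reach
    at least `min_hosts` distinct hosts inside any sliding window of `window`.
    Hosts from every window that trips the threshold are unioned per account.
    """
    by_account = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == NETWORK_LOGON:
            by_account[ev["account"]].append(ev)

    flagged = defaultdict(set)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[account] |= hosts

    return {account: sorted(hosts) for account, hosts in flagged.items()}


if __name__ == "__main__":
    for account, hosts in find_lateral_spread(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account}: network logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

The thresholds are the tuning knob: a backup or monitoring service legitimately touches many hosts, so in practice you would allow-list known service accounts or raise `min_hosts` for them, while a helpdesk account reaching dozens of workstations in minutes is exactly the fan-out a credential-reusing worm produces.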
But there was a catch – it also crashed old PCs.
As computer operating systems go, Windows XP is very old. When the attack spread to computers still running XP, the malicious code crashed them instead of infecting them. Public bodies, often running on tight budgets, frequently keep using hardware and software long past its use-by date because the disruption and cost of upgrading can be prohibitive, and that cost must be balanced against the risk of the old systems becoming infected.
In the days that followed the outbreak, the BAE Systems incident response team uncovered a sophisticated effort by the cyber criminals to keep the malware running: polymorphism to defeat signature-based detection, sandbox-awareness to avoid automated analysis, and a domain generation algorithm to evade attempts to take down the command-and-control infrastructure.
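A domain generation algorithm frustrates takedowns because the infected machines compute a fresh list of rendezvous domains every day from a seed, so seizing today's domains does nothing about tomorrow's. The following is an added example, not Qbot's algorithm and not code from the BAE Systems write-up: a hypothetical date-seeded DGA, alongside the defender's counter-move of precomputing the upcoming domains once the seed has been recovered from a sample so they can be blocked or sinkholed in advance. The seed string, label length and TLD list are assumptions.

```python
"""Added example: a hypothetical date-seeded DGA and the matching precompute step.

This is an illustration of the technique, not the algorithm any real malware uses.
"""
import hashlib
import re
from datetime import date, timedelta

TLDS = ["com", "net", "org", "info"]  # assumed TLD rotation
LABEL_LENGTH = 12                     # assumed domain label length


def generate_domains(seed, day, count=5):
    """Derive `count` domains for `day` from a shared secret `seed`.

    Every infected host with the same seed computes the same list, so the
    operator only needs to register one of them to regain control.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # map each digest byte to a lowercase letter
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LENGTH])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def sinkhole_list(seed, start, days, count=5):
    """Defender side: with the seed recovered, enumerate every domain the
    malware will try from `start` for `days` days so they can be blocked
    or sinkholed before the operator registers them.
    """
    domains = []
    for offset in range(days):
        domains.extend(generate_domains(seed, start + timedelta(days=offset), count))
    return domains


def is_wellformed(domain):
    """Sanity check that a generated domain matches the expected shape."""
    return re.fullmatch(r"[a-z]{%d}\.(%s)" % (LABEL_LENGTH, "|".join(TLDS)), domain) is not None


if __name__ == "__main__":
    # constructed seed for illustration only
    today = date(2016, 3, 1)
    for d in generate_domains("example-seed", today):
        print("today's candidate:", d)
    print("domains to block over the next week:", len(sinkhole_list("example-seed", today, 7)))
```

The asymmetry is the point: a blocklist built from observed traffic is always a day behind, whereas reversing the seed from a sample lets responders stay ahead of the operator for as long as the seed is not rotated.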
BAE Systems also uncovered Qbot's international network of infected machines within thousands of different organisations, running to over 54,000 PCs. Some of the organisations that fell victim, most of which were public institutions including police departments, hospitals and universities, had infections running to over a thousand computers.