Saturday, March 19, 2011

Nanaimo City Hall Virus Identified

Click Graphic To Enlarge
"Qakbot - Generation 4 Variant Identified"
In the Daily News, March 18, Per Kristensen, IT Director for the city said that the city computer network had been attacked by a fourth generation variant of the 'qakbot' virus which instantly spread to more than 440 computers at city hall. Mr. Kristensen is quoted as saying the insidious virus manages to hide itself, meaning that computers have to be scanned more than once to be sure. (He didn't explain how many times the virus can hide).
Mr. Kristensen has ensured the public that confidential data was not compromised, nor can anyone 'catch' the virus by visiting the city website.
Qakbot: A Prevalent Infostealing Malware
The above graphic which appears on the Trend Micro website graphically shows how this malware operates and what it's purpose is once installed on a computer.
It arrives on systems via by exploiting vulnerabilities, via network shares, visiting malicious sites, via other malware (dropped).
Once installed QAKBOT does the following:
  • It downloads updates and it's component files
  • It hides the files, processes, and registry entries it creates.
  • It modifies an existing registry entry.
  • It blocks access to certain antivirus websites
  • It uninstalls itself if found running on VM
  • It terminates programs that alert users of system crashes.
  • It sends and receives commands from a remote malicious user, thus compromising the system.
More information is available about this malware on the Trend Micro website HERE. Trend Micro claims that users of their product are protected from this threat via the Trend Micro Smart Detection Network. This virus was first seen in 2007.

The reason behind the use of this threat, according to Trend Micro:

QAKBOT is an information-stealing malware that monitors and logs information pertaining to finance-related websites. Through stealing the said information, the cybercriminals behind this attack can generate profit. This threat particularly became prevalent in Q4 2009 and Q4 2010, which is not surprising since people tend to shop more online during the holidays.


1 comment:

  1. How did this virus get into the city system? The IT people should be figuring out how it gained access, If a responsible person can be identified and they were using the internet connection for non-city related activities needs to receive a serious reprimand.


Your comment will appear after moderation before publishing,

Thank you for your comments.Any comment that could be considered slanderous or includes unacceptable language will be removed.

Thank you for participating and making your opinions known.