National Health Service system infected with data-stealing worm

The not-so-new and easily detectable Qakbot worm has compromised over a thousand machines within the UK’s National Health Service computer system, say Symantec researchers.

The Qakbot worm spreads through web pages with JavaScript that tries to exploit vulnerabilities in Microsoft IE and Apple QuickTime. When the exploit is successful, malicious files get installed on the computer in the user profile data directory.

Qakbot’s main goal is to collect information (credit card information, online credentials, search histories, and other data) and upload it to FTP servers, where it is made available to the creator(s) of the worm. It hides its presence and actions behind legitimate processes, and it is able to download updates for itself in several different ways. It spreads over network shares.

Symantec researchers have been following two of the six FTP servers to which the data is sent, and during a period of two weeks, some 4 GB of data was uploaded to them. “Given that these figures are based on the evidence from logs obtained from only two servers over two weeks, the actual numbers may be higher,” they say.

“One unusual aspect of Qakbot is that even though its purpose is to steal information associated with home users, it has also been successful at compromising computers in corporate environments as well as government departments,” muse the researchers. The NHS is just one example; some 100 compromised computers have also been detected on a Brazilian regional government network.

The researchers have no evidence about medical records being stolen at this time, but warn that it’s not only the information stealing that the users should be worried about. Qakbot also has downloader functions that can be used to further infect the machines with other malware.
