May 23, 2011 12:13 GMT

Security researchers from Symantec warn that Qakbot, an information-stealing piece of malware, registered an activity spike in April that has continued into this month.

Qakbot dates back to 2009, and the main infection vector used by its creators is drive-by download attacks that exploit vulnerabilities in outdated software.

The piece of malware is technically a worm because it has self-propagation mechanisms that involve copying itself to network shares and removable drives.

Once running on a computer, the worm can download and execute additional files, steal and send information to its creators and open a backdoor for them to control the system.

The Symantec malware researchers, who have monitored Qakbot for the past couple of years, recorded a significant spike in the malware's activity last month.

The worm's creators released new variants which were able to spread very quickly, peaking at almost 250,000 hits in the second half of April.

This activity was significantly different from that of similar malware, suggesting a renewed interest in this particular threat.

The researchers warn users, especially those in corporate environments where this worm thrives best, to be on the lookout for Qakbot.

This threat can steal keystrokes, digital certificates, POP3 account passwords, and FTP credentials, which are then used to infect web pages with drive-by download code.

In addition, the malware targets online banking session tokens, which makes it similar in functionality to renowned banking trojans like ZeuS or SpyEye.

"Qakbot has the ability to remove 'logoff' links from client visibility for some banking sites, and subsequently extend active sessions," the Symantec specialists warn.

It hides its files and processes using a user-mode rootkit, and it primarily targets financial data from customers of US-based financial institutions.

In one particular instance, Qakbot samples were digitally signed using a stolen legitimate key. This is a rare practice in the malware industry, but one that was also employed by the infamous Stuxnet industrial sabotage worm.