NHS hit by Qakbot infection
However, no evidence to show patient data stolen, says Symantec
Over 1,000 NHS systems infected by botnet worm Qakbot
The NHS network has been hit by a botnet infection said to have compromised over 1,100 separate systems, says Symantec.
Called W32.Qakbot, the worm attempts to steal login details for file transfer protocol (FTP) accounts and for email accounts that use post office protocol 3 (POP3), like Google's Gmail, and internet message access protocol (IMAP).
On its Security Response blog, Symantec's Patrick Fitzgerald said: "We've tried to contact affected parties, but we have no evidence to show that any customer or patient data has been stolen."
Fitzgerald added that since the figures are based on log file evidence obtained from only two servers over two weeks, the actual numbers may be higher.
Symantec's security researchers monitored two of the botnet's FTP servers.
"The results are quite startling, over the course of one week we observed roughly 4GB of stolen information uploaded to these FTP servers," commented one researcher.
The stolen data includes online banking information, credit card information, social network credentials, internet mail credentials, and internet search histories.
Qakbot also targets browser cookies, including Flash cookies, which, unlike ordinary cookies, can't be deleted through browser privacy controls.
Qakbot spreads by exploiting Internet Explorer and QuickTime flaws to install malware on users' systems; it can then spread across local networks.
The worm hides from view by using legitimate CPU processes, and Symantec's blog says that it also sends out the geographical location and browser information of the compromised computer to a pre-defined URL.
All traffic between the compromised system and Qakbot control servers is encrypted using secure sockets layer (SSL).
Symantec's recent Internet Security Threat Report 2010 pointed out that during 2009 and early 2010 there had been an increase in targeted attacks on corporate IT.
Symantec warned that, "since Qakbot also functions as a downloader, corporate environments compromised by Qakbot could find themselves defending a more serious attack if appropriate action is not taken now."