
New version of the dangerous Qbot virus discovered

Security researchers from BAE Systems have identified a new strain of the Qbot virus, which is extremely difficult to detect and even harder to eliminate.

The new strain of the virus, which has so far infected more than 54,000 PCs across the world, was spotted in early 2016, after it attacked a public sector organisation and infected 500 machines.

BAE Systems managed to analyse the new strain and uncovered a couple of interesting changes.

First of all, the new Qbot is a shape-shifter. It has 'shape-changing', or 'polymorphic', code: every time it gets installed, it is recompiled with additional content. That makes it very hard for antivirus programs to spot, as they're looking for specific signatures.

The second interesting thing is that the virus has automated updates happening every six hours, outpacing security programs.

The malware also seems to be testing if it's in a sandbox environment or not. Sandboxing is a practice usually used to spot malware before it reaches a system.

Qbot mostly targets public sector organisations such as law enforcement agencies or hospitals, and security researchers are warning everyone to take precautionary measures and protect themselves.

“Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem,” said Adrian Nish, head of Cyber Threat Intelligence at BAE Systems.
