{
	"id": "64c40bd6-9405-4d64-bec4-ae8ec0fbff2e",
	"created_at": "2026-04-06T00:07:03.393695Z",
	"updated_at": "2026-04-10T13:11:38.100946Z",
	"deleted_at": null,
	"sha1_hash": "2fe9add1fab5c5c089b80f48434416fa4fd1353a",
	"title": "Qakbot Steals 2GB of Confidential Data per Week",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42067,
	"plain_text": "Qakbot Steals 2GB of Confidential Data per Week\r\nArchived: 2026-04-05 21:50:57 UTC\r\nOur previous blog entries about W32.Qakbot gave details about how the threat works, how it spreads, and its\r\ncapabilities for stealing information. This entry focuses on the scale and type of data Qakbot has been successful\r\nin acquiring.\r\nStealing data\r\nQakbot monitors compromised computers for sensitive information and uploads the stolen data to an FTP server.\r\nThe FTP server information is downloaded from the botnet and can change over time. Here is an example of a\r\nrecent FTP configuration:\r\nexec=!var ftphost_1=ftp.df[REMOVED]\r\nexec=!var ftphost_2=web1[REMOVED]\r\nexec=!var ftphost_3=ftp.su[REMOVED]\r\nexec=!var ftphost_4=ftp.ab[REMOVED]\r\nexec=!var ftphost_5=ftp.51[REMOVED]\r\nexec=!var ftphost_6=ftp.fan[REMOVED]\r\nWhile analyzing this threat we gained access to and closely monitored two of these FTP servers. The results are\r\nquite startling. Although Qakbot is a smaller botnet, over the course of two weeks we observed roughly four\r\ngigabytes of stolen information that was uploaded to these FTP servers. The data uploaded includes:\r\n•    Online banking information\r\n•    Credit card information\r\n•    Social network credentials: Facebook, Twitter, Orkut, Bebo, Adult FriendFinder, and more.\r\n•    Internet mail credentials: Hotmail, Gmail, Yahoo!, and more.\r\n•    Internet search histories\r\nQakbot records the contents of information that is stored and used by the AutoComplete feature. 
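The configuration format shown above is simple enough to parse and turn into a watch list. The Python below is an added example written for this page, not code from the original Symantec post or from Qakbot itself: it extracts the exec=!var assignments, orders the ftphost_N entries by index, checks an observed FTP destination against them, and reports hosts that appear or disappear between two configuration snapshots (the post notes the server list changes over time). The sample config reuses the six redacted lines from the post as-is; the three extra lines (example_other, a malformed entry and an exec=!noop directive) are constructed for the example and are not real Qakbot settings.

```python
# Added example (not from the Symantec post): parse Qakbot-style
# exec=!var NAME=VALUE configuration lines and derive an FTP drop-host watch list.

# The six ftphost_N lines are copied from the post with its redactions intact.
# The last three lines are constructed for this example and are not real
# Qakbot settings; they exercise the non-host, malformed and non-var paths.
SAMPLE_CONFIG = '''exec=!var ftphost_1=ftp.df[REMOVED]
exec=!var ftphost_2=web1[REMOVED]
exec=!var ftphost_3=ftp.su[REMOVED]
exec=!var ftphost_4=ftp.ab[REMOVED]
exec=!var ftphost_5=ftp.51[REMOVED]
exec=!var ftphost_6=ftp.fan[REMOVED]
exec=!var example_other=1
exec=!var broken
exec=!noop
'''

VAR_PREFIX = 'exec=!var '
HOST_PREFIX = 'ftphost_'


def parse_vars(config_text):
    '''Return {name: value} for every exec=!var line; other lines are ignored.'''
    variables = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(VAR_PREFIX):
            continue  # blank line or some other exec directive
        name, sep, value = line[len(VAR_PREFIX):].partition('=')
        if not sep or not name:
            continue  # malformed assignment: no '=' or empty name
        variables[name] = value
    return variables


def ftp_hosts(config_text):
    '''Drop hosts ordered by their numeric suffix (ftphost_1, ftphost_2, ...).'''
    numbered = []
    for name, value in parse_vars(config_text).items():
        if not name.startswith(HOST_PREFIX):
            continue
        suffix = name[len(HOST_PREFIX):]
        if not suffix.isdigit():
            continue  # names without an index are not part of the rotation
        numbered.append((int(suffix), value))
    return [host for _, host in sorted(numbered)]


def is_drop_host(config_text, observed_host):
    '''True if an observed FTP destination is one of the configured drop servers.'''
    watch = {host.lower() for host in ftp_hosts(config_text)}
    return observed_host.strip().lower() in watch


def host_changes(old_config, new_config):
    '''(added, removed) drop hosts between two configuration snapshots.'''
    old, new = set(ftp_hosts(old_config)), set(ftp_hosts(new_config))
    return sorted(new - old), sorted(old - new)


if __name__ == '__main__':
    for index, host in sorted(enumerate(ftp_hosts(SAMPLE_CONFIG), start=1)):
        print('ftphost_%d -> %s' % (index, host))
```

In practice you would feed is_drop_host the destination of each outbound FTP session from your proxy or firewall logs, and run host_changes against each new configuration pulled from a sandboxed sample so the watch list keeps up with the botnet's rotation.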
In a nutshell, if\r\nyour computer is compromised, every piece of information you type into your browser will be stolen.\r\nThe following image shows some stolen AutoComplete data:\r\n[image]\r\nQakbot also steals detailed information about the computer on which it’s running:\r\n[image]\r\nIndiscriminate targeting\r\nOne unusual aspect of Qakbot is that, although its purpose is to steal information associated with home users, it\r\nhas also been successful at compromising computers in corporate environments and government departments. For\r\ninstance, there are over 100 compromised computers on a Brazilian regional government network. More alarmingly,\r\nthe logs show a significant Qakbot infection on a major national health organization network in the UK: the threat\r\nhas infected over 1,100 separate computers spread across multiple subnets within that network. We have\r\nattempted to contact the affected parties and have no evidence that any customer or patient data has been\r\nstolen. Given that these figures are based only on logs obtained from two servers over two weeks, the actual\r\nnumbers may be higher.\r\nThis map shows the distribution of infected hosts, based only on the information recovered from the FTP data. As\r\nyou can see, this botnet has coverage on a global scale:\r\n[image]\r\nConsequences\r\nThe stolen data gives a snapshot of user activity at a given time, but because login credentials are also stolen,\r\nanyone in possession of this information can gain a far more complete view of a user’s life. For example, one\r\nwoman, after chatting on Facebook, bought some items online at the retailers Argos and WHSmith. She then\r\nposted updates about her activities on that day. 
If required, the attacker can then log in to the above sites and gain access to the orders, which reveals the\r\nhome address where the items will ultimately be delivered.\r\nPersonal information including name, address, age, shopping habits, interests, friend lists, and photographs for this\r\nand other users has been compromised by Qakbot.\r\nAlso, whoever is behind Qakbot has not put much effort into securing the stolen information. Anyone with a\r\nsample of this threat who knows what they are doing will be able to access this data quite easily. At the time of\r\nthis writing we have only observed Qakbot stealing consumer-based information, but since Qakbot also functions\r\nas a downloader, corporate environments compromised by Qakbot could find themselves defending against a more\r\nserious attack if appropriate action is not taken now.\r\nHow do I protect myself?\r\nSymantec users are protected from this threat by both our antivirus and IPS engines. The malicious binaries will\r\nbe detected as W32.Qakbot, while the IPS engine will detect malicious Qakbot downloads as HTTP W32 Qakbot\r\nFile Download Activity. More importantly, the IPS engine also detects and blocks attempts to upload stolen data to\r\nthe FTP servers as FTP W32.Qakbot Activity. This helps to prevent stolen data from reaching the attackers.\r\nEducation is always a powerful tool in the fight against any malware; our W32.Qakbot writeup on this threat gives\r\na great deal of information about it.\r\nIf you are reading this and are worried about malicious third parties gaining access to your online accounts, now\r\nwould be a good time to change all of the passwords related to your online presence. What’s clear from the data\r\nwe have analyzed is that people follow bad habits when creating their passwords. 
Use hard-to-guess\r\npasswords and please don’t use the same password across many online services.\r\nSecurity Response is attempting to shut down the dump sites and command-and-control servers in order to neuter\r\ncurrent versions of Qakbot.\r\n---------------------------------------------\r\nThanks to Nicolas Falliere for his work in reversing the format of the Qakbot log files.\r\nSource: https://web.archive.org/web/20130530033754/http://www.symantec.com/connect/blogs/qakbot-steals-2gb-confidential-data-week",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20130530033754/http://www.symantec.com/connect/blogs/qakbot-steals-2gb-confidential-data-week"
	],
	"report_names": [
		"qakbot-steals-2gb-confidential-data-week"
	],
	"threat_actors": [],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fe9add1fab5c5c089b80f48434416fa4fd1353a.pdf",
		"text": "https://archive.orkl.eu/2fe9add1fab5c5c089b80f48434416fa4fd1353a.txt",
		"img": "https://archive.orkl.eu/2fe9add1fab5c5c089b80f48434416fa4fd1353a.jpg"
	}
}