Data-stealing worm found on 1,000 NHS computers

Security software firm Symantec has discovered a "significant infection" by the Qakbot worm on National Health Service (NHS) computers.

Once it has infected computers, Qakbot monitors for sensitive information and uploads the stolen data to an FTP server. Despite being a relatively small botnet, Symantec observed around 4GB of stolen data being uploaded when it monitored two servers over a two-week period.

The data included online banking and credit card information, internet search histories, login details for a number of social networks including Facebook, Twitter and Bebo, and webmail account details for the likes of Gmail and Yahoo.

According to Symantec, Qakbot has infiltrated a number of Government departments and large corporations despite being aimed mainly at home users. It found more than 100 compromised computers on a Brazilian regional government network.

But more alarming was the discovery that around 1,100 separate NHS computers spread over a number of subnets have been infected with the worm. And Symantec said the figure could be even higher given that it was gained by monitoring just a couple of servers for a short period of time.

The company said that while there was no evidence to show any customer or patient data had been compromised, the relatively poor security around Qakbot itself meant stolen information could easily by accessed by others, with the possibility of more serious attacks down the line.

"Whoever is behind Qakbot has not put much effort into securing the stolen information. Anyone with a sample of this threat who knows what they are doing will be able to access this data quite easily," Symantec's Patrick Fitzgerald wrote on the company's blog.

"At the time of this writing we have only observed Qakbot stealing consumer-based information, but since Qakbot also functions as a downloader, corporate environments compromised by Qakbot could find themselves defending a more serious attack if appropriate action is not taken now," he added.

Symantec pointed out that the worm could even have been uncovered by off-the-shelf security software raising questions over the strength of the security measures employed by the NHS.

Indeed, Symantec's advice on avoiding infection from Qakbot and other security threats centred around nothing more complex than making sure computers were protected by up-to-date antivirus software, and it also urged users to make sure their passwords were as secure as possible.

"What's clear from the data we have analysed is that people use bad habits for creating their passwords," the post added. "Use hard-to-guess passwords and please don't use the same password across many online services."