Password-Stealing Virus Proves Hard to Kill on Windows XP

A computer virus that targeted and successfully infected systems at Royal Melbourne Hospital in Australia over two weeks ago refuses to relent on targeted Windows XP systems.

The Qbot virus is a strain of malware that is known to attack banking systems and capture keystrokes, like a key-logger program. Qbot, or Qakbot, was first discovered in 2009 and has routinely been known to infect Windows machines. Affected versions range from Windows XP to Windows 7.

While it’s easy to dismiss the malware as one that affects only legacy systems, zero-day exploits are still rife with Windows XP, even more so after Microsoft recently discontinued support for the operating system.

It comes as little surprise then that the systems used at the Royal Melbourne Hospital’s pathology department fell prey to the malware. The damage was telling. The infection caused by the malware forced staff to manually process specimens such as blood, tissue and urine samples, as opposed to computer-aided testing and entries.

As revealed by The Age, an email sent by Associate Professor Denise Heinjus, Executive Director of Nursing Services and Allied Health, read:

Please note that there will be delays in the Microbiology and Anatomical Pathology specimens.

The email also laid out a list of pointers and updates for staff, including:

  • Noting the hospital’s food service was interacting with nurses to ensure the right meals were being delivered to the right patients.
  • Reminding staff not to log into any password-secured websites such as Gmail, Facebook or bank accounts etc.
  • Staff computers that are on should not be turned off and vice versa.
  • Payroll was notably not affected but the health network’s website was under maintenance.
  • Elective surgeries were not affected.

Royal Melbourne Hospital is one of Melbourne’s largest hospital networks, and its IT department subsequently worked toward removing the malware in the following days.

However, reports surfacing today, nearly a fortnight after the malware was discovered on the hospital’s systems, indicate that it continues to exist and even ‘mutate.’

Speaking to 3AW news today, Melbourne Health chair Robert Doyle revealed:

We had one day in the last week where the virus mutated six times. We are down to quite small outbreaks now but we are trying to stop it talking across computers.

The virus exists to this day, although most hospital programs are back up and running, including systems in the affected pathology department. A statement put up by the hospital revealed that affected computers are running on Windows XP. Despite being one of Microsoft’s most successful operating systems ever, the company discontinued support and development for Windows 8 in January 2016.

[Image: NetMarketShare operating system market share, February 2016]

Windows XP continues to be a widely used operating system, with 11.42% of all PCs running the now-defunct OS, according to NetMarketShare. Up until recently, it remained the second most popular version of Windows, with Windows 10 overtaking Windows XP in usage numbers. The latest version of Windows achieved this only recently, despite being offered as a free upgrade for Windows users. With the cut-off date for the free upgrade approaching in July this year, Windows users are likely to flock toward Windows 10. For some, the time to upgrade may already be too late.


Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.