How the Qbot malware downed Melbourne Health's systems

Got in through Windows XP zero-day.

Melbourne Health's networks were attacked earlier this week by a new variant of the Qbot malware, which infiltrated its systems via a zero-day exploit in the Windows XP operating system.

Late on Monday the health service discovered that malicious software had infected Windows XP computers, entering through Royal Melbourne Hospital's pathology department.

The malware downed the hospital's pathology systems and forced staff into manual workarounds to process blood, tissue and urine samples.

The health IT team has since managed to restore services to the pathology unit, but was forced to fast-track its in-train operating system upgrade after the malware rendered its Windows XP computers unusable.

Qbot, or Qakbot, has been in existence since 2009 and affects Windows versions from XP to 7.

It typically targets online banking credentials and can steal passwords and capture user keystrokes. The malware also enrols the infected machine in a global botnet of compromised computers.

It made its way into the health service through an unnamed zero-day exploit against Windows XP computers, slipping past the organisation's full enterprise antivirus suite.

Sources told iTnews the new variant of Qbot was far harder to detect than older versions. Qbot has traditionally been able to block access to antivirus vendors' websites, and to delete itself if it detects that it is running on a virtual machine, a common sandbox-evasion technique.
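One common way Windows malware blocks antivirus sites is to add entries to the hosts file that point vendor and update domains at loopback, so signature updates and cleanup-tool downloads silently fail. The article does not say which mechanism this Qbot variant uses, so that is an assumption. The following is an added example, not code from the article or from any vendor, that parses a hosts file and flags overrides of security-vendor domains; the vendor suffix list and the sample hosts file are constructed for the example and should be adapted to the products actually deployed.

```python
"""Flag hosts-file entries that sinkhole or redirect security-vendor domains.

Added example: parses a hosts file (Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts)
and reports any override of a domain belonging to an antivirus or update vendor.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample hosts file, not taken from the article. The tampered lines
# point vendor domains at loopback (sinkholed) or at an arbitrary address (redirected).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.1.2.3        pathology-lis.internal   # legitimate internal host
127.0.0.1       www.symantec.com liveupdate.symantec.com
0.0.0.0         update.nai.com
127.0.0.1       www.kaspersky.com
::1             downloads.sophos.com
198.51.100.7    www.mcafee.com
"""

# Assumed list of domains that should never be pinned in a hosts file.
# Extend it with the vendors actually used in your environment.
PROTECTED_SUFFIXES = (
    "symantec.com", "nai.com", "mcafee.com", "kaspersky.com", "sophos.com",
    "trendmicro.com", "eset.com", "avast.com", "avg.com",
    "windowsupdate.com", "update.microsoft.com",
)

# Addresses that make a name resolve to nowhere useful.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments and blanks."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:  # an address with no hostnames is not an entry
            continue
        address, hostnames = fields[0], fields[1:]
        for name in hostnames:
            entries.append((address, name.lower()))
    return entries


def is_protected(hostname: str) -> bool:
    """True when hostname is, or is a subdomain of, a protected vendor domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_vendor_overrides(text: str) -> List[Dict[str, str]]:
    """Report every hosts-file override of a protected domain.

    reason is "sinkholed" for loopback/null addresses and "redirected" for anything
    else; both are suspicious because legitimate hosts files do not pin vendor sites.
    """
    findings: List[Dict[str, str]] = []
    for address, hostname in parse_hosts(text):
        if not is_protected(hostname):
            continue
        reason = "sinkholed" if address in SINKHOLE_ADDRESSES else "redirected"
        findings.append({"address": address, "hostname": hostname, "reason": reason})
    return findings


if __name__ == "__main__":
    # Pass a real hosts file path as argv[1]; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    for f in find_vendor_overrides(data):
        print(f"{f['reason']:10s} {f['hostname']:30s} -> {f['address']}")
```

Run it against a suspect machine's hosts file; on a clean Windows host the only entries should be comments and, at most, localhost, so any hit for a vendor domain is worth treating as tampering. The same check can be folded into an endpoint baseline job that compares the file's hash against a known-good copy, with this parser used to explain what changed.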

They said the new variant was targeted more at Windows 7 machines, and that when it hits Windows XP computers it renders them unusable.

Melbourne Health had already begun a long-term upgrade of its Windows XP machines when the malware hit, and had converted around 2200 of its 4000 devices at the time of the attack.

The attack forced the health service to fast-track its upgrade plans, and it is now swapping XP for Windows 7 as an immediate priority.

iTnews understands Melbourne Health has opted for Windows 7, which has already left mainstream support, rather than a newer version of the OS, to lessen the impact of cultural change within the organisation and to ensure that certain medical software in use remains certified and licensed.

The health service is still working towards restoring all systems.

Copyright © iTnews.com.au . All rights reserved.