Security researchers at McAfee Labs have spotted a new strain of the Pinkslipbot banking malware (also known as QakBot/QBot) that leverages UPnP to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine even if they are behind a network address translation router.
“To do so, Pinkslipbot uses universal plug and play (UPnP) to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine. As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware to use UPnP for port forwarding after the infamous W32/Conficker worm in 2008.” states the analysis shared by Mcafee.
Pinkslipbot, aka, Qbot first appeared in 2009 when was detected by Symantec, recent variants implement new features, including an advanced evasion technique.
Qbot, is a data stealer worm with backdoor capabilities, it is used to recruit infected machines in a credential-harvesting botnet.
Experts noticed that Pinkslipbot uses UPnP to provide the path to the targets, it infects machines that provide HTTPS servers from IP addresses listed in the malware. These machines serve as HTTPs proxies that route the path to an additional layer of HTTPs proxies, this technique allows masquerading the IP address of the real C&C server.
“We have discovered that the list of IP addresses consists solely of infected machines that serve as HTTPS-based proxies to the actual control servers. This setup (shown in the following diagram) is used to mask the real IP addresses of the Pinkslipbot control servers.” states the analysis.
The malware checks the target’s connection using a Comcast Internet speed tester, the test is possible only with US IP addresses. If the target passes the speed test, the malware then taps on UPnP ports to check the available services. The malicious code checks 27 ports to see if it can map them to the outside world.
It is still unclear the exact procedure of determining whether an infected machine is eligible to be a control server proxy.
“Malware researchers believe the choice depends on an infected machine’s satisfying a combination of three factors.
Once detected available ports, the malware infects a machine behind the firewall and establish a permanent port mapping to route the traffic, and works as a C&C proxy.
Infected machines at the first level of proxy use the libcurl library to pass information to the second-layer which then route the traffic to the “real” C&C servers.
“Once the infected machine receives a control server request from a new Pinkslipbot infection, it routes all traffic to the real control servers via an additional proxy using the popular libcurl URL transfer library. ” continues the analysis.
To prevent Pinkslipbot infection users should “keep tabs on their local port-forwarding rules” and should turn UPnP off if they don’t need it.
(Security Affairs – Pinkslipbot malware, botnet)