This blog was written by Sanchit Karve.
McAfee Labs has discovered that the banking malware Pinkslipbot (also known as QakBot/QBot) has used infected machines as control servers since April 2016, even after a security product has removed its capability to steal personal and financial data from the infected machine. The infected machines include those of home users, which are usually behind a network address translation (NAT) router. To reach them, Pinkslipbot uses Universal Plug and Play (UPnP) to open ports, allowing anyone on the Internet to establish incoming connections to the infected machine. As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware to use UPnP for port forwarding, after the infamous W32/Conficker worm in 2008.
Pinkslipbot is a notorious banking-credential harvester that has been active since 2007. It primarily targets users and enterprises located within the United States and includes components for password stealers, keyloggers, and man-in-the-browser attacks that are used as vectors to steal various kinds of information—including credit cards, social security numbers, online account credentials, email passwords, digital certificates, etc. Pinkslipbot controls a large botnet of more than 500,000 infected machines and steals over a half-million records every day. As a result, this malware has been documented extensively by the antimalware industry. The malware authors are clearly benefiting from Pinkslipbot; they have maintained the code base since 2007 and regularly add new features to it.
When Pinkslipbot resurfaced in December 2015, we analyzed the samples and published our findings at the Virus Bulletin Conference (VB2016) in October 2016. That report described its use of “ATSEngine” to automatically transfer money from bank accounts that belonged to infected users. At the time, Pinkslipbot was equipped with a domain generation algorithm with antisinkhole capabilities to locate its control server. After April 26, 2016, the malware sidelined the algorithm as a backup option in favor of a list of control server IP addresses embedded within every sample. Because many of the IP addresses belonged to legitimate organizations, we believed the malware authors intentionally included them to deter the cybersecurity industry from blacklisting all IP addresses en masse.
Turns out we were wrong in that assessment. We have discovered that the list of IP addresses consists solely of infected machines that serve as HTTPS-based proxies to the actual control servers. This setup (shown in the following diagram) is used to mask the real IP addresses of the Pinkslipbot control servers.
Figure 1: Layout of a typical Pinkslipbot control server.
Our VB2016 paper also showed how all server components (control server, JavaScript-download server, exploit kit servers) were interchangeable and contained the same functionality. This information continues to hold true with this new discovery. All control server-related information described as follows has been observed on other server components used by Pinkslipbot.
From infected machine to control server proxy
The exact procedure for determining whether an infected machine is eligible to be a control server proxy is unknown. However, we believe the decision depends on an infected machine satisfying a combination of three factors:
- IP address located in North America
- High-speed Internet connection
- Capability to open ports on an Internet gateway device using UPnP
To gauge the Internet connection speed, the malware downloads an image from Comcast’s Speed Test service from four locations in the United States.
- http://sanjose.speedtest.comcast.net/speedtest/random750x750.jpg?x={random}&y=1
- http://boston.speedtest.comcast.net/speedtest/random750x750.jpg?x={random}&y=1
- http://jacksonville.speedtest.comcast.net/speedtest/random750x750.jpg?x={random}&y=1
- http://houston.speedtest.comcast.net/speedtest/random750x750.jpg?x={random}&y=1
Once the downloads are complete, the results of the speed test are sent to the control server.
The Pinkslipbot binary then uses the miniupnpc library to issue a Simple Service Discovery Protocol packet and look for the following UPnP devices:
- urn:schemas-upnp-org:device:InternetGatewayDevice:1
- urn:schemas-upnp-org:service:WANIPConnection:1
- urn:schemas-upnp-org:service:WANPPPConnection:1
- upnp:rootdevice
Figure 2: Pinkslipbot’s device discovery over the Simple Service Discovery Protocol.
Once devices are discovered, their descriptions are downloaded to look for Internet gateway devices (IGD). This is done by looking for the service type urn:schemas-upnp-org:service:WANCommonInterfaceConfig: in the device description. The IGD is then checked for connectivity (for example, by calling the GetStatusInfo function on the device and confirming the returned response is “Connected”) and the external IP address is retrieved using the GetExternalIPAddress() function on the device.
Once an IGD is discovered, port-forwarding rules are created by using the AddPortMapping function on the IGD.
Figure 3: Disassembled code showing port mapping functionality.
The malware attempts to port-forward 27 internal and external ports, listed below.
- 443*
- 465*
- 990*
- 993
- 995*
- 1194
- 2078*
- 2083
- 2087
- 2222*
- 3389
- 6881
- 6882
- 6883
- 8443*
- 32100
- 32101
- 32102
- 32103*
- 50000
- 50001
- 50002
- 50003
- 50010
- 61200*
- 61201*
- 61202
The ports marked with a * are currently in use (as of June) by Pinkslipbot control servers.
If any port-forwarding request succeeds (and if other open ports are found), the malware saves the port number into a buffer and removes the port-mapping rule. The port-forwarding results are submitted to the control server using an HTTP POST request:
URL: hxxps://{control server-IP-Address}:{Port}/bot_serv
POST-DATA:
cmd=1&msg={obfuscated-string}&ports=993,80,465,21,50000,61200,61202
Based on this data, the malware author decides whether the infected machine can be used as a control server. Once an infected machine is selected, the “wgetexe” control server command (more accurately, command 25 using control server protocol Version 14) is issued to the infected machine to download a Trojan binary as “tmp_{timestamp}.exe.” This sample is responsible for the control server proxy communication, as we shall explain.
The downloaded Trojan is a dropper for the proxy component. It creates the following files either in %APPDATA% or %ALLUSERSPROFILE%, depending on the operating system.
- HardwareMonitor\hardwaremonitor.dll
  - The proxy component
- HardwareMonitor\hardwaremonitor.ini
  - Contains the Pinkslipbot BOTID stored under the field “n”
  - Contains available ports for mapping stored under the field “prt”
The file hardwaremonitor.dll (originally named supernode_con.dll by the malware authors) is registered as a new “hwmon” service, which is launched by calling one of the DLL’s export functions (HwmonServerMainNT or HwmonServerMain) through rundll32.exe. A firewall rule is also created for rundll32.exe.
When launched as a service, the proxy component creates port-forwarding rules (using the description “NAT-PMP {port} tcp”) just as the original Pinkslipbot sample does, but this time it does not remove them. The infected machine can now be used as a control server over HTTPS. At this stage the proxy component contacts the real control server via one of its hardcoded proxy servers with the following HTTPS POST request:
URL: https://{proxy-IP}/gwsup
POST-DATA:
n={BOTID}&rt={IsWinNT}&prt={UPnP-Forwarded-Port}&os={OS-Version}&ver={MajVer}.{MinVer}&upnp_stat={UPnP-Status}&upnp_descr={UPnP-Port-Forward-Description}
Once the infected machine receives a control server request from a new Pinkslipbot infection, it routes all traffic to the real control servers via an additional proxy using the popular libcurl URL transfer library. As with the original malware, the responses from the real control servers are parsed and digital signatures verified using a hardcoded RSA public key (using the MatrixSSL library). To mask its presence to the outside world, responses from the real control servers (which run Apache) are modified to look like they were hosted on a server running nginx Version 1.9.12.
Figure 4: A fake server name used by Pinkslipbot.
This step agrees with our previous findings from the VB2016 paper, in which we saw an nginx server responding with a specific error message (see Page 6) during control server communication that indicated the presence of a curl-based proxy server residing on Pinkslipbot control servers. However, at the time we were not sure how this was implemented or where the curl component resided. The presence of the same error message in the proxy component DLL confirms its purpose for responding to control server requests.
Figure 5: The missing component from 2016 has been identified based on the error message.
Two custom HTTP headers are also passed to the hardcoded proxy servers to indicate the IP address of the infected machine making the request and the Pinkslipbot BOTID of the infected machine serving as the proxy server.
| Custom HTTP header | Description |
| --- | --- |
| X-FORWARDED-FOR-CLIENT | IP address of the infected machine making the request. |
| X-FORWARDED-FOR-GATEWAY2 | The Pinkslipbot BOTID of the infected machine serving as a control server proxy. |
Because the Pinkslipbot control server protocol is based on HTTPS, it needs a server-side certificate to operate. The proxy obtains one on the fly by generating a new self-signed certificate for every new connection, using the OpenSSL library built into libcurl. The generated certificates are given random values for the following certificate attributes:
| Certificate attribute | Description |
| --- | --- |
| C | Country |
| ST | State |
| L | Locality |
| STREET | Street |
| O | Organization |
| OU | Organizational unit |
| CN | Common name |
Figure 6: Server certificate generation code from Pinkslipbot.
The malware authors take some extra effort to make the generated certificates appear legitimate by ensuring that:
- The organization attribute ends with either Inc. or LLC.
- The common name attribute uses one of the following top-level domains:
  - .com
  - .net
  - .org
  - .biz
  - .us
  - .info
  - .mobi
User recommendations
Because UPnP assumes that local applications and devices are trustworthy, it offers no security protections and can be abused by any infected machine on the network. We have observed multiple Pinkslipbot control server proxies hosted on separate computers on the same home network, as well as on what appears to be a public Wi-Fi hotspot. The port-forwarding rules created by Pinkslipbot are too generic to remove automatically without risking accidental network misconfigurations. And because most malware does not interfere with port forwarding, antimalware solutions may not revert such changes. Unfortunately, this means that your computer may still be reachable from the Internet, and therefore exposed to outside attacks, even if your antimalware product has successfully removed all Pinkslipbot binaries from your system. To ensure your computers are not unintentionally accessible from the Internet, we encourage you to download the free utility described in the next section, which looks for Pinkslipbot control server proxy infections and removes malicious port mappings. Even without the UPnP elements, Pinkslipbot is still a dangerous Trojan capable of causing a lot of damage. A few years ago it gained attention for locking Active Directory accounts while spreading over the network by brute-forcing network credentials. We recommend following the recommendations published in the McAfee Threat Advisory for W32/Pinkslipbot.
From a general cybersecurity perspective, we were surprised to see a banking Trojan use a complicated multistage proxy for HTTPS-based control server communication, especially one that uses UPnP to repurpose home user infections as control servers. Aside from a 2008 proof of concept created by security researchers and the W32/Conficker worm in 2009, information about malicious use of UPnP by malware is scarce. We expect this to change soon, because far more people use routers with built-in UPnP capabilities (enabled by default) than in 2008. Many Internet of Things devices work over UPnP and are being installed and used by more people every day. As they become more ubiquitous, cybercriminals will see opportunities to use UPnP maliciously. We recommend that users keep tabs on their local port-forwarding rules and disable UPnP on their home routers unless they need it.
Pinkslipbot Control Server Proxy Detection and Port-Forwarding Removal Tool
If your system has been infected with W32/Pinkslipbot (Qakbot/QBot), your machine may still be serving as a control server proxy for the malware. Even if all malicious components have been removed by your security product, your computer may be exposed to attacks if it remains accessible over the Internet. To help identify this exposure on your computer and network, we have developed a free port-forwarding detection and removal tool specific to this malware. This utility will also detect the Pinkslipbot control server proxy service if found and disable (though not remove) the service.
The tool can be downloaded here. By default, the tool operates in detect mode, in which no changes are made to your system or router configuration even if malicious elements are found.
Figure 7: The McAfee Pinkslipbot Control Server Proxy Detection and Port-Forwarding Removal Tool operating in its default “detect only” mode.
If the tool finds malicious port-forwarding rules and malicious services, you may pass the “/del” command line argument to the tool to disable the malicious service and remove the port-forwarding rule.
Figure 8: McAfee Pinkslipbot Control Server Proxy Detection and Port-Forwarding Removal Tool operating in “detect and disable” mode.
Indicators of compromise
- One or more of these files:
  - %APPDATA%\HardwareMonitor\hardwaremonitor.dll
  - %ALLUSERSPROFILE%\HardwareMonitor\hardwaremonitor.dll
  - %APPDATA%\HardwareMonitor\hardwaremonitor.ini
  - %ALLUSERSPROFILE%\HardwareMonitor\hardwaremonitor.ini
- A service created with the name “hwmon” and a binary path containing “rundll32.exe”.
- TCP port forwards enabled for one of these ports, using the description “NAT-PMP {port} tcp” and no expiration time:
  - 443, 465, 990, 993, 995, 1194, 2078, 2083, 2087, 2222, 3389, 6881, 6882, 6883, 8443, 32100, 32101, 32102, 32103, 50000, 50001, 50002, 50003, 50010, 61200, 61201, 61202
- Connections from and to these IP addresses:
  - 158.255.2.138
  - 185.162.8.190
  - 185.169.229.168
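The port-forwarding indicator above (and the “NAT-PMP {port} tcp” rules the proxy component leaves in place) can be checked against a router’s UPnP port-mapping table. The following is an added example, not code from the article or from McAfee’s tool: it parses GetGenericPortMappingEntry responses of the WANIPConnection:1 service and flags entries that match all three indicator conditions. The SOAP responses are constructed samples; the assumption that the description names the external port (which Pinkslipbot sets equal to the internal port) is ours.

```python
import re
import xml.etree.ElementTree as ET
# The 27 ports Pinkslipbot attempts to forward (the article's indicator list).
PINKSLIPBOT_PORTS = {443, 465, 990, 993, 995, 1194, 2078, 2083, 2087, 2222, 3389, 6881, 6882,
                     6883, 8443, 32100, 32101, 32102, 32103, 50000, 50001, 50002, 50003, 50010,
                     61200, 61201, 61202}
# Description the proxy component writes into each mapping: "NAT-PMP {port} tcp".
DESC_RE = re.compile(r"^NAT-PMP (\d+) tcp$")

def parse_port_mapping(soap_xml):
    """Fields of one GetGenericPortMappingEntry response (WANIPConnection:1)."""
    root = ET.fromstring(soap_xml)
    def text(tag):  # argument elements are unqualified, so a plain tag search suffices
        el = root.find(".//" + tag)
        return (el.text or "").strip() if el is not None else ""
    return {"ext_port": int(text("NewExternalPort")),
            "protocol": text("NewProtocol").upper(),
            "client": text("NewInternalClient"),
            "description": text("NewPortMappingDescription"),
            "lease": int(text("NewLeaseDuration") or 0)}  # 0 means the rule never expires

def is_pinkslipbot_mapping(mp):
    """Article's indicator: TCP forward on a listed port, description 'NAT-PMP <port> tcp'
    naming that port, and no expiration. Assumption: the description names the external port."""
    m = DESC_RE.match(mp["description"])
    return (mp["protocol"] == "TCP" and mp["ext_port"] in PINKSLIPBOT_PORTS
            and mp["lease"] == 0 and m is not None
            and int(m.group(1)) == mp["ext_port"])

def flag_mappings(soap_responses):
    """Return (external port, internal client) for every entry matching the indicator."""
    hits = []
    for xml in soap_responses:
        mp = parse_port_mapping(xml)
        if is_pinkslipbot_mapping(mp):
            hits.append((mp["ext_port"], mp["client"]))
    return hits

# Constructed sample responses, shaped like a router's replies for indexes 0, 1 and 2.
_TMPL = ("<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body>"
         "<u:GetGenericPortMappingEntryResponse xmlns:u='urn:schemas-upnp-org:service:WANIPConnection:1'>"
         "<NewExternalPort>{p}</NewExternalPort><NewProtocol>TCP</NewProtocol>"
         "<NewInternalPort>{p}</NewInternalPort><NewInternalClient>{c}</NewInternalClient>"
         "<NewPortMappingDescription>{d}</NewPortMappingDescription><NewLeaseDuration>{l}</NewLeaseDuration>"
         "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")
SAMPLE_RESPONSES = [
    _TMPL.format(p=443, c="192.168.1.23", d="NAT-PMP 443 tcp", l=0),        # matches the indicator
    _TMPL.format(p=6881, c="192.168.1.40", d="Torrent client", l=0),       # listed port, other description
    _TMPL.format(p=8443, c="192.168.1.23", d="NAT-PMP 8443 tcp", l=3600)]  # has an expiry: not flagged
```

On a live router the responses are obtained by calling GetGenericPortMappingEntry with increasing NewPortMappingIndex values until the device returns an error; only the matching entries should be removed, since the rules are otherwise too generic to delete safely.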
Sample hashes
- Proxy component droppers
  - 22cf76f92aad53db1304dec026b834ad77d2272c7f2eaaabf299e953b98d570e
  - c23fe9f3a3035edb6fa306c7545cfd05bb310d85983dda5914cd9650c13b41d3
- Proxy component DLL (internal name: supernode_con.dll)
  - 730e9864795ed8d6538064551ab95505dff3e92dd67888bee323cb341b2420c6
  - af25c5bed96e046ba1e25749ff51f0d8437a1ef66e469b4fd0348e372abc2f7f
  - 6d174dd4f29da814170e8f7c40ecd80794e1c27d8d94741a79bd1bd6eb75ea62