In 2007, IT security researchers at McAfee Labs discovered a malware called Pinkslipbot or Qakbot/QBot targeting banking users in the United States. Now, researchers have noticed that since 2016, a new variant of this malware (also known as Pinkslipbot) with its credential stealing and keylogging capabilities has been using millions of computers as its control servers even if its binaries were removed by the anti-virus security software of those devices.
The variant not only steals credentials but also downloads other Malware by opening a backdoor on an infected computer. The worrying part of it is that Pinkslipbot uses the infected device as HTTPS-based proxies to the actual control servers and steals over half-million records every day.
Pinkslipbot’s prime targets are unsuspecting users and large enterprises in the United States. The malware uses keyloggers, password stealers, and man-in-the-browser attacks to steal personal and financial data including emails, passwords, social security numbers (SSN), credit card numbers, digital certificates and online account credentials, etc.
The malware also controls a massive botnet of 500,000 infected machines, therefore, making it one of the most extensively used malware against the banking industry. Additionally, researchers found that Pinkslipbot uses universal plug and play (UPnP) networking protocols to remain stealthy while using IP addresses of infected devices linked to the malware server as HTTPS-based proxies to the actual control servers.
Sanchit Karve of McAfee Labs explains that:
“As UPnP assumes local applications and devices are trustworthy, it offers no security protections and is prone to abuse by any infected machine on the network. We have observed multiple Pinkslipbot control server proxies hosted on separate computers on the same home network as well as what appears to be a public Wi-Fi hotspot.”
As of now, it is unclear if an infected device can be turned into a proxy; however, researchers did mention three important factors determining the possible outcome. Those three factors are IP address located in North America, High-speed Internet connection, and Capability to open ports on an Internet gateway device using UPnP.
If a targeted machine has all three of the aforementioned components, Pinkslipbot looks for Internet gateway devices (IGD) and downloads a Trojan binary “tmp_{timestamp}.exe” to create a proxy component. When launched, the proxy component creates port-forwarding rules and that is when a targeted device can be used as a control server over HTTPS and move forward with further infections.
However as mentioned earlier thePinkslipbot malware remains active even if user’s antimalware software removes its binaries; their system can still be used for outside attacks. According to McAfee Labs:
“The port-forwarding rules created by Pinkslipbot are too generic to remove automatically without risking accidental network misconfigurations. And as most malware do not interfere with port-forwarding, antimalware solutions may not revert such changes. Unfortunately, this means that your computer may still be vulnerable to outside attacks even if your antimalware product has successfully removed all Pinkslipbot binaries from your system.
The good news is that McAfee Labs has released a free utility tool which detects Pinkslipbot control server proxy infections and removes malicious port mappings for the user. It is advised that users should refrain from downloading files from unknown emails, do not install third-party apps or software and change the default login and password of their Internet of Things (IoT) devices otherwise cyber criminals can use their devices as a botnet to carry out large-scale cyber attacks.