W32/Pinkslipbot
May 26, 2011
Summary
The W32/Pinkslipbot worm is capable of spreading over network shares, downloading files, and updating its
software. Additionally, it is capable of receiving backdoor commands from its IRC command and control
center. It attempts to steal user information and upload it to FTP sites.
Aliases:
Qakbot
Akbot
Qbot
Detailed information about the worm, its propagation, and its mitigation is given in the following sections:
Exploits
Many Pinkslipbot infections have been reported to be propagated by exploiting web-related vulnerabilities.
Known vulnerabilities used to propagate this threat include:
Mitigation
It is recommended that all computer systems be updated with the latest vendor patches, not limited to the
vulnerabilities mentioned above.
In addition, restricting scripting and browser plugins for document files and media players can further
mitigate the risk of malware bypassing certain browser security features.
Network Shares
Pinkslipbot is known to spread over open shares such as C$ and ADMIN$. If an open network share is found,
Pinkslipbot related files are copied over to the share and executed remotely.
Mitigation
o Enforce a strict password policy on all network shares and allow write permissions to only trusted
accounts that need it.
o Though this may not apply to all Pinkslipbot variants, it is recommended to turn off Autorun
functionality (http://support.microsoft.com/kb/967715).
Mitigation:
o Disable the Autorun feature on Windows. You can do this remotely using Windows Group Policies.
o Restrict the use of USB drives in mission-critical and server machines.
o Implement and test Access Protection Rules using VirusScan Enterprise to prevent writing of
AUTORUN.INF files.
Prevalence Information
The following graph captures the prevalence information seen in the field for W32/Pinkslipbot infections. This
data is captured from the McAfee Virus Map. The graph shows the daily distribution of unique IP addresses
reporting infections for this threat in May 2011:
A quick view of the distribution of these infections across countries shows that the W32/Pinkslipbot threat is
primarily dominant in the US:
A Google Maps view (North America) of reported Pinkslipbot infections in May 2011 is presented below:
W32/Pinkslipbot is known to evolve continuously. McAfee has seen many unique variants of this malware in
2011. The following graph captures the week-by-week distribution of unique variants seen to date in 2011:
Description
An executable is downloaded as a result of an initial infection. The EXE contains an encrypted DLL and a
configuration file, which are dropped and used for initialization and injection. The DLL file is loaded into the
EXE's process memory. It sets up hooks (see the Rootkit Behavior section) in multiple processes for data
gathering and information stealing. Pinkslipbot also injects its DLL code into processes such as:
o iexplore.exe
o outlook.exe
o firefox.exe
o opera.exe
o skype.exe
o msnmsgr.exe
o yahoomessenger.exe
o chrome.exe
o msmsgs.exe
The injected code then attempts to reach out to the Internet to gather other configuration files and updates.
In older variants, configuration information was available via a password protected ZIP archive with a static
password "Hello999W0rld777".
The EXE, DLL and other configuration files are typically stored under a randomly named subfolder within the
following folder:
o %AllUsersProfile%\Application Data\Microsoft\
The configuration file is encrypted. On decryption it contains C&C and FTP Server information. The following
is an example of such a decrypted configuration file:
cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
ftphost_1=216.227.214.95:cpanel@silfersystem.com:[Password]:
ftphost_2=72.29.86.119:cpanel@gemini.com.co:[Password]:
ftphost_3=66.219.30.219:cpanel@falahuddarain.com:[Password]:
ftphost_4=110.4.45.64:cpanel@karnadya.com.my:[Password]:
ftphost_5=74.220.215.107:cpanel@incitylocal.com:[Password]:
update_conf_ver=908
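As an added example (not part of the original advisory), a small parser for the decrypted configuration format shown above: it collects the C&C settings and the ftphost_N drop sites and derives a perimeter block list from them. The sample configuration is the page's own example with the passwords left redacted as "[Password]".

```python
import re
from typing import Dict, List, Tuple

# Decrypted configuration from the example above (passwords already redacted).
SAMPLE_CONFIG = """\
cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
ftphost_1=216.227.214.95:cpanel@silfersystem.com:[Password]:
ftphost_2=72.29.86.119:cpanel@gemini.com.co:[Password]:
update_conf_ver=908
"""

_FTPHOST_KEY = re.compile(r"^ftphost_(\d+)$")
FtpHost = Tuple[str, str, str]  # (host, user, password)


def parse_config(text: str) -> Dict[str, object]:
    """Parse key=value lines; ftphost_N entries are collected, in N order,
    under "ftp_hosts" as (host, user, password) tuples."""
    settings: Dict[str, object] = {}
    ftp: List[Tuple[int, FtpHost]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue                      # blank or malformed line
        key, value = line.split("=", 1)
        m = _FTPHOST_KEY.match(key)
        if not m:
            settings[key] = value
            continue
        # host:user:password: -- the trailing colon yields an empty 4th field
        fields = value.split(":")
        if len(fields) < 3:
            continue                      # malformed entry, ignore it
        ftp.append((int(m.group(1)), (fields[0], fields[1], fields[2])))
    settings["ftp_hosts"] = [entry for _, entry in sorted(ftp)]
    return settings


def block_list(cfg: Dict[str, object]) -> List[str]:
    """Hosts a perimeter firewall should block: the P2P node-list server
    plus every FTP drop host named in the configuration."""
    hosts: List[str] = []
    node = cfg.get("p2p_node_lst")
    if isinstance(node, str):
        hosts.append(re.sub(r"^https?://([^/]+).*$", r"\1", node))
    hosts.extend(h for h, _, _ in cfg["ftp_hosts"])
    return sorted(set(hosts))
```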
Once installed, a user-mode rootkit hides these files from GUI-based applications. A cmd.exe directory listing,
however, still shows the files:
o _qbotnti.exe
o q3.dll
o _qbotinj.exe
o q2l.exe
o q1.dll
o Start Menu\Programs\Startup\startup.bat
o si.txt
o File names containing "_irc"
o nbl_*.txt
o removeme.txt
o alias_qa.zip
o *_*.kcb
o alias__qbotnti.exe
o alias_si.txt
o alias__qbot.cb
o resume.doc
o sconnect.js
o alias_seclog.txt
o updates.cb
o updates_*new.cb
o _installed
o uninstall.tmp
o qbot.cb
o _qbot.cb
o [random].job
o Mpr.dll
The malware has key logging, password stealing and certificate stealing abilities, and attempts to collect
geographic, OS, IP, e-mail address, visited URL and other system information. Such information is sent
to compromised FTP hosts as shown below.
As seen above, the malware uploads the stolen information in files named seclog*.kcb and
ps_dump.Administrator_*.kcb, with the latter containing the stolen password information.
In addition, it can also monitor traffic to URLs that contain the following:
During our investigation of multiple variants of this threat, we observed the following variations in the HTTP
POST requests and URLs sent to the C&C server.
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=jpwel2451&it=2&b=6
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/we.js?u=usoqc8673&v=piuv8
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.zip&uninstall=ppozu1276
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=zzekr1617&it=2&b=197//u/updates.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_force_exec_success
o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_irc_nick_
o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=socks-1-1580-zevhd0018
o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018
o http://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=socks-0-1412-qpckb8049
o http://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-1-1412-qpckb8049
o http://swallowthewhistle.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-43-2716-fzrmj8460
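As an added example, not from the advisory, the following detection logic matches the jloader.pl and clientinfo3.pl request shapes listed above against proxy log lines and reports which clients appear infected. The log lines, hosts and client addresses in SAMPLE_LOG are constructed for this example; the query-string patterns are taken from the list above.

```python
import re
from typing import List, Optional, Tuple

# Request shapes from the C&C traffic listed above; the query string is captured whole.
JLOADER = re.compile(r"/cgi-bin/jl/jloader\.pl\?(?P<query>\S*)")
CLIENTINFO = re.compile(
    r"/cgi-bin/clientinfo3\.pl\?cookie=(?P<kind>socks|sysinfo)-\d+-\d+-(?P<bot>[a-z]+\d+)")

# Constructed proxy log lines, "timestamp client method url" (hosts and clients invented).
SAMPLE_LOG = """\
2011-05-20T10:01:02 10.0.0.12 GET http://www.example.com/index.html
2011-05-20T10:01:09 10.0.0.12 POST http://example.net/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
2011-05-20T10:02:15 10.0.0.12 GET http://example.net/cgi-bin/jl/jloader.pl?u=u/updates.cb
2011-05-20T10:03:44 10.0.0.12 GET http://example.org/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018
2011-05-20T10:05:00 10.0.0.31 GET http://example.org/cgi-bin/clientinfo3.pl?cookie=socks-1-1580-zevhd0018
2011-05-20T10:06:00 10.0.0.40 GET http://example.com/cgi-bin/jloader.pl?r=other
"""


def classify(url: str) -> Optional[str]:
    """Label what a Pinkslipbot C&C request is doing, or None for a benign URL."""
    m = JLOADER.search(url)
    if m:
        q = m.group("query")
        if "uninstall=" in q:
            return "uninstall"
        for prefix, label in (("u=u/updates", "config-update"), ("loadfile=", "loadfile"),
                              ("r=q/", "component-download")):
            if q.startswith(prefix):
                return label
        return "jloader-other"
    m = CLIENTINFO.search(url)
    return "beacon-" + m.group("kind") if m else None   # socks or sysinfo check-in


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, label, url) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                         # not in the expected shape
        label = classify(parts[3])
        if label:
            hits.append((parts[1], label, parts[3]))
    return hits


def infected_clients(text: str) -> List[str]:
    """Distinct client addresses that made at least one C&C request."""
    return sorted({ip for ip, _, _ in scan_log(text)})
```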
Some newer samples were observed to have valid stolen digital signatures.
Mitigation
o Where possible, configure the perimeter and/or desktop firewall to restrict connections to the
reported network ports, URLs and domain names.
o Users who are known to have been infected should change their passwords.
o Always ensure you have the latest DATs installed for the McAfee VirusScan product. The latest DAT at
the time this document was updated is DAT 6354.
o For customers with the McAfee Network Security Platform (NSP) product, we recommend enabling the
following attack signatures.
o To detect the vulnerabilities being exploited by W32/Pinkslipbot:
0x40231a00 - HTTP: Apple QuickTime RTSP URL Buffer Overflow
0x4021dd00 - HTTP: Microsoft Internet Explorer ADODB.Stream Object File Installation
o To detect W32/Pinkslipbot infected victims on the network:
0x48804e00 - BOT: Quakbot (PinkSlip) Traffic Detected
Rootkit Behavior
Some variants of this malware have also been known to install a rootkit component to hide its presence,
including its running process and registry entries. In such cases, the malware will be hidden from normal
process viewers and registry editors such as Task Manager and regedit.exe. The following are system APIs
that are hooked to accomplish this:
o ntdll.dll!NtQuerySystemInformation
o kernel32.dll!GetProcAddress
o kernel32.dll!FindFirstFileA
o kernel32.dll!FindNextFileA
o kernel32.dll!FindFirstFileW
o kernel32.dll!FindNextFileW
o user32.dll!CharToOemBuffA
o user32.dll!GetClipboardData
o advapi32.dll!RegEnumValueW
o advapi32.dll!RegEnumValueA
o ws2_32.dll!connect
o ws2_32.dll!send
o ws2_32.dll!WSASend
o ws2_32.dll!WSAConnect
o iphlpapi.dll!GetTcpTable
o iphlpapi.dll!AllocateAndGetTcpExTableFromStack
o wininet.dll!HttpSendRequestA
o wininet.dll!HttpSendRequestW
o wininet.dll!InternetReadFile
o wininet.dll!InternetReadFileA
o wininet.dll!InternetCloseHandle
o wininet.dll!InternetQueryDataAvailable
o wininet.dll!HttpOpenRequestA
o wininet.dll!HttpOpenRequestW
o dnsapi.dll!DnsQuery_A
o dnsapi.dll!DnsQuery_W
At the time of research, some executables that it avoids hooking are:
o msdev.exe
o dbgview.exe
o mirc.exe
o ollydbg.exe
o ctfmon.exe
Pinkslipbot prevents the user's DNS queries from resolving when connecting to sites whose names contain the following strings:
Restart Mechanism
Description
Pinkslipbot executables accept the following parameters:
As a restart mechanism, Pinkslipbot will attempt to modify an existing "Run" registry value to include its own
EXE and DLL. The original executable pointed to by the "Run" value is kept in the modified "Run" path and
launched with a "/c" switch.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = [Path to Original]
to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = <random>.exe <random>.dll /c [Path to Original]
or:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = <random>.exe /s <Pinkslipbot config file>
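An added example (not the advisory's own tooling) that checks Run values for the two rewritten shapes described above. The data in SAMPLE_RUN is constructed, with "kzqwa" standing in for the random name; on Windows, read_run_key() reads the live HKLM Run key through the standard winreg module, elsewhere the check runs over the constructed sample.

```python
import re
import sys
from typing import Dict, List, Optional
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# The two rewritten value shapes described above; the original program is kept
# behind the "/c" switch so it still starts and nothing looks broken to the user.
_INJECT_FORM = re.compile(r'^"?(.+?\.exe)"?\s+"?(.+?\.dll)"?\s+/c\s+(.+)$', re.I)
_CONFIG_FORM = re.compile(r'^"?(.+?\.exe)"?\s+/s\s+(.+)$', re.I)

# Constructed Run values (not from a real host); "kzqwa" stands in for the random name.
_DIR = r"C:\Documents and Settings\All Users\Application Data\Microsoft\kzqwa"
SAMPLE_RUN = {
    "SunJavaUpdateSched": r"C:\Program Files\Java\jre6\bin\jusched.exe",
    "ctfmon": rf"{_DIR}\kzqwa.exe {_DIR}\kzqwa.dll /c C:\WINDOWS\system32\ctfmon.exe",
    "Updater": rf"{_DIR}\kzqwa.exe /s {_DIR}\kzqwa.cb",
}

def check_run_value(name: str, data: str) -> Optional[Dict[str, str]]:
    """Return a finding if a Run value matches either Pinkslipbot form, else None."""
    m = _INJECT_FORM.match(data.strip())
    if m:
        return {"value": name, "form": "exe+dll /c", "loader": m.group(1),
                "dll": m.group(2), "original": m.group(3).strip()}
    m = _CONFIG_FORM.match(data.strip())
    if m:
        return {"value": name, "form": "exe /s config", "loader": m.group(1),
                "config": m.group(2).strip()}
    return None

def check_run_values(values: Dict[str, str]) -> List[Dict[str, str]]:
    """Run the check over a {value_name: value_data} mapping."""
    return [f for f in (check_run_value(n, d) for n, d in values.items()) if f]

def read_run_key() -> Dict[str, str]:
    """Read the live HKLM Run key on Windows; return {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, imported lazily
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                return values
            values[name] = str(data)
            i += 1

if __name__ == "__main__":
    for finding in check_run_values(read_run_key() or SAMPLE_RUN):
        print(finding)
```

The same two regular expressions can be applied to the HKEY_CURRENT_USER Run key or to an exported .reg file from a suspect host.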
Pinkslipbot uses a second restart mechanism. It saves a JavaScript (JS) file in the Windows System32 folder.
The name of this file is typically sconnect.js; newer variants use randomly named JS files.
A Windows Task Scheduler job is then created that launches this JS script. The job is scheduled to run
hourly. The JS file is also crafted to connect to malicious sites to download updates to the Pinkslipbot
components. The following is the task setup:
Mitigation
o Create and test a VirusScan Access Protection Rule (APR) to prevent cscript.exe and wscript.exe
processes from reading and executing files from the %UserProfile% folder, where feasible.
o Create and test a VirusScan Access Protection Rule (APR) for “updates_*new.cb”, “upd_*.cb” and
“updates*_new.cb”. These are usually used as Pinkslipbot configuration files. Blocking these files can
prevent the malware from updating.
When successful, the malware removes the NTFS permissions on security-related folders, so that even
administrators and system processes are denied access. Effectively, the Windows operating system will not
allow security products to run without the appropriate permissions:
o %AllUsersProfile%\Application Data\McAfee
o %ProgramFiles%\McAfee
Due to this change, files running from these locations will be denied permissions by the Windows
operating system. In some cases there have been reports of Pinkslipbot disabling permissions on
the %ProgramFiles% folder; in such cases many common user applications would be impacted.
Mitigation
Users should not be logged in with administrative privileges for daily use, except to perform specific
administrative tasks. This helps prevent the malware from altering folder and system permissions.
Remediation
o A custom Stinger tool is provided by McAfee Labs upon request to restore modified NTFS
permissions. You must run the Stinger tool with a user account that has Administrator privileges. It will
restore the original NTFS permissions so that McAfee programs can be loaded.