McAfee Labs Threat Advisory Pinkslipbot


  • 8/6/2019 McAfee Labs Threat Advisory Pinkslipbot

    1/10

    McAfee Labs Threat Advisory: W32/Pinkslipbot

    May 26, 2011

    Summary

    The W32/Pinkslipbot worm is capable of spreading over network shares, downloading files, and updating its software. Additionally, it is capable of receiving backdoor commands from its IRC command and control center. It attempts to steal user information and upload it to FTP sites.

    Aliases: Qakbot, Akbot, Qbot

    Detailed information about the worm, its propagation, and mitigation is in the following sections:

    o Infection and Propagation Vectors
    o Prevalence Information
    o Characteristics and Symptoms
    o Rootkit Behavior
    o Restart Mechanism
    o NTFS Folder Permission Alteration
    o Getting Help from the McAfee Foundstone Services team

    Infection and Propagation Vectors

    There are two infection and propagation vectors that Pinkslipbot primarily uses to spread itself. Below are the description and mitigation for each one.

    Exploits

    Many Pinkslipbot infections have been reported to propagate by exploiting web-related vulnerabilities. Known vulnerabilities used to propagate this threat include:

    o Vulnerability in the Microsoft Data Access Components (MDAC) Function
      o http://support.microsoft.com/kb/870669
      o http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
    o Apple QuickTime RTSP URL Handler Stack-based Buffer Overflow
      o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4673
      o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
    o Adobe getIcon Stack-based Buffer Overflow
      o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927
    o MsVidCtl Overflow in Microsoft Video ActiveX Control
      o http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0015
    o Adobe Reader and Acrobat CoolType.dll Font Parsing Buffer Overflow Vulnerability
      o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883

    Mitigation

    It is recommended that all computer systems are updated with the latest vendor patches, not limited to the vulnerabilities mentioned above.

    In addition, restricting scripting and browser plugins for document files and media players can further mitigate the risk of malware bypassing browser security controls.


    A Google map view (North America) of reported Pinkslipbot infections in May 2011 is presented below:

    W32/Pinkslipbot is known to evolve continuously. McAfee has seen many unique variants of this malware in 2011. The following graph captures the week-by-week distribution of unique variants seen to date in 2011:

    Characteristics and Symptoms

    Description

    An executable is downloaded as a result of an initial infection. The exe contains an encrypted DLL and configuration file which are dropped and utilized for initialization and injection. The DLL file is loaded into the exe's process memory. It sets up hooks (see the Rootkit Behavior section) in multiple processes for data gathering and information stealing purposes. Pinkslipbot also injects its DLL code into processes such as:


    o iexplore.exe
    o outlook.exe
    o firefox.exe
    o opera.exe
    o skype.exe
    o msnmsgr.exe
    o yahoomessenger.exe
    o chrome.exe
    o msmsgs.exe

    The injected code then attempts to reach out to the Internet to gather other configuration files and updates. In older variants, configuration information was available via a password-protected ZIP archive with the static password "Hello999W0rld777".

    The exe, DLL and other configuration files are typically stored under a randomly named sub folder within the following folder:

    o %AllUsersProfile%\Application Data\Microsoft\

    The configuration file is encrypted. On decryption it contains C&C and FTP server information. The following is an example of such a decrypted configuration file:

    cc_server_port=16768
    cc_server_pass=Ijadsnanunx56512
    p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
    ftphost_1=216.227.214.95:[email protected]:[Password]:
    ftphost_2=72.29.86.119:[email protected]:[Password]:
    ftphost_3=66.219.30.219:[email protected]:[Password]:
    ftphost_4=110.4.45.64:[email protected]:[Password]:
    ftphost_5=74.220.215.107:[email protected]:[Password]:
    update_conf_ver=908
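As an added example (not from the advisory), a parser for the decrypted key=value layout shown above that yields typed C&C fields and the hosts a defender would block at the perimeter; the sample config is constructed from the advisory's redacted values, and the part of each ftphost entry after the host is kept verbatim because the advisory redacts its credential layout.

```python
# Constructed sample in the layout of the decrypted file shown in the advisory
# (the FTP credential fields are redacted placeholders, as in the advisory).
SAMPLE_CONFIG = """\
cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
ftphost_1=216.227.214.95:[email protected]:[Password]:
ftphost_2=72.29.86.119:[email protected]:[Password]:
update_conf_ver=908
"""

def parse_bot_config(text: str) -> dict:
    """Parse key=value lines into typed C&C fields plus an index-ordered FTP host list."""
    cfg: dict = {"cc_server_port": None, "cc_server_pass": None,
                 "p2p_node_lst": None, "update_conf_ver": None, "ftphosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue                                   # blank or malformed line
        key, value = line.split("=", 1)
        if key in ("cc_server_port", "update_conf_ver"):
            cfg[key] = int(value)
        elif key in ("cc_server_pass", "p2p_node_lst"):
            cfg[key] = value
        elif key.startswith("ftphost_") and key[8:].isdigit():
            # host is everything before the first ':'; the remainder carries port and
            # credentials, whose exact layout the advisory redacts, so keep it verbatim
            host, _, rest = value.partition(":")
            cfg["ftphosts"].append({"index": int(key[8:]), "host": host, "rest": rest})
    cfg["ftphosts"].sort(key=lambda h: h["index"])
    return cfg

def egress_blocklist(cfg: dict) -> list:
    """Hosts to block at the perimeter: the p2p node-list server and the FTP drop hosts."""
    hosts = []
    node = cfg.get("p2p_node_lst") or ""
    if "://" in node:
        hosts.append(node.split("://", 1)[1].split("/", 1)[0])   # bare hostname of the URL
    hosts.extend(h["host"] for h in cfg["ftphosts"])
    return hosts
```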

    Once installed, a user mode rootkit hides these files from GUI-based applications. A cmd.exe listing, however, would allow one to list the files.

    Some of the filenames observed on an infected system include:

    o _qbotnti.exe
    o q3.dll
    o _qbotinj.exe
    o q2l.exe
    o q1.dll
    o Start Menu\Programs\Startup\startup.bat
    o si.txt
    o File names containing "_irc"
    o nbl_*.txt
    o removeme.txt
    o alias_qa.zip
    o *_*.kcb
    o alias__qbotnti.exe
    o alias_si.txt
    o alias__qbot.cb
    o resume.doc
    o sconnect.js
    o alias_seclog.txt
    o updates.cb
    o updates_*new.cb
    o _installed
    o uninstall.tmp
    o qbot.cb
    o _qbot.cb


    o [random].job
    o Mpr.dll

    The malware has key logging, password stealing and certificate stealing abilities, and attempts to collect geographic, OS, IP, e-mail address, visited URL, and other system information. Such information is sent to compromised FTP hosts as shown below.

    As seen above, the malware uploads the stolen information in files named seclog*.kcb and ps_dump.Administrator_*.kcb, with the latter containing the stolen password information.

    Network connections may be made on the following network ports:

    o 80
    o 21
    o 31666
    o 16666-16669

    Network connections are known to be made to the following domains:


    In addition, it can also monitor traffic to URLs that contain the following:


    During our investigation of multiple variants of this threat, we observed the following variations in the HTTP POST requests and URLs sent to the C&C server:

    o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
    o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=jpwel2451&it=2&b=6
    o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
    o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates.cb
    o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
    o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/we.js?u=usoqc8673&v=piuv8
    o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.zip&uninstall=ppozu1276
    o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=zzekr1617&it=2&b=197//u/updates.cb
    o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_force_exec_success
    o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_irc_nick_
    o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=socks-1-1580-zevhd0018
    o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018
    o http://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=socks-0-1412-qpckb8049
    o http://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-1-1412-qpckb8049
    o http://swallowthewhistle.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-43-2716-fzrmj8460

    Note: <domain-name> varies with the active C&C server.
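As an added example (not part of the advisory), proxy-log detection logic for the two request shapes above: jloader.pl resource, update and uninstall fetches, and clientinfo3.pl beacons whose cookie encodes a bot id. The sample log lines are constructed, and example.invalid stands in for the varying C&C host.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths from the advisory; the host (<domain-name>) varies per C&C server, so match on path/query only.
JLOADER_PATH = "/cgi-bin/jl/jloader.pl"
CLIENTINFO_PATH = "/cgi-bin/clientinfo3.pl"
# clientinfo3.pl cookie shape from the advisory: <socks|sysinfo>-<n>-<n>-<botid>
COOKIE_RE = re.compile(r"^(socks|sysinfo)-(\d+)-(\d+)-([a-z]+\d+)$")

def classify_request(url: str):
    """Return (verdict, details); verdict is None when the URL is not a known C&C shape."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    def first(k): return qs.get(k, [""])[0]          # first value of a query key, "" if absent
    if parts.path == JLOADER_PATH:
        if "uninstall" in qs:
            return "jloader-uninstall", {"bot": first("uninstall")}
        if "r" in qs:       # resource fetch: q/qa.bin, q/qa.zip, q/we.js (n = bot id)
            return "jloader-fetch", {"file": first("r").split("?")[0], "bot": first("n")}
        if "u" in qs or "loadfile" in qs:   # update / loadfile fetch
            return "jloader-update", {"file": first("u") or first("loadfile")}
        return "jloader-other", {}
    if parts.path == CLIENTINFO_PATH:
        m = COOKIE_RE.match(first("cookie"))
        return ("clientinfo-beacon", {"kind": m.group(1), "bot": m.group(4)}) if m else ("clientinfo-other", {})
    return None, {}

# Constructed proxy log ("<timestamp> <client> <method> <url>"); example.invalid is a placeholder host.
SAMPLE_LOG = """\
2011-05-26T10:00:01Z 10.0.0.5 GET http://example.invalid/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
2011-05-26T10:00:02Z 10.0.0.5 GET http://example.invalid/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018
2011-05-26T10:00:03Z 10.0.0.7 GET http://example.invalid/index.html
2011-05-26T10:15:00Z 10.0.0.5 GET http://example.invalid/cgi-bin/jl/jloader.pl?u=u/updates.cb
"""

def scan_proxy_log(text: str):
    """One hit per matching request, keyed by client so bot ids map to hosts needing cleanup."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, client, _method, url = fields
        verdict, details = classify_request(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "verdict": verdict, **details})
    return hits
```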

    Pinkslipbot attempts to steal the following information from infected hosts:

    o POP3, IMAP, NNTP, Email, SMTP passwords
    o Keystrokes
    o Digital certificates
    o HTTP session information

    Some newer samples were observed to have valid stolen digital signatures.

    Mitigation

    o Where possible, configure the perimeter and/or desktop firewall to restrict connections to the reported network ports, URLs and domain names.

    o Users who have been known to be infected should change their passwords.
    o Always ensure you have the latest DATs installed for the McAfee VirusScan product. The latest DAT at the time this document was updated is DAT 6354.
    o For customers with the McAfee Network Security Platform (NSP) product, we recommend enabling the


    following attacks:

      o To detect the vulnerabilities being exploited by W32/Pinkslipbot:
        0x40231a00 - HTTP: Apple QuickTime RTSP URL Buffer Overflow
        0x4021dd00 - HTTP: Microsoft Internet Explorer ADODB.Stream Object File Installation
      o To detect W32/Pinkslipbot infected victims on the network:
        0x48804e00 - BOT: Quakbot (PinkSlip) Traffic Detected

    Rootkit Behavior

    Some variants of this malware have also been known to install a rootkit component to hide its presence, including its running process and registry entries. In such cases, the malware will be hidden from normal process viewers and registry editors such as Task Manager and regedit.exe. The following are system APIs that are hooked to accomplish this:

    o ntdll.dll!NtQuerySystemInformation
    o kernel32.dll!GetProcAddress
    o kernel32.dll!FindFirstFileA
    o kernel32.dll!FindNextFileA
    o kernel32.dll!FindFirstFileW
    o kernel32.dll!FindNextFileW
    o user32.dll!CharToOemBuffA
    o user32.dll!GetClipboardData
    o advapi32.dll!RegEnumValueW
    o advapi32.dll!RegEnumValueA
    o ws2_32.dll!connect
    o ws2_32.dll!send
    o ws2_32.dll!WSASend
    o ws2_32.dll!WSAConnect
    o iphlpapi.dll!GetTcpTable
    o iphlpapi.dll!AllocateAndGetTcpExTableFromStack
    o wininet.dll!HttpSendRequestA
    o wininet.dll!HttpSendRequestW
    o wininet.dll!InternetReadFile
    o wininet.dll!InternetReadFileA
    o wininet.dll!InternetCloseHandle
    o wininet.dll!InternetQueryDataAvailable
    o wininet.dll!HttpOpenRequestA
    o wininet.dll!HttpOpenRequestW
    o dnsapi.dll!DnsQuery_A
    o dnsapi.dll!DnsQuery_W

    At the time of research, some existing executables that it refrains from hooking are:

    o msdev.exe
    o dbgview.exe
    o mirc.exe
    o ollydbg.exe
    o ctfmon.exe

    Pinkslipbot prevents user DNS queries from resolving when connecting to sites whose names contain the following strings:

    webroot, agnitum, ahnlab, arcabit, avast, avg, avira, avp, bitdefender,
    defender, drweb, emsisoft, esafe, eset, etrust, ewido, fortinet, f-prot,
    Kaspersky, malware, mcafee, microsoft, networkassociates, nod32, norman, Norton, Panda,
    spyware, sunbelt, Symantec, Threatexpert, Trendmicro, virus, wilderssecurity, windowsupd,


    bit9, castlecops, centralcommand, clamav, comodo, computerassociates, cpsecure,
    f-secure, gdata, grisoft, hacksoft, hauri, ikarus, otti,
    k7computing,
    Pctools, Prevx, quickheal, rising, rootkit, securecomputing, sophos, spamhaus

    Restart Mechanism

    Description

    Pinkslipbot executables accept the following parameters:

      /i  Drops a DLL and a configuration file
      /s  If passed with the configuration file, runs Pinkslipbot in service mode
      /t  Terminates
      /c  If passed with an executable name, runs that executable

    As a restart mechanism, Pinkslipbot will attempt to modify an existing Run registry key to include its own EXE and DLL. The original executable pointed to by the Run key will be included in its Run path and launched with a "/c" switch.

    As an example, it will modify an existing Run key such as:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      [Original] = [Path to Original]

    to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      [Original] = .exe .dll /c [Path to Original]

    In newer variants, the Run key may be modified to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      [Original] = .exe /s

    Pinkslipbot uses a second restart mechanism. It saves a JavaScript (JS) file in the Windows System32 folder. The name of this file is typically sconnect.js. Newer variants use randomly named JS files.

    A Windows Task Scheduler job is then created which launches this JS script. This job is scheduled to run hourly. The JS file is also crafted to connect to malicious sites to download an update to the Pinkslipbot components. The following is the task setup:

    o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr "%windir%\system32\cscript.exe //E:javascript [JavaScript File]" /sc HOURLY /mo 4 /ru
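As an added example (not from the advisory), detection logic for both restart mechanisms: it classifies Run values captured with `reg query` against the two hijack shapes shown above (recovering the original command line the value should be restored to) and flags an hourly task whose action runs a .js file through cscript //E:javascript. The `reg query` sample and its paths are constructed.

```python
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # one Run value -> tokens, quoted paths kept whole
# Drop folder named in the advisory; raises confidence, since "<x>.exe /s" alone also fits silent installers.
DROP_DIR_HINT = "application data\\microsoft\\"
# One value line of `reg query <Run key>` output: "    <name>    REG_SZ    <data>"
REG_LINE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# Task action created by the schtasks command above: cscript //E:javascript <file>.js
TASK_JS_RE = re.compile(r'cscript(?:\.exe)?\s+//E:javascript\s+"?(?P<js>[^"]+?\.js)"?', re.IGNORECASE)

def inspect_run_value(data: str):
    """Return (verdict, restore_to): the original command hidden behind the '/c' shape, else []."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(data)]
    low = [t.lower() for t in toks]
    if len(toks) >= 4 and low[0].endswith(".exe") and low[1].endswith(".dll") and low[2] == "/c":
        return "hijacked-run-chain", toks[3:]
    if len(toks) == 2 and low[0].endswith(".exe") and low[1] == "/s":
        return "hijacked-run-service", []
    return None, []

def scan_reg_query_output(text: str):
    """Apply inspect_run_value to every value in captured `reg query` output."""
    hits = []
    for line in text.splitlines():
        m = REG_LINE_RE.match(line)
        if not m:
            continue
        verdict, restore_to = inspect_run_value(m.group("data"))
        if verdict:
            in_drop_dir = DROP_DIR_HINT in m.group("data").lower()
            hits.append({"name": m.group("name"), "verdict": verdict, "restore_to": restore_to,
                         "confidence": "high" if in_drop_dir else "medium"})
    return hits

def inspect_task_command(command: str, schedule: str):
    """Flag an hourly task whose action runs a .js file through cscript //E:javascript."""
    m = TASK_JS_RE.search(command)
    if m and schedule.strip().upper() == "HOURLY":
        return "js-updater-task", m.group("js")
    return None, None

# Constructed `reg query` output: VendorTray and Updater show the two hijack shapes,
# CTFMON.EXE is a normal value. Paths are illustrative, not from a real system.
SAMPLE_REG_OUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    VendorTray    REG_SZ    "C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\kqfb\\q2l.exe" "C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\kqfb\\q1.dll" /c "C:\\Program Files\\Vendor\\tray.exe"
    Updater    REG_SZ    "C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\kqfb\\_qbotinj.exe" /s
    CTFMON.EXE    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
"""
```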

    Mitigation

    o Create and test a VirusScan Access Protection Rule (APR) to prevent cscript.exe and wscript.exe processes from reading and executing files from the %UserProfile% folder, where feasible.

    o Create and test a VirusScan Access Protection Rule (APR) for updates_*new.cb, upd_*.cb and updates*_new.cb. These are usually used as Pinkslipbot configuration files. Blocking these files can prevent the malware from updating.

    NTFS Folder Permission Alteration

    Around December 2010, new variants of Pinkslipbot were observed modifying NTFS permissions on the folders where security products are installed. This modification is only possible when the infection occurs while the user is logged in with Administrator privileges.

    When successful, NTFS permissions on security-related folders are removed, such that access is denied even to administrators and system processes. Effectively, security products will not be allowed by the Windows


    Operating System to run without the appropriate permissions.

    For example, the following McAfee folders are targeted:

    o %AllUsersProfile%\Application Data\McAfee
    o %ProgramFiles%\McAfee

    Due to this change, files running from these locations will have permissions denied by the Windows Operating System. In some cases there have been reports that Pinkslipbot has been removing permissions from the %ProgramFiles% folder. In such cases many common user applications would be impacted.

    Mitigation

    Users should not be logged in with administrative privileges for daily use, except to perform specific administrator tasks. This helps prevent the malware from altering folder and system permissions.

    Remediation

    o A custom Stinger tool is provided by McAfee Labs upon request to restore modified NTFS permissions. You must run the Stinger tool with a user account with Administrator privileges. It will restore the original NTFS permissions to allow McAfee programs to be loaded.

    o As an alternative, manual instructions to restore the folder permissions are as follows:
      1. Open Windows Explorer as Administrator and right-click the icon for the affected folder(s).
      2. Click Properties to access the folder properties.
      3. Under the Security tab, click Advanced, then Owner.
      4. Choose the Administrator as Owner (or some user with Administrator privilege).
      5. Click OK when prompted to apply changes.
      6. Return to the Security tab under Properties again.
      7. Click Advanced, and select "Inherit from parent the permission entries that apply to child objects".
      8. Click OK when prompted to apply changes.

    o Reboot the infected machine to restart all critical services.

    Getting Help from the McAfee Foundstone Services team

    This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities.

    You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

    2011 McAfee, Inc. All rights reserved.