Threat Advisory: W32/Pinkslipbot - Knowledge Center

McAfee Labs Threat Advisory
W32/Pinkslipbot
May 8, 2017
Summary
The W32/Pinkslipbot worm can spread over network shares, downloading files and updating its software.
Additionally, it can receive a backdoor command from its IRC command and control center. It attempts to
steal user information and upload it to FTP sites.
Aliases:
o Qakbot
o Akbot
o Qbot
Detailed information about the worm, its propagation, and mitigation are in the following sections:
o Infection and Propagation Vectors
o Characteristics and Symptoms
o Rootkit Behavior
o Restart Mechanism
o NTFS Folder Permission Alteration
o Getting Help from the McAfee Foundstone Services team
Infection and Propagation Vectors
There are two infection and propagation vectors that Pinkslipbot primarily uses to spread itself. Below is the
description and mitigation for each one.
Exploits
Many Pinkslipbot infections have been reported to propagate by exploiting web-related vulnerabilities.
Known vulnerabilities used to propagate this threat include:
o Vulnerability in the Microsoft Data Access Components (MDAC) Function:
   o http://support.microsoft.com/kb/870669
   o http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
o Apple QuickTime RTSP URL Handler Stack-based Buffer Overflow:
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4673
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
o Adobe getIcon Stack-based buffer overflow:
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927
o MsVidCtl Overflow in Microsoft Video ActiveX Control:
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0015
o Adobe Reader and Acrobat CoolType.dll Font Parsing Buffer Overflow Vulnerability:
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883
o Adobe Flash opaqueBackground Use After Free:
   o https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122
Mitigation
McAfee recommends that all computer systems are updated with the latest vendor patches, not limited to
the vulnerabilities mentioned above.
In addition, restricting scripting and browser plugins for document files and media players can further
mitigate the risk of malware bypassing certain browser security.
Network Shares
Pinkslipbot is known to spread over open shares such as C$ and ADMIN$. If an open network share is
found, Pinkslipbot related files are copied over to the share and executed remotely. Recent versions of
Pinkslipbot attempt to log in to protected network shares for all available users using a dictionary-attack
consisting of the passwords present in Appendix A, and infect machines through a remote service.
Mitigation
o Enforce a strict password policy on all network shares and allow write permissions to only trusted
  accounts that need it. Ensure passwords from the dictionary above are not used by users.
o Though this may not apply to all Pinkslipbot variants, McAfee recommends that you turn off Autorun
  functionality (http://support.microsoft.com/kb/967715).
USB and Removable Drives
Pinkslipbot can also spread over removable drives. Once a machine is infected, the malware monitors for an
attached drive. If one is found, it creates a copy of itself with the same name as any directory on the drive.
Mitigation:
o Disable the Autorun feature on Windows. You can do this remotely using Windows Group Policies.
o Restrict the use of USB drives in mission-critical and server machines.
o Implement and test Access Protection Rules using VirusScan Enterprise to prevent writing of
  AUTORUN.INF files.
o Where possible, configure the perimeter and/or desktop firewall to restrict connections to the
  reported network ports, URLs, and domain names.
o Users who have been known to be infected should change their passwords.
o Always ensure you have the latest DATs installed for McAfee VirusScan product.
o For customers with McAfee Network Security Platform (NSP), we recommend that you enable the
  following attacks:
   o To detect the vulnerabilities being exploited by W32/Pinkslipbot:
      0x40231a00 - HTTP: Apple QuickTime RTSP URL Buffer Overflow
      0x4021dd00 - HTTP: Microsoft Internet Explorer ADODB.Stream Object File Installation
   o To detect W32/Pinkslipbot infected victims on the network:
      0x48804e00 - BOT: Quakbot (PinkSlip) Traffic Detected
Characteristics and Symptoms
Description
An executable (.exe) is downloaded as the result of an initial infection. The .exe contains an encrypted DLL
and configuration file, which are dropped and utilized for initialization and injection. The DLL file is loaded
into the .exe’s process memory. It sets up hooks (see the Rootkit Behavior section) in multiple processes for
data gathering and information stealing purposes. Pinkslipbot also injects its DLL code into some processes
such as:
o iexplore.exe
o outlook.exe
o firefox.exe
o opera.exe
o skype.exe
o msnmsgr.exe
o yahoomessenger.exe
o chrome.exe
o msmsgs.exe
The injected code then attempts to reach out to the Internet to gather other configuration files and updates.
In older variants, configuration information was available via a password-protected ZIP archive with a static
password "Hello999W0rld777".
The .exe, DLL, and other configuration files are typically stored under a randomly named sub-folder within
the following folder:
o %AllUsersProfile%\Application Data\Microsoft\
The configuration file is encrypted. After decryption, it contains C&C and FTP Server information. The
following is an example of such a decrypted configuration file:
cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
ftphost_1=216.227.214.95:[email protected]:[Password]:
ftphost_2=72.29.86.119:[email protected]:[Password]:
ftphost_3=66.219.30.219:[email protected]:[Password]:
ftphost_4=110.4.45.64:[email protected]:[Password]:
ftphost_5=74.220.215.107:[email protected]:[Password]:
update_conf_ver=908
ftphost_[number]=162.144.12.241: [email protected]: [Password]:
When installed, a user-mode rootkit hides these files from GUI-based applications. However, a directory
listing from cmd.exe still shows the files.
Some of the filenames observed on an infected system include:
o _qbotnti.exe
o q3.dll
o _qbotinj.exe
o q2l.exe
o q1.dll
o Start Menu\Programs\Startup\startup.bat
o si.txt
o File names containing "_irc"
o nbl_*.txt
o removeme.txt
o alias_qa.zip
o *_*.kcb
o alias__qbotnti.exe
o alias_si.txt
o alias__qbot.cb
o resume.doc
o sconnect.js
o alias_seclog.txt
o updates.cb
o updates_*new.cb
o _installed
o uninstall.tmp
o qbot.cb
o _qbot.cb
o [random].job
o Mpr.dll
o pagefile.sys.bak.txt
o [random].dll
The malware has keylogging, password-stealing, and certificate-stealing abilities, and attempts to collect
geographic, OS, and IP information, email addresses, URLs visited, and other system information. Such
information is sent to compromised FTP hosts as shown below.
As seen above, the malware uploads the stolen information in the file names seclog*.kcb and
ps_dump.Administrator_*.kcb, with the latter one containing the stolen password information.
Network connections may be made on the following network ports:
o 80
o 21
o 443
o 2222
o 995
o 2078
o 31666
o 16666-16669
Network connections are known to be made to the following domains:
In addition, it can also monitor traffic to URLs that contain the following:
During our investigation of multiple variants of this threat, we observed the following variations in the HTTP
POST request and URLs sent to the C&C server:
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=jpwel2451&it=2&b=6
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/we.js?u=usoqc8673&v=piuv8
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.zip&uninstall=ppozu1276
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=zzekr1617&it=2&b=197//u/updates.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_force_exec_success
o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_irc_nick_
o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=socks-1-1580-zevhd0018
o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018
o hxxp://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=socks-0-1412-qpckb8049
o hxxp://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-1-1412-qpckb8049
o hxxp://swallowthewhistle.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-43-2716-fzrmj8460
Note: <domain-name> will vary based on the active C&C server.
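The URL variations listed above share two request shapes (jloader.pl with r=, u= or loadfile=, and clientinfo3.pl with a cookie= value), so proxy logs can be searched for them regardless of the C&C domain. The following Python sketch is an added example, not McAfee code; the log layout (timestamp, client IP, method, URL), the example.test hosts and the assumption that bot identifiers are always five letters plus four digits are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Bot identifiers in the advisory's samples are five lowercase letters plus
# four digits (bthes7664, zevhd0018). Treating that as the general shape is
# an assumption drawn from those samples only.
BOT_ID = r"(?<![a-z])[a-z]{5}\d{4}(?!\d)"
BOT_ID_RE = re.compile(BOT_ID)
COOKIE_RE = re.compile(rf"^(socks|sysinfo)-\d+-\d+-({BOT_ID})$")
JLOADER_KEYS = (("r", "resource"), ("u", "update"), ("loadfile", "status"))

# Constructed proxy log: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2017-05-08T10:01:02Z 10.0.0.21 GET http://cnc.example.test/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
2017-05-08T10:01:09Z 10.0.0.21 POST http://cnc.example.test/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018
2017-05-08T10:02:30Z 10.0.0.35 GET http://intranet.example.test/cgi-bin/status.pl?cookie=session-1
2017-05-08T10:03:11Z 10.0.0.47 GET http://cnc.example.test/cgi-bin/jl/jloader.pl?u=u/updates.cb
"""


def classify_url(url):
    """Return a dict describing a Pinkslipbot-style C&C request, or None."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)  # refang
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith("/cgi-bin/jl/jloader.pl"):
        for key, kind in JLOADER_KEYS:
            if key in query:
                ids = BOT_ID_RE.findall(parts.query)
                return {"host": parts.hostname, "kind": "jloader-" + kind,
                        "target": query[key][0],
                        "bot_id": ids[0] if ids else None}
    elif path.endswith("/cgi-bin/clientinfo3.pl"):
        m = COOKIE_RE.match(query.get("cookie", [""])[0])
        if m:
            return {"host": parts.hostname, "kind": "clientinfo-" + m.group(1),
                    "target": None, "bot_id": m.group(2)}
    return None


def scan_proxy_log(text):
    """Map each client IP to the C&C request kinds seen for it."""
    hits = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        finding = classify_url(fields[3])
        if finding:
            hits.setdefault(fields[1], []).append(finding["kind"])
    return hits


if __name__ == "__main__":
    for client, kinds in scan_proxy_log(SAMPLE_LOG).items():
        print(client, ", ".join(kinds))
```

Matching on the path and parameter shape rather than on the host keeps the check useful when the active C&C domain changes.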
Pinkslipbot attempts to steal the following information from infected hosts:
o POP3, IMAP, NNTP, Email, SMTP Passwords
o Keystrokes
o Digital Certificates
o HTTP Session information
Some newer samples were observed to have valid stolen digital signatures.
A new variant of this bot tries to enumerate the following key to check AV products:
• HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
Rootkit Behavior
Some variants of this malware have also been known to install a rootkit component to hide its presence,
including its running process and registry entries. In such cases, the malware will be hidden from normal
process viewers and registry editors such as Task Manager and regedit.exe. The following are system APIs
that are hooked to accomplish this:
o ntdll.dll!NtQuerySystemInformation
o ntdll.dll!LdrLoadDll
o ntdll.dll!NtResumeThread
o ntdll.dll!ZwResumeThread
o kernel32.dll!GetProcAddress
o kernel32.dll!FindFirstFileA
o kernel32.dll!FindNextFileA
o kernel32.dll!FindFirstFileW
o kernel32.dll!FindNextFileW
o user32.dll!CharToOemBuffA
o user32.dll!GetClipboardData
o user32.dll!TranslateMessage
o advapi32.dll!RegEnumValueW
o advapi32.dll!RegEnumValueA
o ws2_32.dll!connect
o ws2_32.dll!send
o ws2_32.dll!WSASend
o ws2_32.dll!WSAConnect
o iphlpapi.dll!GetTcpTable
o iphlpapi.dll!AllocateAndGetTcpExTableFromStack
o wininet.dll!HttpSendRequestA
o wininet.dll!HttpSendRequestW
o wininet.dll!InternetReadFile
o wininet.dll!InternetReadFileA
o wininet.dll!InternetCloseHandle
o wininet.dll!InternetQueryDataAvailable
o wininet.dll!HttpOpenRequestA
o wininet.dll!HttpOpenRequestW
o wininet.dll!HttpSendRequestExW
o wininet.dll!InternetReadFileExA
o wininet.dll!InternetWriteFile
o dnsapi.dll!DnsQuery_A
o dnsapi.dll!DnsQuery_W
o dnsapi.dll!Query_Main
At the time of research, some existing executables that it prevents hooking are:
o msdev.exe
o dbgview.exe
o mirc.exe
o ollydbg.exe
o ctfmon.exe
Pinkslipbot prevents user DNS queries from resolving when connecting to sites containing the following strings:
webroot
agnitum
ahnlab
arcabit
avast
avg
avira
defender
drweb
emsisoft
esafe
eset
etrust
ewido
Kaspersky
malware
mcafee
microsoft
networkassociates
nod32
norman
spyware
sunbelt
Symantec
Threatexpert
Trendmicro
virus
wilderssecurity
avp
bitdefender
bit9
castlecops
centralcommand
clam
av
comodo
computerassociates
cpsecure
fortinet
f-prot
f-secure
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
Norton
Panda
Pctools
Prevx
quickheal
rising
rootkit
securecomputing
sophos
spamhaus
windowsupd
clearclouddns
Restart Mechanism
Description
Pinkslipbot executables accept the following parameters:
/i – Drops a DLL and a configuration file
/s – if passed with the configuration file, runs Pinkslipbot in service mode
/t – terminate
/c – if passed with an executable name, it would run the executable.
/v – opens and listens to a port number specified in the parameter.
As a restart mechanism, Pinkslipbot will attempt to modify an existing “Run” registry key to include its own
.exe and DLL. The original executable pointed to by the “Run” key will be included in its “Run” Path and
launched with a "/c" switch.
As an example, it will modify an existing Run key such as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = [Path to Original]
to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = <random>.exe <random>.dll /c [Path to Original]
In newer variants, the Run key may be modified to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Original] = <random>.exe /s <Pinkslipbot config file>
In newer variants, a Windows Task Scheduler job is created to launch the malware:
o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr [Path to Original] /sc HOURLY /mo 7 /F
It also adds an entry in the HKCU run registry key to automatically execute itself at startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random name] = [Path to Malware]
It adds itself as a service for automatic execution:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<random name>
Type          dword:00000010
Start         dword:00000002
ErrorControl  dword:00000000
ImagePath     <Malware Path and filename> /D
DisplayName   "Remote Procedure Call (RPC) Service"
Link files have also been placed in user directories as a restart mechanism. A ‘.lnk’ file pointing to the
executable is placed in a separate user’s directory. This user is one other than the user who initially
executed the malware, such as below:
%UserDir%\[Another User]\Start Menu\Programs\Startup\vjoufy.lnk
Pinkslipbot uses a second restart mechanism. It saves a JavaScript (JS) file in the Windows System32
folder. The name of this file is typically sconnect.js. Newer variants have random named JS files.
A Windows Task Scheduler job is then created which launches this JS script. This job is scheduled to run
hourly. The JS file is also crafted to connect to malicious sites to download an update to the Pinkslipbot
components. The following is the task setup:
o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr "%windir%\system32\cscript.exe //E:javascript [JavaScript File]" /sc HOURLY /mo 4 /ru
In newer variants, JavaScript is kept at %LOCALAPPDATA%\Microsoft\<random>.wpl. This script checks for
new versions of malware from the following URLs:
The following is the new task setup:
o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr "%windir%\system32\cscript.exe //E:javascript [JavaScript File]" /sc HOURLY /mo 15 /F
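The restart mechanisms described in this section leave recognizable shapes in Run values, scheduled-task actions and service entries, which can be checked in an exported autostart inventory. The following Python sketch is an added example, not McAfee code; the snapshot structure, the entry names and every path in it are constructed, and a match is a triage lead rather than a verdict (legitimate software may also use a /s switch).

```python
import re


def _path(ext):
    # A path token ending in .<ext>, either quoted (may contain spaces) or bare.
    return rf'(?:"[^"]+\.{ext}"|\S+\.{ext})'


# Layouts taken from the advisory's Run-key, task and service examples.
RUN_WRAPPED = re.compile(
    rf'^{_path("exe")}\s+{_path("dll")}\s+/c\s+(?P<orig>.+)$', re.I)
RUN_SERVICE_MODE = re.compile(rf'^{_path("exe")}\s+/s\s+\S', re.I)
TASK_JS = re.compile(
    r'cscript\.exe"?\s+//E:javascript\s+(?P<script>.+?)"?\s*$', re.I)
RPC_LOOKALIKE = "Remote Procedure Call (RPC) Service"

# Constructed snapshot: names, paths and random-looking file names are
# illustrative and would normally come from registry and task exports.
SNAPSHOT = {
    "run": {
        "SunJavaUpdateSched": r'C:\ProgramData\Microsoft\qvwk\qvwk.exe '
                              r'C:\ProgramData\Microsoft\qvwk\qvwk.dll /c '
                              r'"C:\Program Files\Java\jre\bin\jusched.exe"',
        "AdobeARM": r'"C:\Program Files\Adobe\ARM\AdobeARM.exe"',
        "igfxtray": r'C:\ProgramData\Microsoft\hdtr\hdtr.exe /s '
                    r'C:\ProgramData\Microsoft\hdtr\hdtr.cfg',
    },
    "tasks": {
        "GoogleUpdateCore": r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /c',
        "{A1B2}": r'%windir%\system32\cscript.exe //E:javascript '
                  r'C:\Users\alice\AppData\Local\Microsoft\kqzt.wpl',
    },
    "services": {
        "xkcdsvc": {"DisplayName": RPC_LOOKALIKE,
                    "ImagePath": r'C:\ProgramData\Microsoft\hdtr\hdtr.exe /D'},
        "RpcSs": {"DisplayName": "Remote Procedure Call (RPC)",
                  "ImagePath": r'%SystemRoot%\system32\svchost.exe -k rpcss'},
    },
}


def audit(snapshot):
    """Return (location, entry name, reason) for each suspicious autostart."""
    findings = []
    for name, data in snapshot.get("run", {}).items():
        m = RUN_WRAPPED.match(data.strip())
        if m:  # original program demoted to an argument after /c
            findings.append(("run", name,
                             "wrapped original: " + m.group("orig").strip('"')))
        elif RUN_SERVICE_MODE.match(data.strip()):
            findings.append(("run", name, "exe launched with /s and a file"))
    for name, action in snapshot.get("tasks", {}).items():
        m = TASK_JS.search(action)
        if m:  # hourly cscript job running a JavaScript file
            findings.append(("task", name,
                             "cscript JavaScript job: " + m.group("script")))
    for name, svc in snapshot.get("services", {}).items():
        image = svc.get("ImagePath", "").rstrip().upper()
        if svc.get("DisplayName") == RPC_LOOKALIKE and image.endswith(" /D"):
            findings.append(("service", name, "RPC-style display name with /D"))
    return findings


if __name__ == "__main__":
    for finding in audit(SNAPSHOT):
        print(*finding, sep=" | ")
```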
Mitigation
o Create and test a VirusScan Access Protection Rule (APR) to prevent cscript.exe and wscript.exe
  processes from reading and executing files from the %UserProfile% folder, where feasible.
o Create and test a VirusScan Access Protection Rule (APR) for “updates_*new.cb”, “upd_*.cb” and
  “updates*_new.cb”. These are usually used as Pinkslipbot configuration files. Blocking these files
  can prevent the malware from updating.
o Create and test a VirusScan Access Protection Rule (APR) to prevent cscript.exe and wscript.exe
  processes from reading and executing files from the %LOCALAPPDATA%\Microsoft\ folder, for
  “*.wpl”. These are usually JavaScript files. Blocking these files can prevent the malware from
  downloading a new version.
NTFS Folder Permission Alteration
Some variants of Pinkslipbot were observed modifying NTFS permissions for folders where security
products are installed. This modification is possible only when Pinkslipbot infects the machine while the
user is logged in with Administrator privileges.
When successful, NTFS permissions for security-related folders are removed, so that access is denied to
administrators and system processes. Effectively, the Windows operating system will not allow security
products to run without the appropriate permissions.
For example, the following McAfee folders are targeted:
o %AllUsersProfile%\Application Data\McAfee
o %ProgramFiles%\McAfee
Because of this change, files running from these locations will have permissions denied by the Windows
operating system. In some cases, there have been reports that Pinkslipbot has been disabling permissions
from the %ProgramFiles% folder. In such cases, many common user applications would be impacted.
Remediation
o A custom Stinger tool is provided by McAfee Labs upon request to restore modified NTFS
  permissions. You must run the Stinger tool with a user account with Administrator privileges. It will
  restore the original NTFS permissions to allow McAfee programs to be loaded.
o As an alternative, manual instructions to restore the folder’s permissions are as follows:
   1. Open Windows Explorer as Administrator, and right-click the icon for the affected folder(s).
   2. Click Properties to access the folder properties.
   3. Under the Security tab, click Advanced, and then Owner.
   4. Choose the Administrator as Owner (or some user with Administrator privilege).
   5. Click OK when prompted to apply changes.
   6. Return to the Security tab under Properties.
   7. Click Advanced, and select Inherit from parent the permissions entries that apply to
      child objects.
   8. Click OK when prompted to apply changes.
   9. Reboot the infected machine to restart all critical services.
Appendix A: Table of passwords used in brute-force
123
password
Password
letmein
1234
12345
123456
1234567
12345678
123456789
1234567890
qwerty
love
iloveyou
princess
pussy
master
monkey
abc123
99999999
9999999
999999
99999
9999
999
99
9
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2
11111111
1111111
111111
11111
1111
111
11
1
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
12
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
temporary
ihavenopass
nothing
nopassword
nopass
Internet
internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1
password123
password12
password1
default
foobar
foofoo
temptemp
temp
testtest
test
rootroot
root
fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor
unknown
anything
letitbe
domain
access
money
campus
explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
adminadmin
mypassword
mypass
pass
Login
login
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
James
John
Robert
Michael
William
David
Richard
Charles
Joseph
Thomas
Christopher
Daniel
Paul
Mark
Donald
George
Kenneth
Steven
Edward
Brian
Ronald
Anthony
Kevin
Mary
Patricia
Linda
Barbara
Elizabeth
Jennifer
Maria
Susan
Margaret
Dorothy
Lisa
Nancy
Karen
Betty
Helen
Sandra
Donna
Carol
james
john
robert
michael
william
david
richard
charles
joseph
thomas
christopher
daniel
paul
mark
donald
george
kenneth
steven
edward
brian
ronald
anthony
kevin
mary
patricia
linda
barbara
elizabeth
jennifer
maria
susan
margaret
dorothy
lisa
nancy
karen
betty
helen
sandra
donna
carol
baseball
dragon
football
mustang
superman
696969
batman
trustno1
Getting Help from the McAfee Foundstone Services team
This document is intended to provide a summary of current intelligence and best practices to ensure the
highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers
a full range of strategic and technical consulting services that can further help to ensure you identify
security risk and build effective solutions to remediate security vulnerabilities.
You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx
© 2016 McAfee, Inc. All rights reserved.