
McAfee Labs Threat Advisory W32/Pinkslipbot

May 8, 2017

Summary

The W32/Pinkslipbot worm can spread over network shares, downloading files and updating its software. Additionally, it can receive backdoor commands from its IRC command and control center. It attempts to steal user information and upload it to FTP sites.

Aliases:

o Qakbot
o Akbot
o Qbot

Detailed information about the worm, its propagation, and mitigation is in the following sections:

o Infection and Propagation Vectors
o Characteristics and Symptoms
o Rootkit Behavior
o Restart Mechanism
o NTFS Folder Permission Alteration
o Getting Help from the McAfee Foundstone Services team

Infection and Propagation Vectors

There are two infection and propagation vectors that Pinkslipbot primarily uses to spread itself. Below is the description and mitigation for each one.

Exploits

Many Pinkslipbot infections have been reported to be propagated by exploiting web-related vulnerabilities. Known vulnerabilities used to propagate this threat include:

o Vulnerability in the Microsoft Data Access Components (MDAC) Function:
  o http://support.microsoft.com/kb/870669
  o http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
o Apple QuickTime RTSP URL Handler Stack-based Buffer Overflow:
  o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4673
  o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
o Adobe getIcon Stack-based Buffer Overflow:
  o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927
o MsVidCtl Overflow in Microsoft Video ActiveX Control:
  o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015
o Adobe Reader and Acrobat CoolType.dll Font Parsing Buffer Overflow Vulnerability:
  o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883
o Adobe Flash opaqueBackground Use After Free:
  o https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122

Mitigation

McAfee recommends that all computer systems be updated with the latest vendor patches, not limited to the vulnerabilities mentioned above.


In addition, restricting scripting and browser plugins for document files and media players can further mitigate the risk of malware bypassing certain browser security controls.

Network Shares

Pinkslipbot is known to spread over open shares such as C$ and ADMIN$. If an open network share is found, Pinkslipbot-related files are copied to the share and executed remotely. Recent versions of Pinkslipbot attempt to log in to protected network shares as every available user using a dictionary attack consisting of the passwords listed in Appendix A, and infect machines through a remote service.

Mitigation:

o Enforce a strict password policy on all network shares and grant write permissions only to trusted accounts that need them. Ensure that passwords from the dictionary in Appendix A are not in use.
o Though this may not apply to all Pinkslipbot variants, McAfee recommends that you turn off Autorun functionality (http://support.microsoft.com/kb/967715).

USB and Removable Drives

Pinkslipbot can also spread over removable drives. When the machine is infected, it will monitor for an attached drive. If one is found, it will create a copy of itself with the same filename as any directory on the drive.

Mitigation:

o Disable the Autorun feature on Windows. You can do this remotely using Windows Group Policies.
o Restrict the use of USB drives on mission-critical and server machines.
o Implement and test Access Protection Rules using VirusScan Enterprise to prevent writing of AUTORUN.INF files.
o Where possible, configure the perimeter and/or desktop firewall to restrict connections to the reported network ports, URLs, and domain names.
o Users who are known to have been infected should change their passwords.
o Always ensure you have the latest DATs installed for your McAfee VirusScan product.
o For customers with McAfee Network Security Platform (NSP), we recommend that you enable the following attacks:
  o To detect the vulnerabilities being exploited by W32/Pinkslipbot:
    0x40231a00 - HTTP: Apple QuickTime RTSP URL Buffer Overflow
    0x4021dd00 - HTTP: Microsoft Internet Explorer ADODB.Stream Object File Installation
  o To detect W32/Pinkslipbot infected victims on the network:
    0x48804e00 - BOT: Quakbot (PinkSlip) Traffic Detected

Characteristics and Symptoms

Description

An executable (.exe) is downloaded as the result of an initial infection. The .exe contains an encrypted DLL and configuration file, which are dropped and used for initialization and injection. The DLL file is loaded into the .exe's process memory. It sets up hooks (see the Rootkit Behavior section) in multiple processes for data gathering and information stealing purposes. Pinkslipbot also injects its DLL code into processes such as:

o iexplore.exe
o outlook.exe
o firefox.exe
o opera.exe
o skype.exe
o msnmsgr.exe
o yahoomessenger.exe
o chrome.exe
o msmsgs.exe


The injected code then attempts to reach out to the Internet to gather other configuration files and updates. In older variants, configuration information was available via a password-protected ZIP archive with the static password "Hello999W0rld777". The .exe, DLL, and other configuration files are typically stored under a randomly named sub-folder within the following folder:

o %AllUsersProfile%\Application Data\Microsoft\

The configuration file is encrypted. After decryption, it contains C&C and FTP server information. The following is an example of such a decrypted configuration file:

cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
ftphost_1=216.227.214.95:[email protected]:[Password]:
ftphost_2=72.29.86.119:[email protected]:[Password]:
ftphost_3=66.219.30.219:[email protected]:[Password]:
ftphost_4=110.4.45.64:[email protected]:[Password]:
ftphost_5=74.220.215.107:[email protected]:[Password]:
update_conf_ver=908
ftphost_[number]=162.144.12.241: [email protected]: [Password]:
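As an added example (not part of the McAfee advisory), the following PowerShell parses a decrypted configuration in the key=value layout shown above and extracts the C&C port, the p2p node list and the FTP drop hosts, so an analyst can turn a recovered config into a blocklist. The sample text is constructed here with documentation-range addresses and placeholder credentials; the function names are my own.

```powershell
# Added example, not from the McAfee advisory. Parses a decrypted Pinkslipbot configuration
# in the key=value layout shown above. $sample is constructed; hosts and credentials are placeholders.
$sample = @'
cc_server_port=16768
cc_server_pass=[Password]
p2p_node_lst=http://p2p-node.example/cgi-bin/ls1.pl
ftphost_1=192.0.2.10:ftpuser1:[Password]:
ftphost_2=192.0.2.11: ftpuser2: [Password]:
update_conf_ver=908
'@

function ConvertFrom-PinkslipbotConfig {
    param([Parameter(Mandatory)][string]$Text)
    $cfg = [ordered]@{ CcPort = $null; CcPass = $null; P2pNodeList = @(); FtpHosts = @(); ConfigVersion = $null }
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -notmatch '^\s*([A-Za-z0-9_\[\]]+)\s*=\s*(.*)$') { continue }
        $key   = $Matches[1]          # copied out now: switch -Regex below overwrites $Matches
        $value = $Matches[2].Trim()
        switch -Regex ($key) {
            '^cc_server_port$'  { $cfg.CcPort = [int]$value }
            '^cc_server_pass$'  { $cfg.CcPass = $value }
            '^p2p_node_lst$'    { $cfg.P2pNodeList += $value }
            '^update_conf_ver$' { $cfg.ConfigVersion = [int]$value }
            '^ftphost_'         {
                # layout: host:user:password:  (trailing colon; some samples carry spaces after the colons)
                $parts = ($value -split ':') | ForEach-Object { $_.Trim() }
                if ($parts.Count -ge 3) {
                    $cfg.FtpHosts += [pscustomobject]@{ Key = $key; Host = $parts[0]; User = $parts[1]; Password = $parts[2] }
                }
            }
        }
    }
    return [pscustomobject]$cfg
}

function Get-PinkslipbotBlocklist {
    param([Parameter(Mandatory)]$Config)
    # Hosts an analyst would hand to the perimeter firewall: the FTP drop hosts plus the p2p node list web host
    $hosts = @($Config.FtpHosts | ForEach-Object { $_.Host })
    foreach ($u in $Config.P2pNodeList) { $hosts += ([uri]$u).Host }
    return $hosts | Sort-Object -Unique
}

$cfg = ConvertFrom-PinkslipbotConfig -Text $sample
$cfg.FtpHosts | Format-Table -AutoSize
Get-PinkslipbotBlocklist -Config $cfg
```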

When installed, a user mode rootkit hides these files from GUI-based applications. However, a directory listing from cmd.exe still shows them. Some of the filenames observed on an infected system include:

o _qbotnti.exe
o q3.dll
o _qbotinj.exe
o q2l.exe
o q1.dll
o Start Menu\Programs\Startup\startup.bat
o si.txt
o File names containing "_irc"
o nbl_*.txt
o removeme.txt
o alias_qa.zip
o *_*.kcb
o alias__qbotnti.exe
o alias_si.txt
o alias__qbot.cb
o resume.doc
o sconnect.js
o alias_seclog.txt
o updates.cb
o updates_*new.cb
o _installed
o uninstall.tmp
o qbot.cb
o _qbot.cb
o [random].job
o Mpr.dll
o pagefile.sys.bak.txt
o [random].dll

The malware has key-logging, password-stealing and certificate-stealing capabilities, and attempts to collect geographic, OS, IP, email address, URLs-visited, and other system information. Such information is sent to compromised FTP hosts as shown below.


As seen above, the malware uploads the stolen information in the file names seclog*.kcb and ps_dump.Administrator_*.kcb, with the latter one containing the stolen password information. Network connections may be made on the following network ports:

o 80
o 21
o 443
o 2222
o 995
o 2078
o 31666
o 16666-16669

Network connections are known to be made to the following domains:


In addition, it can also monitor traffic to URLs that contain the following:


During our investigation of multiple variants of this threat, we observed the following variations in the HTTP POST request and URLs sent to the C&C server:

o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=jpwel2451&it=2&b=6
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/we.js?u=usoqc8673&v=piuv8
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.zip&uninstall=ppozu1276
o http://<domain-name>/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=zzekr1617&it=2&b=197//u/updates.cb
o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_force_exec_success
o http://<domain-name>/cgi-bin/jl/jloader.pl?loadfile=q/q2_irc_nick_
o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=socks-1-1580-zevhd0018
o http://<domain-name>/cgi-bin/clientinfo3.pl?cookie=sysinfo-0-1580-zevhd0018
o hxxp://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=socks-0-1412-qpckb8049
o hxxp://zurnretail.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-1-1412-qpckb8049
o hxxp://swallowthewhistle.com/cgi-bin/clientinfo3.pl?cookie=sysinfo-43-2716-fzrmj8460

Note: <domain-name> will vary based on the active C&C server.

Pinkslipbot attempts to steal the following information from infected hosts:

o POP3, IMAP, NNTP, Email, SMTP passwords
o Keystrokes
o Digital certificates
o HTTP session information

Some newer samples were observed to have valid stolen digital signatures.

A newer variant of this bot enumerates the following key to check for installed AV products:

o HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall


Rootkit Behavior

Some variants of this malware have also been known to install a rootkit component to hide its presence, including its running process and registry entries. In such cases, the malware will be hidden from normal process viewers and registry editors such as Task Manager and regedit.exe. The following system APIs are hooked to accomplish this:

o ntdll.dll!NtQuerySystemInformation
o ntdll.dll!LdrLoadDll
o ntdll.dll!NtResumeThread
o ntdll.dll!ZwResumeThread
o kernel32.dll!GetProcAddress
o kernel32.dll!FindFirstFileA
o kernel32.dll!FindNextFileA
o kernel32.dll!FindFirstFileW
o kernel32.dll!FindNextFileW
o user32.dll!CharToOemBuffA
o user32.dll!GetClipboardData
o user32.dll!TranslateMessage
o advapi32.dll!RegEnumValueW
o advapi32.dll!RegEnumValueA
o ws2_32.dll!connect
o ws2_32.dll!send
o ws2_32.dll!WSASend
o ws2_32.dll!WSAConnect
o iphlpapi.dll!GetTcpTable
o iphlpapi.dll!AllocateAndGetTcpExTableFromStack
o wininet.dll!HttpSendRequestA
o wininet.dll!HttpSendRequestW
o wininet.dll!InternetReadFile
o wininet.dll!InternetReadFileA
o wininet.dll!InternetCloseHandle
o wininet.dll!InternetQueryDataAvailable
o wininet.dll!HttpOpenRequestA
o wininet.dll!HttpOpenRequestW
o wininet.dll!HttpSendRequestExW
o wininet.dll!InternetReadFileExA
o wininet.dll!InternetWriteFile
o dnsapi.dll!DnsQuery_A
o dnsapi.dll!DnsQuery_W
o dnsapi.dll!Query_Main

At the time of research, the following existing executables were excluded from hooking:

o msdev.exe
o dbgview.exe
o mirc.exe
o ollydbg.exe
o ctfmon.exe

Pinkslipbot prevents the user's DNS queries from resolving when the site name contains any of the following strings:

webroot agnitum ahnlab arcabit avast avg avira defender drweb emsisoft esafe eset etrust ewido Kaspersky malware mcafee microsoft networkassociates nod32 norman spyware sunbelt Symantec Threatexpert Trendmicro virus wilderssecurity avp bitdefender bit9 castlecops centralcommand clam av comodo computerassociates cpsecure fortinet f-prot f-secure gdata grisoft hacksoft hauri ikarus jotti k7computing Norton Panda Pctools Prevx quickheal rising rootkit securecomputing sophos spamhaus windowsupd clearclouddns

Restart Mechanism

Description

Pinkslipbot executables accept the following parameters:

/i – Drops a DLL and a configuration file
/s – If passed with the configuration file, runs Pinkslipbot in service mode
/t – Terminate
/c – If passed with an executable name, runs that executable
/v – Opens and listens on the port number specified in the parameter

As a restart mechanism, Pinkslipbot will attempt to modify an existing “Run” registry value to include its own .exe and DLL. The original executable pointed to by the “Run” value is kept in the value data and launched with a "/c" switch. As an example, it will modify an existing Run value such as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  [Original] = [Path to Original]

to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  [Original] = <random>.exe <random>.dll /c [Path to Original]

In newer variants, the Run value may instead be modified to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  [Original] = <random>.exe /s <Pinkslipbot config file>

In newer variants, a Windows Task Scheduler job is also created to launch the malware:

o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr [Path to Original] /sc HOURLY /mo 7 /F

It also adds an entry in the HKCU Run registry key to execute itself automatically at startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  [random name] = [Path to Malware]

It adds itself as a service for automatic execution:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<random name>
  Type         dword:00000010
  Start        dword:00000002
  ErrorControl dword:00000000
  ImagePath    <Malware Path and filename> /D
  DisplayName  "Remote Procedure Call (RPC) Service"

Link files have also been placed in user directories as a restart mechanism. A ‘.lnk’ file pointing to the executable is placed in a different user's Startup directory, that is, a user other than the one who initially executed the malware, for example:

%UserDir%\[Another User]\Start Menu\Programs\Startup\vjoufy.lnk


Pinkslipbot uses a second restart mechanism. It saves a JavaScript (JS) file in the Windows System32 folder. The name of this file is typically sconnect.js; newer variants use randomly named JS files. A Windows Task Scheduler job is then created which launches this JS script. This job is scheduled to run hourly. The JS file is also crafted to connect to malicious sites to download an update to the Pinkslipbot components. The following is the task setup:

o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr "%windir%\system32\cscript.exe //E:javascript [JavaScript File]" /sc HOURLY /mo 4 /ru

In newer variants, the JavaScript is kept at %LOCALAPPDATA%\Microsoft\<random>.wpl. This script checks for new versions of the malware from the following URLs:

o hxxp://oe.zagorai3lan.com/viewtopic.php
o hxxp://w.abcwd0.seed.fastsecureservers.com/viewtopic.php
o hxxp://homemadebody.247affiliatemarketing.com/viewtopic.php
o hxxp://autoparts.perksautocare.com/viewtopic.php
o hxxp://a.new-date-world.com/viewtopic.php
o hxxp://projects.montgomerytech.com/TeaLeafTarget.php
o hxxp://n.abcwd0.seed.fastsecureservers.com/TeaLeafTarget.php
o hxxp://css.kbaf.myzen.co.uk

The following is the new task setup:

o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr "%windir%\system32\cscript.exe //E:javascript [JavaScript File]" /sc HOURLY /mo 15 /F
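As an added defender-side example (not part of the McAfee advisory), the following PowerShell audits the autostart locations described in this section: the HKLM and HKCU Run values, scheduled tasks whose action runs cscript.exe //E:javascript or a .wpl file, the look-alike "Remote Procedure Call (RPC) Service" entry, and .lnk files in users' Startup folders. The regular expressions, the function names and the modern AppData Startup path are my assumptions; every hit is a lead for manual review, not a verdict.

```powershell
# Added example, not from the McAfee advisory. Read-only audit of the persistence
# locations the advisory describes. Run from an elevated prompt for full visibility.

function Test-SuspiciousRunValue {
    param([string]$Value)
    # "<random>.exe <random>.dll /c [Path to Original]": hijacked existing Run value
    if ($Value -match '\.exe"?\s+\S+\.dll"?\s+/c\s+') { return 'exe + dll /c wrapper' }
    # "<random>.exe /s <config file>": service-mode launch seen in newer variants
    if ($Value -match '\.exe"?\s+/s\s+\S') { return 'exe /s config' }
    # loader dropped in a random sub-folder of %AllUsersProfile%\Application Data\Microsoft\
    if ($Value -match 'Application Data\\Microsoft\\[^\\"]+\\[^\\"]+\.(exe|dll)') { return 'AllUsersProfile drop path' }
    return $null
}

function Get-PinkslipbotAutostartHits {
    $hits = @()
    # 1. Run values under HKLM and HKCU
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... are provider noise
            $why = Test-SuspiciousRunValue -Value ([string]$p.Value)
            if ($why) { $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $p.Value; Reason = $why } }
        }
    }
    # 2. Scheduled tasks whose action is cscript.exe //E:javascript or a .wpl file (the hourly /mo N jobs)
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            $why = $null
            if ($cmd -match 'cscript\.exe.*//E:javascript') { $why = 'cscript //E:javascript action' }
            elseif ($cmd -match '\.wpl(\s|"|$)')            { $why = '.wpl launched by task' }
            if ($why) { $hits += [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Value = $cmd; Reason = $why } }
        }
    }
    # 3. Random-named service posing as "Remote Procedure Call (RPC) Service" with an ImagePath ending in /D
    $services = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Remote Procedure Call (RPC) Service' -and $_.ImagePath -match '\s/D\s*$' }
    foreach ($svc in $services) {
        $hits += [pscustomobject]@{ Source = 'Service'; Name = $svc.PSChildName; Value = $svc.ImagePath; Reason = 'RPC look-alike service' }
    }
    # 4. .lnk files in any user's Startup folder (the advisory drops them into another user's profile).
    #    Assumption: modern profile layout; add the legacy "%UserDir%\<user>\Start Menu\Programs\Startup" path on older hosts.
    $shell = New-Object -ComObject WScript.Shell
    $lnks = Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -ErrorAction SilentlyContinue
    foreach ($lnk in $lnks) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        $hits += [pscustomobject]@{ Source = 'StartupFolder'; Name = $lnk.Name; Value = $target; Reason = 'review .lnk target' }
    }
    return $hits
}

Get-PinkslipbotAutostartHits | Format-Table -AutoSize
```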

Mitigation

o Create and test a VirusScan Access Protection Rule (APR) to prevent cscript.exe and wscript.exe processes from reading and executing files from the %UserProfile% folder, where feasible.

o Create and test a VirusScan Access Protection Rule (APR) for “updates_*new.cb”, “upd_*.cb” and “updates*_new.cb”. These are usually used as Pinkslipbot configuration files. Blocking these files can prevent the malware from updating.

o Create and test a VirusScan Access Protection Rule (APR) to prevent cscript.exe and wscript.exe processes from reading and executing files from the %LOCALAPPDATA%\Microsoft\ folder, for “*.wpl”. These are usually JavaScript files. Blocking these files can prevent the malware from downloading a new version.


NTFS Folder Permission Alteration

Some variants of Pinkslipbot were observed modifying NTFS permissions for folders where security products are installed. This modification is possible only when Pinkslipbot infects the machine while the user is logged in with Administrator privileges. When successful, NTFS permissions for security-related folders are removed such that access is denied even to administrators and system processes. Effectively, the Windows operating system will not allow security products to run without the appropriate permissions. For example, the following McAfee folders are targeted:

o %AllUsersProfile%\Application Data\McAfee
o %ProgramFiles%\McAfee

Because of this change, files running from these locations will have permissions denied by the Windows operating system. In some cases, there have been reports that Pinkslipbot has been removing permissions from the %ProgramFiles% folder itself. In such cases, many common user applications would be impacted.

Remediation

o A custom Stinger tool is provided by McAfee Labs upon request to restore modified NTFS permissions. You must run the Stinger tool with a user account with Administrator privileges. It will restore the original NTFS permissions to allow McAfee programs to be loaded.

o As an alternative, manual instructions to restore the folder's permissions are as follows:
  1. Open Windows Explorer as Administrator, and right-click the icon for the affected folder(s).
  2. Click Properties to access the folder properties.
  3. Under the Security tab, click Advanced, and then Owner.
  4. Choose Administrator as Owner (or some user with Administrator privilege).
  5. Click OK when prompted to apply changes.
  6. Return to the Security tab under Properties.
  7. Click Advanced, and select "Inherit from parent the permissions entries that apply to child objects".
  8. Click OK when prompted to apply changes.
  9. Reboot the infected machine to restart all critical services.
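As an added example (not part of the McAfee advisory), the following PowerShell performs the nine manual steps above in script form for the two McAfee folders named in this section: take ownership as the Administrators group, re-enable inheritance from the parent, then verify that Administrators and SYSTEM have an Allow entry again. It uses the built-in takeown.exe and icacls.exe; the folder list, function name and verification rule are my assumptions.

```powershell
# Added example, not from the McAfee advisory. Scripted equivalent of the manual
# remediation steps above. Run from an elevated PowerShell prompt.
$folders = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\McAfee'),  # legacy path as written in the advisory
    (Join-Path $env:ProgramData 'McAfee'),                       # where that path resolves on current Windows
    (Join-Path $env:ProgramFiles 'McAfee')
)

function Repair-FolderPermissions {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping $Path (not present)"
        return $false
    }
    # Steps 3-5: take ownership for the Administrators group, recursively.
    # /D Y answers the prompt for directories the current user cannot even list.
    takeown.exe /F "$Path" /R /A /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed for $Path"; return $false }
    # Steps 6-8: re-enable inheritance from the parent on the folder and everything below it
    # (/T recurse, /C continue past individual errors). If explicit Deny entries remain afterwards,
    # "icacls <path> /reset /T /C" replaces the ACL with the inherited defaults.
    icacls.exe "$Path" /inheritance:e /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $Path"; return $false }
    # Verify: Administrators and SYSTEM must hold an Allow entry on the folder again
    $acl = Get-Acl -LiteralPath $Path
    $allowed = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM)$'
    })
    return ($allowed.Count -ge 2)
}

$results = foreach ($f in $folders) {
    [pscustomobject]@{ Folder = $f; Repaired = (Repair-FolderPermissions -Path $f) }
}
$results | Format-Table -AutoSize
# Step 9: reboot once every present folder reports Repaired = True
if (@($results | Where-Object { -not $_.Repaired }).Count -eq 0) {
    Write-Host 'All folders repaired. Reboot the machine to restart all critical services.'
}
```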

Appendix A: Table of passwords used in brute-force

123 password Password letmein 1234 12345 123456 1234567 12345678 123456789 1234567890 qwerty love iloveyou princess pussy master monkey abc123 99999999 9999999 999999 99999 9999 999 99 9 88888888 8888888 888888 88888 8888 888 88 8 77777777 7777777 777777 77777 7777 777 77 7 66666666 6666666 666666 66666 6666 666 66 6 55555555 5555555 555555 55555 5555 555


55 5 44444444 4444444 444444 44444 4444 444 44 4 33333333 3333333 333333 33333 3333 333 33 3 22222222 2222222 222222 22222 2222 222 22 2 11111111 1111111 111111 11111 1111 111 11 1 00000000 0000000 00000 0000 000 00 0987654321 987654321 87654321 7654321 654321 54321 4321 321 21 12 super secret server computer owner backup database lotus oracle business manager temporary ihavenopass nothing nopassword nopass


Internet internet example sample love123 boss123 work123 home123 mypc123 temp123 test123 qwe123 pw123 root123 pass123 pass12 pass1 admin123 admin12 admin1 password123 password12 password1 default foobar foofoo temptemp temp testtest test rootroot root fuck zzzzz zzzz zzz xxxxx xxxx xxx qqqqq qqqq qqq aaaaa aaaa aaa sql file web foo job home work intranet controller killer games private market coffee cookie forever freedom student account academia files


windows monitor unknown anything letitbe domain access money campus explorer exchange customer cluster nobody codeword codename changeme desktop security secure public system shadow office supervisor superuser share adminadmin mypassword mypass pass Login login passwd zxcvbn zxcvb zxccxz zxcxz qazwsxedc qazwsx q1w2e3 qweasdzxc asdfgh asdzxc asddsa asdsa qweasd qweewq qwewq nimda administrator Admin admin a1b2c3 1q2w3e 1234qwer 1234abcd 123asd 123qwe 123abc 123321 12321 123123 James John Robert


Michael William David Richard Charles Joseph Thomas Christopher Daniel Paul Mark Donald George Kenneth Steven Edward Brian Ronald Anthony Kevin Mary Patricia Linda Barbara Elizabeth Jennifer Maria Susan Margaret Dorothy Lisa Nancy Karen Betty Helen Sandra Donna Carol james john robert michael william david richard charles joseph thomas christopher daniel paul mark donald george kenneth steven edward brian ronald anthony kevin mary patricia linda barbara elizabeth


jennifer maria susan margaret dorothy lisa nancy karen betty helen sandra donna carol baseball dragon football mustang superman 696969 batman trustno1

Getting Help from the McAfee Foundstone Services team This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities.

You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

© 2016 McAfee, Inc. All rights reserved.