Universal Plug 'n' Pwn! Pinkslipbot malware exploits UPnP to help it steal credentials

First malware to use infected devices as HTTPS-based control servers.

Pinkslipbot first malware to use infected machines as HTTPS-based control servers

A variant of Pinkslipbot is the first known malware to conduct attack campaigns using infected devices as HTTPS-based control servers.

The Pinkslipbot malware has been around since 2007. It comes equipped with keyloggers and other credential stealers to make off with U.S. users' financial information. In fact, it steals over half a million user records each day.

To perpetrate this scale of data theft, Pinkslipbot, otherwise known as the Active Directory lockout-producing QakBot trojan, relies on a botnet of 500,000 infected machines. Each newly infected bot indirectly receives instructions from the malware's real command-and-control (C&C). Two layers of defenses - infected machines serving as HTTPS proxies and additional HTTPS proxies
- funnel these commands down to bots, likely in an effort to conceal the real C&C servers' IP addresses.

20170613 pinkslipbot 1

Layout of a typical Pinkslipbot control server. (Source: McAfee)

"As UPnP assumes local applications and devices are trustworthy, it offers no security protections and is prone to abuse by any infected machine on the network. We have observed multiple Pinkslipbot control server proxies hosted on separate computers on the same home network as well as what appears to be a public Wi-Fi hotspot," explain researchers from McAfee.

Of course, not every infected machine receives the status of a control server proxy. It must meet multiple criteria.

First, it must have an IP address located in North America. Second, Pinkslipbot must verify the machine comes equipped with a high-speed web connection using Comcast's Speed Test. Third, it must be capable of opening ports on Internet gateway devices using Universal Plug and Play (UPnP), a feature which factors into users' Wi-Fi network security decisions.

Assuming an infected computer passes all these tests, Pinkslipbot looks for UPnP devices for the purpose of finding Internet gateway devices (IGD). The malware then creates port-forwarding rules on these devices before attempting to port-forward on 27 internal and external ports. If any transmission succeeds, it saves the port number and sends it back to the control server.

McAfee's Sanchit Karve explains the ultimate intent of this activity:

"Based on this data, the malware author decides whether the infected machine can be used as a control server. Once an infected machine is selected, the 'wgetexe' control server command (more accurately, command 25 using control server protocol Version 14) is issued to the infected machine to download a Trojan binary as 'tmp_{timestamp}.exe.' This sample is responsible for the control server proxy communication..."

20170613 pinkslipbot 3

Disassembled code showing port mapping functionality. (Source: McAfee)

Pinkslipbot is unique in its usage of UPnP for port-forwarding. The only other malware known to use this technique is the dreaded Conficker worm.

But that's not even the most unique part about this malware. If deemed viable, an infected machine receives a control server request from the real C&Cs. It then uses libcurl, a URL transfer library, to route all traffic to those servers using an additional proxy. These proxy control servers are based on HTTPS and generate new self-signed certificates for every connection. In turn, responses received from the real C&Cs are verified using a hardcoded RSA public key.

20170613 pinkslipbot 6

Server certificate generation code from Pinkslipbot. (Source: McAfee)

As of this writing, Pinkslipbot is the only known malware to use infected machines as HTTPS-based control servers.

UPnP allows devices on a network to connect with one another under the assumption they are to be trusted. As such, malware authors can abuse this functionality to dynamically infect machines on that network.

Users can best protect against threats like Pinkslipbot by disabling UPnP altogether.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

, , ,

One Response

  1. Pete

    June 20, 2017 at 3:51 pm #

    UPnP permits networked devices (typically in a home network) to automatically discover (detect) each other for "zero-configuration" operability…meaning, they don't have to authenticate, and you don't have to set up port forwarding. That ease of use comes at a price — namely the risk that a malware-infected device will commandeer your modem/router settings, and there goes the ball game.

    UPnP functionality is built into Windows (since XP). There's no native support for UPnP in OS X (or macOS), although there are UPnP server and client apps for Mac. But unless you've added devices and software to use UPnP, Mac users typically aren't vulnerable to this particular threat. Nevertheless, it's probably not a bad idea to disable UPnP anyway.

    For those who want to disable UPnP, you can do it in your modem/router settings. For example, in the Technicolor Model TC8715D currently used by TimeWarner Cable, open the admin tools on your browser (http://192.168.0.1/), go to Advanced > Device Discovery, and change the "Enable UPnP" setting from "Enabled" (the default setting) to "Disabled". (Be sure to Save the change.) For other modem/routers, consult your device's user manual.

Leave a Reply