A "notorious" banking Trojan known as QakBot or Pinkslip has evolved to adopt a new kind of attack vector, which makes it dangerous to users even after the malware has been removed from infected PCs. Security experts uncovered that an updated version of the malware is the first ever of its kind to use HTTPS-based proxies to convert infected PCs into control servers.
The Trojan can continue to use infected devices as its control servers even after its data-stealing abilities have been removed by security products. QakBot's latest version can not only steal data, but also download other malware onto infected devices via a backdoor. According to security researchers at McAfee, QakBot controls a massive botnet of 500,000 infected PCs that "steals over a half-million records every day". The malware has been active since 2007 and has been updated several times by the hackers operating it.
Malware steals users card and personal data
"Pinkslipbot is a notorious banking-credential harvester that has been active since 2007. It primarily targets users and enterprises located within the United States and includes components for password stealers, keyloggers, and man-in-the-browser attacks that are used as vectors to steal various kinds of information—including credit cards, social security numbers, online account credentials, email passwords, digital certificates, etc," the McAfee researchers said.
"If your system has been infected with W32/PinkSlipbot (Qakbot/QBot), your machine may still be serving as a control server proxy for the malware. Even if all malicious components have been removed by your security product, your computer may be vulnerable to attacks if it is accessible over the Internet," the researchers added.
The malware uses universal plug and play (UPnP) network protocols to stealthily link its server to infected devices, that then serve as QakBot's HTTPS-based proxies to the malware's actual control servers. The researchers said that this allows the malware's activities to go undetected by effectively masking the real IP addresses of the QakBot malware's servers.
The researchers still remain uncertain about the exact process of how an infected machine is determined if it can be converted to a control server proxy. However, they suggested that the malware likely requires three main factors for this to happen – a US-based IP address, high-speed internet connectivity and the capability to open ports on an internet gateway device using UPnP.
How to stay safe?
QakBot malware's port-forwarding rules (which allow infected machines to be used as control servers) are "too generic to remove automatically without risking accidental network misconfigurations".
However, McAfee has released a free utility tool to address this vulnerability, which will scan PCs for Pinkslipbot control server proxy infections and remove malicious port mappings.
"By default, the tool operates in detect mode, in which no changes are made to your system or router configuration if malicious elements are found. If the tool finds malicious port-forwarding rules and malicious services, you may pass the "/del" command line argument to the tool to disable the malicious service and remove the port-forwarding rule," the researchers said.
You can download McAfee's QakBot malware control server proxy detection and port-forwarding removal tool here.