From infected machine to control server proxy

The exact procedure of determining whether an infected machine is eligible to be a control server proxy is unknown. However, we believe this decision depends on an infected machine's satisfying a combination of three factors.
This information continues to hold true with this new discovery.
All control server-related information described as follows has been observed on other server components used by Pinkslipbot.
McAfee Labs has discovered that the banking malware Pinkslipbot (also known as QakBot/QBot) has used infected machines as control servers since April 2016, even after its capability to steal personal and financial data from the infected machine has been removed by a security product.
These include home users whose computers are usually behind a network address translation router.
The downloaded Trojan is a dropper for the proxy component.
It creates the following files either in %APPDATA% or %ALLUSERSPROFILE%, depending on the operating system.
To do so, Pinkslipbot uses Universal Plug and Play (UPnP) to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine.
As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware to use UPnP for port forwarding, after the infamous W32/Conficker worm in 2008.
This is done by looking for the service type urn:schemas-upnp-org:service:WANCommonInterfaceConfig: in the device description.
The IGD is then checked for connectivity (for example, by calling the GetStatusInfo function on the device and confirming the returned response is "Connected"), and the external IP address is retrieved using the GetExternalIPAddress() function on the device.
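To make the discovery step above concrete, here is an added example (not McAfee's code and not anything from the malware) that does what an audit script checking a home router would: it parses a constructed IGD device description for the WAN* services and their control URLs, builds the zero-argument SOAP call for an action such as GetStatusInfo, and reads the connection status back out of a constructed reply. The XML documents, control URLs and uptime value are all constructed samples.

```python
import xml.etree.ElementTree as ET

DEV_NS = "{urn:schemas-upnp-org:device-1-0}"

# Constructed sample IGD device description; not captured from a real router.
DEVICE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
 <deviceList><device>
  <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
   <controlURL>/ctl/CmnIfCfg</controlURL>
  </service></serviceList>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service>
    <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    <controlURL>/ctl/IPConn</controlURL>
   </service></serviceList>
  </device></deviceList>
 </device></deviceList>
</device></root>"""

# Constructed reply to GetStatusInfo, in the shape the WANIPConnection spec defines.
STATUS_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetStatusInfoResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewConnectionStatus>Connected</NewConnectionStatus><NewUptime>86400</NewUptime>
</u:GetStatusInfoResponse></s:Body></s:Envelope>"""

def find_services(description_xml, type_prefix):
    """Map serviceType -> controlURL for services whose type starts with type_prefix.
    Walks nested deviceList entries, where an IGD's WAN* services actually live."""
    found = {}
    for svc in ET.fromstring(description_xml).iter(DEV_NS + "service"):
        stype = svc.findtext(DEV_NS + "serviceType", default="")
        if stype.startswith(type_prefix):
            found[stype] = svc.findtext(DEV_NS + "controlURL", default="")
    return found

def soap_request(service_type, action):
    """Return (SOAPAction header value, POST body) for a zero-argument IGD action."""
    envelope = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
                ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
                f'<u:{action} xmlns:u="{service_type}"/></s:Body></s:Envelope>')
    return f'"{service_type}#{action}"', envelope

def soap_result(response_xml, field):
    """Pull one unqualified result element (e.g. NewConnectionStatus) out of a SOAP reply."""
    return next((el.text for el in ET.fromstring(response_xml).iter(field)), None)
```

A gateway that answers these calls from the LAN is one a process on any infected host can drive the same way, which is the reason the post's mitigation advice centres on disabling UPnP on home routers.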