
New banking malware variant has been discovered today


June 19, 2017

This morning, a new banking Trojan was spotted on the Web. It uses UPnP to make home routers expose the unsuspecting users who have been recruited into the botnet.

McAfee Labs asserts that the new campaign uses a variant of the long-running “PinkSlipBot”, and warns that it uses Universal Plug and Play (UPnP) to open ports through home routers, allowing anyone on the Internet to initiate connections to the infected machine.

As with any credential-harvesting botnet, the malware needs to get its data back to the botmasters without exposing them, and this is where the UPnP exploit comes in.

In the current Pinkslipbot campaign, UPnP merely provides the path to the targets: infected machines that serve as HTTPS servers, reachable at IP addresses listed in the malware. McAfee notes that this is the first time the company has seen HTTPS-based C&C servers.

Those servers act as the first of two layers of proxies deployed to hide the real IP addresses of the C&C machines.

The malware behind the campaign is nothing if not thorough. Before infection, it checks the target's connection with a Comcast Internet speed tester (only U.S. IP addresses are accepted).

If the target address passes the speed test, the malware then probes various UPnP ports to check which services are available.

On vulnerable systems, it checks 27 ports to see whether it can map them to the outside world.

With one or more ports available, the attackers infect a machine behind the firewall, create a permanent port mapping for its traffic, and stand it up as a C&C proxy.

The zombie C&C proxies use the libcurl library to pass information to the second-layer proxies, which handle communications with the real command-and-control (C&C) servers.

McAfee suggests that home users keep tabs on their local port-forwarding rules and turn UPnP off if they don't need it.
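One way to keep those tabs from a LAN host, as an added example that is not from the article or from McAfee: the script asks the router's UPnP IGD control URL (assumed already discovered from the router's device description via SSDP) for every entry in its port-mapping table and flags any mapping not on an allowlist, noting permanent ones, since a permanent mapping to an unexpected internal host on a listening port is the pattern described above. The sample response is constructed, not captured from a real router.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# IGD service that owns the router's port-mapping table (WANPPPConnection is the other common one)
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"

def build_request(index):
    """SOAP body asking the router for the mapping at table position `index`."""
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{ACTION} xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    """Return the New* fields of one GetGenericPortMappingEntry response, minus the prefix."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]  # strip the namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def fetch_mappings(control_url):
    """Walk the table from index 0; past the end the router answers with a SOAP fault (HTTP 500)."""
    mappings, index = [], 0
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    while True:
        req = urllib.request.Request(control_url, data=build_request(index).encode(), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_mapping(resp.read()))
        except urllib.error.HTTPError:
            return mappings
        index += 1

def audit(mappings, expected):
    """Flag every mapping not in `expected`, a set of (internal_ip, internal_port, proto) tuples.
    LeaseDuration "0" means the mapping is permanent, the kind the campaign creates."""
    return [{"mapping": m, "permanent": m.get("LeaseDuration") == "0"} for m in mappings
            if (m.get("InternalClient"), m.get("InternalPort"), m.get("Protocol")) not in expected]

# Constructed sample response: a permanent TCP mapping from a high external port to 443 on a LAN host.
SAMPLE_RESPONSE = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:{ACTION}Response xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
    '<NewExternalPort>65443</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>443</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient>'
    f'<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>')
```

Run `audit(fetch_mappings("http://<router-ip>:<port>/<control-path>"), expected)` with your known mappings in `expected`; anything returned deserves a look at the internal host it points to.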

While this may be only the second time attackers have taken advantage of UPnP (the first was Conficker, several years ago), enough security bugs have been disclosed in the protocol to make it a security issue of relative importance.

Source: McAfee Internet Security.
