New banking malware variant has been discovered today
June 19, 2017
This morning a new banking Trojan was spotted on the Web. It uses UPnP on home routers to expose the infected machines behind them, which are then recruited into the botnet.
McAfee Labs says the new campaign uses a variant of the long-running "PinkSlipBot", and warns that it abuses Universal Plug and Play (UPnP) to open ports through home routers, allowing anyone on the Internet to connect to the infected machine.
As with any credential-harvesting botnet, the malware needs to get its data back to the botmasters without exposing them, and this is where the UPnP exploit comes in.
In the current Pinkslipbot campaign, UPnP merely provides the path to the targets: infected machines that act as HTTPS servers, at IP addresses hard-coded in the malware. McAfee notes that this is the first time the company has seen HTTPS-based C&C servers.
Those servers act as a first of two layers of proxies deployed to protect the various IPs of the C&C machines.
The malware behind the campaign is nothing if not thorough. Before infecting, it checks the target's connection using a Comcast Internet speed tester (only U.S. IP addresses are accepted).
If the target addresses pass the speed test, the malware then taps on various UPnP ports to check the overall available services.
On vulnerable systems, it checks 27 ports to see if it can map them to the outside world.
With one or more ports available, the attackers then infect a machine behind the firewall, create a permanent port mapping for its traffic, and bring it up as a C&C proxy.
The zombie C&Cs use the libcurl library to pass information to the second-layer proxies, which handle communications with the real command-and-control (C&C) servers.
McAfee suggests that home users keep an eye on their routers' port-forwarding rules, and turn UPnP off if they don't need it.
While it may be true that this is only the second time the bad guys have taken advantage of UPnP (the first was Conficker, several years ago), enough security bugs have been disclosed in the protocol to make it a security issue of some importance.
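The advice above (check your router's port-forwarding rules) can be automated: a UPnP Internet Gateway Device exposes its mapping table through the WANIPConnection service, and a script can walk that table and flag entries the household never created. The following is an added example for this article, not McAfee's code nor part of the original report. It assumes the router offers the standard WANIPConnection:1 service (the control URL is a placeholder), walks GetGenericPortMappingEntry until the router answers with the 713 "SpecifiedArrayIndexInvalid" fault that ends the table, and flags permanent, world-reachable mappings on web ports, the shape of mapping the article describes. The SOAP responses embedded below are constructed samples so the check runs offline.

```python
# Audit UPnP IGD port mappings on a home router (defender's check).
# Added example; assumes a WANIPConnection:1 service at a placeholder URL.
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WEB_PORTS = {80, 443, 8080, 8443}   # ports an HTTP(S) proxy would expose


@dataclass
class PortMapping:
    remote_host: str          # "" means any Internet host may connect
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int        # 0 means the mapping is permanent


def build_request(index: int) -> bytes:
    """SOAP body for GetGenericPortMappingEntry(NewPortMappingIndex=index)."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def parse_response(xml_bytes: bytes) -> Optional[PortMapping]:
    """Return the mapping in a SOAP response, or None on a SOAP fault
    (the IGD returns error 713 once the index runs past the table)."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        if el.tag.endswith("Fault"):
            return None
        if el.tag.endswith("GetGenericPortMappingEntryResponse"):
            def txt(name: str) -> str:      # response children carry no namespace
                return (el.findtext(name) or "").strip()
            return PortMapping(
                remote_host=txt("NewRemoteHost"),
                external_port=int(txt("NewExternalPort")),
                protocol=txt("NewProtocol").upper(),
                internal_port=int(txt("NewInternalPort")),
                internal_client=txt("NewInternalClient"),
                enabled=txt("NewEnabled") == "1",
                description=txt("NewPortMappingDescription"),
                lease_seconds=int(txt("NewLeaseDuration") or "0"),
            )
    raise ValueError("not a GetGenericPortMappingEntry response")


def audit(mappings: List[PortMapping], expected: Set[Tuple[int, str]]) -> List[str]:
    """Flag enabled mappings not in `expected` ((external_port, protocol)
    pairs the user set up on purpose), with the reasons they look suspect."""
    findings = []
    for m in mappings:
        if not m.enabled or (m.external_port, m.protocol) in expected:
            continue
        reasons = []
        if m.remote_host == "":
            reasons.append("reachable from any Internet host")
        if m.lease_seconds == 0:
            reasons.append("permanent lease")
        if m.external_port in WEB_PORTS or m.internal_port in WEB_PORTS:
            reasons.append("web port, consistent with a proxy or C&C front")
        if reasons:
            findings.append(f"{m.protocol} {m.external_port} -> {m.internal_client}:"
                            f"{m.internal_port} ({m.description or 'no description'}): "
                            + "; ".join(reasons))
    return findings


def fetch_all(control_url: str) -> List[PortMapping]:
    """Walk the router's mapping table over the network (network access needed)."""
    out, index = [], 0
    while True:
        req = urllib.request.Request(
            control_url, data=build_request(index), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{IGD_SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read()
        except urllib.error.HTTPError as e:
            body = e.read()          # IGDs return SOAP faults with HTTP 500
        m = parse_response(body)
        if m is None:
            return out
        out.append(m)
        index += 1


def _sample(remote, ext, proto, iport, client, desc, lease) -> bytes:
    """Constructed sample of what a router returns for one table entry."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">'
        f'<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    ).encode()


# Constructed table: a user's torrent client, a silent permanent HTTPS mapping, then the end-of-table fault.
SAMPLE_RESPONSES = [
    _sample("", 51413, "TCP", 51413, "192.168.1.10", "Transmission", 3600),
    _sample("", 443, "TCP", 443, "192.168.1.23", "", 0),
    (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
     '<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
     '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
     '</UPnPError></detail></s:Fault></s:Body></s:Envelope>').encode(),
]


def demo() -> List[str]:
    """Run the audit over the constructed table, stopping at the fault."""
    mappings = []
    for body in SAMPLE_RESPONSES:
        m = parse_response(body)
        if m is None:
            break
        mappings.append(m)
    return audit(mappings, expected={(51413, "TCP")})


if __name__ == "__main__":
    for line in demo():
        print("SUSPICIOUS:", line)
    # Against a real router: fetch_all("http://192.168.1.1:PLACEHOLDER/ctl/IPConn")
```

Against a real router, replace the placeholder control URL with the one advertised in the gateway's device description (found via SSDP discovery) and pass `fetch_all(...)` to `audit`. The audit is deliberately conservative: a mapping is only reported when it is enabled and not on the user's own list, and the reasons tell the user why it matters (world-reachable, permanent, on a web port).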
Source: McAfee Internet Security.