A form of banking Trojan malware has evolved a new attack technique and is using infected machines as control servers - even after its ability to steal data has been removed by security products.
Qakbot is a worm which can spread through the networks and is capable of stealing credentials, opening a backdoor on the infected computer and downloading additional malware - all while using a rootkit functionality to stealthily remain hidden.
The Trojan was first discovered in the late 2000s, but over a decade on its still regularly causing new problems and now it has found a new way of carrying out malicious activity, even if the malware is removed from an infected network.
Researchers at McAfee Labs discovered a new form of the banking Trojan - also known as Pinkslipbot - which uses infected machines as HTTPS-based proxies for the actual control servers.
Pinkslipbot harvests banking credentials using password stealers, keyloggers, man-in-browser attacks and more to steal information, mainly from US financial institutions. In total, the malware controls a botnet of over 500,000 machines and researchers say it steals half a million records every day.
Now researchers have discovered that a number of IP addresses associated with the malware consist solely of infected machines that serve as HTTPS-based proxies to the actual control servers in an effort to hide them. It does this by using universal plug and play (UPnP) to open ports, allowing incoming connections from anyone on the internet.
"As UPnP assumes local applications and devices are trustworthy, it offers no security protections and is prone to abuse by any infected machine on the network. We have observed multiple Pinkslipbot control server proxies hosted on separate computers on the same home network as well as what appears to be a public Wi-Fi hotspot," the researchers said.
"As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware to use UPnP for port forwarding after the infamous Conficker worm in 2008," said anti-malware researcher Sanchit Karve.
Researchers are still determining the exact procedure used to determine if an infected machine can become a proxy, but three factors are thought to play a role; an IP address located in North America, a high-speed internet connection and the capability to open ports on an internet gateway device using UPnP.
Once a suitable machine is selected, the malware author issues a control server command to the infected machine to download a Trojan binary which creates the proxy component. When launched, it creates port-forwarding rules allowing the infected machine to be used as a control server over HTTPs and can perform requests for new Pinkslipbot infections.
"The port-forwarding rules created by Pinkslipbot are too generic to remove automatically without risking accidental network misconfigurations. And as most malware do not interfere with port-forwarding, antimalware solutions may not revert such changes. Unfortunately, this means that your computer may still be vulnerable to outside attacks even if your antimalware product has successfully removed all Pinkslipbot binaries from your system," warned the researchers.
Ultimately, it means that even if the victim has removed Pinkslipbot/Qakbot from their system, the machine may be serving as a proxy control server for the malware - and making it vulnerable to other forms of online attack due to the open ports.
"Many Internet of Things devices work over UPnP and are steadily being installed and used by more people every day. As they become more ubiquitous, cybercriminals will see opportunities to use UPnP maliciously. We recommend that users keep tabs on their local port-forwarding rules and disable UPnP on their home routers unless they need it," said Karve.