New malware uses old trick – and is a reminder to disable UPnP

If there’s one thing that really annoys malware creators it’s the thought that their precious command & control (C&C or C2) infrastructure might be detected and disrupted by security researchers.

Without C&C, most modern malware becomes about as directed as a headless chicken. But what if this infrastructure could be hidden from view?

Anonymity networks such as Tor can do this, but not without drawbacks, including that it’s not the fastest and the dark web servers hiding inside it are still prone to disappearing in a puff.

It’s also possible to use an encrypted channel, malicious social media accounts and P2P networks, but these approaches merely hide the commands and not necessarily the relationship between bots and servers.

This brings us to the multi-purpose Pinkslipbot malware (more familiarly, QakBot or QBot) which has come up with an audacious if complicated third cloaking strategy for hiding C&C.

At one end of Pinkslipbot’s world sits a conventional C&C server, while at the other end is a computer that has been infected by it. In between sit two layers of HTTPS proxies made up of around 500,000 infected PCs, corralled to hide the connection.

Anyone trying to find the IP address of the C&C server controlling the malware will instead see the proxy system shielding it.

As impressed researchers note:

Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers.

They offer a detailed explanation of the innovative way this HTTPS proxying of control servers is executed – but we couldn’t help noticing with dismay the role of universal plug and play (UPnP).

This is a set of protocols invented a decade ago to make it easier for home networking devices to talk to one another through a domestic router or gateway without the user having to get their hands dirty.

The problem is that UPnP does this by helpfully opening ports through the gateway’s firewall, the perils of which Naked Security has written about before. It’s like a short cut through the firewall – in both directions.

After checking for a fast, US-based connection from an initial infection, Pinkslipbot tries to set up one or more of these short cuts on 27 different internal and external ports, letting the control server know when it succeeds.

For the victim, things get bad quickly:

We have observed multiple Pinkslipbot control server proxies hosted on separate computers on the same home network as well as what appears to be a public Wi-Fi hotspot.

Hijacking UPnP in this way is rare – the only other example is the 2008 Conficker worm, long before UPnP was as ubiquitous as it’s since become. The UPnP trick here is only a means to the end, but an important one.

Pinkslipbot acts as a proof-of-concept in how to abuse something as simple as UPnP to do something sophisticated. It will be copied soon enough.

The researchers suggest “users keep tabs on their local port-forwarding rules”, but frankly we’d recommend the simpler AC Milan defence: visit the gateway router’s WAN settings and disable UPnP completely.
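For anyone who takes the researchers’ advice to keep tabs on their port-forwarding rules, the following is an added example (not from the researchers, Sophos or the Pinkslipbot write-up) of how to read the gateway’s UPnP mapping table and flag entries the owner did not create. It assumes a standard UPnP IGD v1 gateway exposing the WANIPConnection service, whose GetGenericPortMappingEntry action returns one mapping per index and UPnP error 713 once the table is exhausted; the three gateway replies, the hosts, ports and allow-list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Standard UPnP IGD v1 service that holds the gateway's port-forwarding table.
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def parse_mapping(xml_bytes):
    """One mapping as a dict, or None on UPnP error 713 (SpecifiedArrayIndexInvalid)."""
    root = ET.fromstring(xml_bytes)
    code = next((e.text for e in root.iter() if e.tag.endswith("errorCode")), None)
    if code is not None:
        if code.strip() == "713":   # gateway: no entry at this index, table exhausted
            return None
        raise RuntimeError(f"UPnP error {code.strip()}")
    # Response elements are NewExternalPort, NewInternalClient, ...; strip "New".
    return {e.tag.split("}")[-1][3:]: (e.text or "").strip()
            for e in root.iter() if e.tag.split("}")[-1].startswith("New")}

def enumerate_mappings(replies):
    """Replies to GetGenericPortMappingEntry for index 0, 1, 2, ... up to the 713 fault."""
    found = []
    for m in map(parse_mapping, replies):
        if m is None:
            break
        found.append(m)
    return found

def audit(mappings, allowed):
    """Enabled mappings not on the owner's allow-list of (protocol, ext_port, client)."""
    return [m for m in mappings if m["Enabled"] == "1" and
            (m["Protocol"], int(m["ExternalPort"]), m["InternalClient"]) not in allowed]

def _reply(**f):
    # Constructed gateway reply for this example; element names follow the IGD spec.
    inner = "".join(f"<New{k}>{v}</New{k}>" for k, v in f.items())
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><u:{ACTION}Response xmlns:u='
            f'"{SERVICE}">{inner}</u:{ACTION}Response></s:Body></s:Envelope>').encode()

# Constructed sample replies for index 0, 1 and 2 (index 2 is the end-of-table fault).
SAMPLE_REPLIES = [
    _reply(ExternalPort="3074", Protocol="UDP", InternalPort="3074", Enabled="1",
           InternalClient="192.168.1.20", PortMappingDescription="console"),
    _reply(ExternalPort="61200", Protocol="TCP", InternalPort="443", Enabled="1",
           InternalClient="192.168.1.37", PortMappingDescription=""),
    (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><s:Fault><detail><UPnPError xmlns='
     '"urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode></UPnPError>'
     '</detail></s:Fault></s:Body></s:Envelope>').encode(),
]
ALLOWED = {("UDP", 3074, "192.168.1.20")}   # what the owner knows they set up
```

Against the sample table, the audit reports only the unexplained TCP forward to port 443 on the second host; against a live gateway, each reply would come from POSTing the action for successive indices to the service’s control URL, and the allow-list is whatever the owner deliberately configured.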