In response to news of the QakBot trojan, which uses new exploit methods to continue to use infected machines as control servers, even after its capability to steal personal and financial data from the infected machine has been removed by a security product, IT security experts commented below.
Don Duncan, Engineer at NuData Security:
“Pinkslipbot is the latest variant of QakBot, which has been causing havoc in the wild for more than 10 years, and is the latest reminder that best practices are a major component of a user’s best defense. Pinkslipbot is extremely persistent, and essentially anyone with fast internet and open ports on an Internet gateway device using UPnP is vulnerable to it. Pinkslipbot detects available ports, infects machines behind the firewall, and relays information to C&C servers. In the short term, it’s important that “local port-forwarding rules” be monitored, and UPnP should be turned off if the user doesn’t need it.
“Ultimately, the solution is to prevent the use of stolen data by overlaying new barriers in the form of behavioral biometric authentication. These new solutions authenticate users based on their online behaviors – methods that are extremely resistant to impersonation, don’t rely on credentials and can even provide banks with options to upgrade user experiences for good customers. These technologies are going to defeat Trojans and malware by making the credentials and payment card details obsolete. Fraudsters are in the business of making money, so the real answer is to the data useless.
New solutions authenticate users based on their online behaviors; methods that are extremely resistant to impersonation, don’t rely on credential data, and can even provide banks with options to upgrade user experiences for trusted good customers. These technologies are going to defeat Trojans and malware by making the credentials and payment card details that the fraudsters go after obsolete.”
Gabriel Gumbs, VP of Product Strategy at STEALTHbits Technologies:
“We recently saw WannaCry be rather troublesome for organizations, but not nearly as much for home users; QakBot/Pinkslipbot on the other hand is likely to be more of an issue for home users, and the reason has everything to do with the way these pieces of malware spread.
“Wannacry relied on SMB, a port that is disabled by default on most home routers, while being enabled inside of a business to allow file sharing. QakBot/Pinkslipbot relies on uPnP as part of its larger infection strategy, a port that can be opened in almost every home to allow IoT and other home devices to work seamlessly. Organizations still need be very diligent as this malware does three things that can disrupt every business. It locks out hundreds to thousands of Active Directory accounts in quick succession, attempts to logon to many accounts that do not exist, such as “”administrador” and deploys malicious executables to network shares and registering them as a service, all in an attempt to create further havoc within Active Directory environments. Companies will want to actively monitor for these types of events as they can easily go unnoticed until the damage is done.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.