McAfee Launches Free Tool That Removes Pinkslipbot Leftovers That Use Your PC as Proxy

typical Pinkslipbot control server

McAfee launched AmlPinkC2 free tool which is window command line application. It deletes remnant files of Pinkslipbot infections that permission the malware to continue to use the previously infected computers as proxy relays, even if the original malware’s binary has been hose downed and removed from infected hosts.

System Requirement:

To use this tool, you must have:

  • A computer running Windows XP or higher
  • An active network connection

What is the Pinkslipbot?

what is the pinkslipbot

Pinkslipbot is a banking trojan that became visible in 2007 and is also tracked under three other names, such as Qakbot, Qbot, and PinkSlip.

This banking trojan isn’t always active, and it keeps coming back in waves, as part of very well-planed campaigns. In the past years, numerous cyber-security companies have tracked its attacks and broken down its different versions [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].

The most recent campaign was spotted by IBM security researchers, who noticed Pinkslipbot versions that caused Active Directory lockouts on infected computers.

McAfee finds new wrinkle in Pinkslipbot infections

One of the companies that have historically tracked Pinkslipbot campaigns is McAfee. Its researchers presented an analysis of the trojan’s C&C server infrastructure and its method C&C communications at last year’s Virus Bulletin security conference.

Last week, while looking over past and present Pinkslipbot campaigns, researchers found a new wrinkle in the trojan’s mode of operation.

Researchers say Pinkslipbot authors are much clever than they initially thought. According to McAfee, besides stealing the user’s data, the banking trojan also uses infected hosts as proxy servers to relay information from the central C&C server to other infected hosts, in a mesh-like network.

New McAfee tool removes last remnants of Pinkslipbot infections

According to McAfee, most security tools remove only the malware’s main binaries, crippling the trojan’s ability to collect passwords from infected hosts.

These Pinkslipbot removal procedures leave intact the code that creates these proxy servers, which run via the Windows UPnP (Universal Plug and Play) service.

McAfee’s new tool will remove these remaining files and prevent Pinkslipbot from using users’ PCs to relay C&C commands or to hide the exfiltration of stolen data through a mesh of proxies.

The AmIPinkC2 tool is available for download here. McAfee has published usage instructions here [PDF].


Leave a Reply

Your email address will not be published. Required fields are marked *

1 × two =