Pinkslipbot Control Server Proxy Detection and Port-Forwarding Removal Tool

Also known as Qakbot, Akbot or Qbot, the W32/Pinkslipbot worm uses different propagation vectors. It mainly spreads through infected Internet files that are downloaded locally or network shares. Once it reaches a computer, it can communicate to its command and control center in the attempt to download a backdoor that steals private information about the computer user.

Even if one manages to remove the malware from their computer, it has been discovered that Pinkslipbot uses infected machines as control proxy servers.

Home computers in North America that are behind an address translation router are particularly vulnerable, as the worm takes advantage of the UPnP (Universal Plug and Play) technology to open ports and authorize incoming connections without the user's consent. The proxy components can be downloaded, which results in the creation of new port-forwarding rules. Such changes are difficult to trace and even more difficult to revert by security software, as the risk of network misconfigurations is high. In other words, although users might have managed to remove W32/Pinkslipbot from their systems, the computer might still be prone to outside attacks.

To avoid vulnerabilities that result as a consequence of the PC being infected by Pinkslipbot, McAfee created a specialized software utility that can identify malicious services and eliminate port mappings that might have been created to turn the machine into an HTTP-based control proxy server. Its name is quite long, but it reveals its role entirely. It is called the Pinkslipbot Control Server Proxy Detection and Port-Forwarding Removal Tool.

Running in the console only, this application starts in detection mode by default, making no changes to the PC or the network configuration. It can identify the Pinkslipbot C2 proxy service and UPnP devices that might become attack points.

The application shows the user if any malicious service is running on their system and displays a list of all the UPnP devices and gateway services, along with the port forwarding rules on the local machine. To get disabling features one has to pass "/del" as an argument.

McAfee's utility is specifically designed to address the Pinkslipbot malware, using specific indicators to determine if the system is compromised. It identifies the Pinkslipbot control server proxy service if available and disables it upon request. Keep in mind that the service is not completely removed.