Battling the Pink Slip Virus Yet Again

Chris Williams, Enterprise Security Architect

Back in 2011, a virus made the rounds and headlines.  Called the “pink slip” virus, it was so named because it circulated at a number of organizations either immediately after or immediately before rounds of IT layoffs.  Many individuals speculated that disgruntled IT engineers had crafted the virus as a “parting gift” to their former employers.  While it is never possible to be certain of these sorts of things, security experts who studied the original virus back in 2011 concluded that it was sophisticated enough to be the work of a malicious cybercrime professional, rather than the weekend work of a frustrated IT professional.  But then, you can never be sure.

Why are we bringing this up now?

Well, the pink slip virus is back.  It is a new variant, but the concept is the same, and it is making the rounds of the Internet as we speak.  Leidos and other cybersecurity professionals have been fighting an outbreak of this virus since January 2016.  This outbreak is still in its early stages, and may propagate much further before it is contained and the threat goes “silent” yet again.

What is the “pink slip” virus?

For those inclined to do web searches, the virus making the rounds today is a derivative of the original virus, which is more commonly known as “Qakbot.”  According to Anubis Networks:

“Qakbot is a Trojan with worm-like capabilities targeting 32-bit Windows PCs.  Its primary purpose is to steal online banking account information.”

The “pink slip” virus exploits a number of vulnerabilities in Microsoft, Apple, and Adobe products to compromise machines that it contacts, and once it gets inside of an enterprise, it uses network shares and removable drives to come into contact with additional machines to infect.  Technically, it is a “Trojan” that also has “worm” capabilities, which means that, once introduced into your network, it can rapidly spread without any further human intervention.  For the sake of this article, we are simply going to call it a “virus.”

Once the virus infects compromised machines, it monitors user activity to steal e-mail addresses, accounts, certificates, web addresses, and login credentials, and sends them to command-and-control servers on the Internet.  From there, it is reasonable to expect that the people deploying this malware will then use that information to perform identity theft and to compromise credit cards and banking information.  In addition, some versions of this virus use “rootkit” behavior to modify the victim’s operating system so that their activity cannot be easily seen using tools such as Task Manager or the Registry Editor.  Finally, some variants are anti-virus aware, and will attempt to modify or disable the anti-virus on the computer so that it cannot be cleaned using those tools.

What is the threat to my enterprise?

The threat that this virus poses, like so many before it, is threefold:

  1. It uses up resources on the enterprise network replicating itself and corrupting computers
  2. It consumes personnel resources to attempt to eradicate it
  3. It steals credentials and information that can then be used for criminal activity

For affected enterprises, this impact can be a nuisance, or it can turn into a disaster, depending on the level of detection and response that occurs after the initial infection.  It is not uncommon for a small organization to be overwhelmed by an infection like this, and see every single computer in the enterprise get compromised, along with every single account.  Remember that the affected accounts are not just internal accounts or logons to web sites.  They can be banking credentials, Twitter handles, healthcare and human resources sites containing regulated healthcare data, and more.

Compromise of corporate accounts can have disastrous consequences:  payroll accounts can be emptied, corporate credit cards can be stolen, and personally identifiable information breached.  This can result in damages, fines, or other consequences worth millions of dollars.

Can’t I just install a patch, or buy a product?

Pinkslip / Qakbot is an excellent example of “modern” malware.  There are many variants with many different signatures exploiting many different vulnerabilities, and developers are constantly cranking out new versions that exploit new vulnerabilities and have new patterns for recognition.  This makes it very hard for defenders to keep up with it.  Certainly, some security products may have some successes countering this particular attack, but do you want to bet millions of dollars (or a currency of your choice) on the hope that a single product in the enterprise is going to protect you?  A new variant specifically designed to defeat your protection may be just around the corner, and you might not know about it until it is too late.

With this in mind, enterprises need a defense-in-depth strategy to counter attacks like these.  That strategy needs to focus on the “Four D’s” of cybersecurity:

  • Disrupt the attack, so that some attacks are stopped before they begin
  • Detect the attack, so that defenders can identify an attack is occurring
  • Delay the attack, so that defenders have time to respond before the attack completes
  • Defeat the attack through a determined and organized response

Installing patches and buying products is an integral part of this process, but it is not the most important part.  The most important part is having the ability to detect and respond to virus outbreaks when they occur.  When was the last time your enterprise remediated a computer that had become infected?  If the answer is “never”, you may already be a victim.  People are going to make mistakes, products are going to fail, and defenses are going to be breached.  The question is what happens after that initial failure occurs.

What happens when an attack is detected?

The Leidos Managed Security Service (MSS) Security Operations Center (SOC) monitors malware like PinkSlip / Qakbot to help our customers counter it.

This attack, like so many before it, goes in waves.  The underlying virus technology goes back to 2008, when it had a very successful outbreak, and then to 2011, when it broke out again.  Now, in 2015/2016, we are seeing it emerge and spread across the Internet yet again.  No doubt it will happen again in the future, with new versions that utilize new techniques and exploit new vulnerabilities.

When attacks like this occur, there are several actions that a security operations center needs to take:

  1. Understand the source of the malware and its criminal objectives
  2. Understand the vulnerabilities exploited by the malware to get into the enterprise
  3. Understand the methods the malware uses to propagate in the enterprise
  4. Understand the methods the malware uses to communicate with its controllers
  5. Understand the information the malware steals or the damage it does
  6. Figure out ways to identify malware infections when they occur
  7. Figure out ways to contain and eradicate malware infections when they occur
  8. Incorporate all of the above into the enterprise’s ongoing cybersecurity posture
  9. Communicate all of the above information to business leadership

The Leidos Managed Security Service does these actions for our commercial customers, just as Leidos’ national security programs perform many similar actions for our federal customers.  It is a never-ending arms race between cyberdefenders who must always counter the latest attacks, and cyberattackers who are looking to defeat the latest defense.  It is a race we must run – our customers’ businesses are at stake.