Defending against network snooping proxy servers

Firesheep brought to light the issue of network snooping, that is, having another person on a shared network virtually watching over your shoulder. It lowered the bar for identity theft (in a very limited capacity) to the point that all Mac OS X Firefox users could do it (Firesheep does not work for many, if not most, Windows users).

While articles on Firesheep focused on open, unencrypted, not-password-protected wireless networks, the fact is, you can be snooped on in many other ways on other types of networks. For example, a proxy server lets a bad guy watch your network traffic on every network, wired or wireless.

I've recently run across two virus-infected Windows computers. In each case, removing the malware had the undesirable side effect of no more web browsing.

Internet Explorer just failed to load websites with the usual, useless error messages. Fortunately, each computer also had Firefox installed and Firefox's error messages pointed to a proxy server issue.

The malware had set itself up as a proxy server on the infected computers and without it, the web browsers could no longer display web pages.

A proxy server is a middleman: it sits between your computer and the websites you visit. I'm no expert on the subject, but it's safe to say that there are good and bad proxy servers. They can speed up web browsing with caching (good), enforce rules on restricted websites (good and bad), or log activity (also good and bad).

The malware in question was probably listening in on all the web traffic on the infected computers. It's a perfect way to snoop on passwords for valuable websites, such as online banking.

Proxy servers have been recommended for years as a defensive strategy. The downside has been setting them up; it can get a bit techie.

Anyone with access to an SSH server can make a secure encrypted connection to the SSH server machine and then set their web browser to use the SSH server as a proxy.

When used from a public Wi-Fi network, this forces web pages, cookies and requests for web pages to travel back and forth over the encrypted link to the SSH server before being dumped on the Internet over a wired connection. Snoops on the public wireless network only see encrypted web traffic.

Defensive Computing Protection

Firesheep aside, there are a number of Defensive Computing steps to take regarding malware modifying your proxy server settings.

The first step is obviously to install Firefox. In both cases that I dealt with, it was Firefox that first put us on to the fact that a proxy server was the reason that websites would not load.

As a general rule, the Defensive Computing approach is to have more than one web browser installed. Whenever you have a web related problem, your knee-jerk reaction should be to try the same thing in another browser. Firefox and Chrome are both excellent, free and cross-platform.

While the use of antivirus/antimalware software goes without saying, what may not be obvious is that limiting yourself to one product is sheer folly.

No single antivirus program is perfect, not even close.

Any time I deal with an infected Windows machine, I scan it with a multitude of antimalware software. It never fails that the second, third and fourth scans find something malicious (ignoring cookies) that the prior scans missed.

If you don't use NOD32, try the free online virus scan offered by the vendor, ESET.

Another excellent choice is the free, portable version of SUPERAntiSpyware. This is not an online scanner; the software needs to be downloaded.

Unlike many programs, the free version of SUPERAntiSpyware is not stripped down or limited; it offers all the detection and removal of the paid version of the software.

The download is a single file and comes with all the latest virus definitions built in; you do not need to update it before scanning.

The only gotcha with the portable edition of SUPERAntiSpyware is that "definition" updates don't stick. That is, if you do update the "definitions" and then copy the downloaded file to another machine, the updates are not copied.

SUPERAntiSpyware recently found malware for me on a machine with an up-to-date copy of Norton Internet Security. Again, this is the rule not the exception.

Ed Bott recently wrote about a virus that Microsoft Security Essentials detected but that both McAfee and Sunbelt missed. Ho hum. Then he updated the story to include another virus, one that was also detected by Security Essentials but missed by Symantec, Avast, and Trend Micro. Boring.

Bott's article is called Microsoft vs. McAfee: How free antivirus outperformed paid, but the title is totally bogus. It's not a story of Microsoft vs. McAfee. Neither is it a tale of free vs. paid antivirus software. Rather, it illustrates how fallible any single antivirus program is.

At virustotal.com, Bott's first virus was detected by 17 of the 43 antivirus products. His second was detected by 15. This has been my experience too.

Finally, I suggest periodically verifying that your web browsers are not using a proxy server*.

In Firefox 3.6.12 on Windows, do Tools -> Options -> Advanced tab -> Network tab -> Settings button.

For Internet Explorer 8, do Tools -> Internet Options -> Connections tab -> LAN Settings button.

Chrome 7 on Windows defaults to using the same proxy settings as Internet Explorer. You can see this for yourself with Wrench -> Options -> Under the Hood tab -> Change proxy settings button. Clicking the button opens the IE Connections tab.

However, according to this article, Chrome proxies can be controlled with command line arguments, so it is necessary to check the shortcut used to invoke Chrome to ensure it is not forcing the use of a potentially malicious proxy server.
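As an added example (not code from the article or from any product it names), the PowerShell script below audits the three places just described on a Windows machine: the WinINET settings behind IE's LAN Settings button (which Chrome 7 inherits), each Firefox profile's prefs.js, and the arguments of any Chrome shortcut, where Chrome's --proxy-server and --proxy-pac-url switches can force a proxy. It treats a proxy on 127.0.0.1 as expected, which is what the SSH tunnel described earlier looks like from the browser's side, and marks everything else for investigation; the expected-host list and the shortcut folders it searches are assumptions to adjust for your setup.

```powershell
# Added example, not code from the article. Audits WinINET (IE 8 / Chrome 7),
# Firefox prefs.js and Chrome shortcut switches for proxy settings and flags
# any proxy host that is not a local tunnel (e.g. an ssh -D SOCKS proxy on 127.0.0.1).
# Assumptions: the $expectedHosts list and the shortcut folders in $lnkDirs.
$expectedHosts = @('127.0.0.1', 'localhost')

function Test-Suspicious([string]$proxy) {
    # $true unless every host in "host:port", "http=host:port;..." or "socks5://host:port" form is expected
    if (-not $proxy) { return $false }
    foreach ($entry in ($proxy -split ';')) {
        $h = ($entry -replace '^\w+(=|://)', '') -replace ':\d+$', ''
        if ($expectedHosts -notcontains $h) { return $true }
    }
    return $false
}
function Write-Finding([string]$where, [string]$value, [bool]$bad) {
    $tag = 'expected'; if ($bad) { $tag = 'INVESTIGATE' }
    "{0}: {1} [{2}]" -f $where, $value, $tag
}

# 1. WinINET, i.e. IE Tools -> Internet Options -> Connections -> LAN Settings
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $key
if ($inet.ProxyEnable -eq 1) { Write-Finding 'WinINET proxy' $inet.ProxyServer (Test-Suspicious $inet.ProxyServer) }
if ($inet.AutoConfigURL) { Write-Finding 'WinINET PAC script' $inet.AutoConfigURL $true }

# 2. Firefox: prefs.js holds only non-default prefs, so any proxy line there was set explicitly
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $text = [IO.File]::ReadAllText($_.FullName); $p = $_.Directory.Name
    foreach ($m in [regex]::Matches($text, '"network\.proxy\.(http|ssl|socks|ftp)",\s*"([^"]+)"')) {
        $h = $m.Groups[2].Value
        Write-Finding "Firefox $p $($m.Groups[1].Value) proxy" $h (Test-Suspicious $h)
    }
    if ($text -match '"network\.proxy\.autoconfig_url",\s*"([^"]+)"') {
        Write-Finding "Firefox $p PAC script" $Matches[1] $true
    }
}

# 3. Chrome shortcuts that force a proxy via --proxy-server= or --proxy-pac-url=
$shell = New-Object -ComObject WScript.Shell
$lnkDirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
             "$env:APPDATA\Microsoft\Windows\Start Menu", "$env:ProgramData\Microsoft\Windows\Start Menu")
Get-ChildItem -Path $lnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.TargetPath -like '*chrome.exe' -and $lnk.Arguments -match '--proxy-(server|pac-url)=(\S+)') {
        $v = $Matches[2].Trim('"')
        Write-Finding "Chrome shortcut $($_.Name) --proxy-$($Matches[1])" $v (($Matches[1] -eq 'pac-url') -or (Test-Suspicious $v))
    }
}
```

Any PAC script is reported for investigation because a script can route traffic anywhere regardless of where it is hosted; a line tagged expected is only expected if you set up that local tunnel yourself.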

Update: November 23, 2010:  What do you do if you find an IP address listed as a proxy server? How can you tell if the proxy is legit? Try entering it at the ip2location.com product demo. It's a great website for investigating an IP address.

*If you work for a large organization the proxy servers may have been configured on purpose. Check with the techie powers that be.

NOTE: There is another possible motive for malicious proxies. The F-Secure description of Trojan-Proxy:W32/Grum.A says that "This type of trojan allows unauthorized parties to use the infected computer as a proxy server to access the Internet anonymously."

Simply put, this means that bad guys can do bad things on the Internet through your computer and appear, to the outside world, to be you. Not good.
