Malware-infected computers rented as proxy servers on the black market
Researchers have identified a Trojan program that turns infected computers into SOCKS proxy servers to which access is then sold
IDG News Service - Cybercriminals are using computers infected with a particular piece of malware to power a commercial proxy service that funnels potentially malicious traffic through them, according to security researchers from Symantec.
Three months ago, Symantec researchers started an investigation into a piece of malware called Backdoor.Proxybox that has been known since 2010, but has shown increasing activity recently.
"Our investigation has revealed an entire black hat operation, giving us interesting information on the operation and size of this botnet, and leading us to information that may identify the actual malware author," Symantec researcher Joseph Bingham said Monday in a blog post.
The malware is a Trojan program with rootkit functionality that transforms the computer into a proxy server. The rootkit component uses a novel technique to prevent access to the malware's other files and increase the malware's persistence on the system, Bingham said.
However, the most interesting aspect of this attack is how the infected computers are used by the attackers.
Botnets are one of the main tools used by cybercriminals because they are versatile. They can be used to send email spam, launch distributed denial-of-service attacks, solve CAPTCHA challenges on websites, perform online banking fraud or click fraud and many other activities.
In this particular case, the botnet's operators are using it to power a commercial proxy service called Proxybox.name.
Because they can hide a user's real IP (Internet Protocol) address, proxy servers are commonly used to evade online censorship attempts, bypass region-based content access restrictions or, in many cases, engage in various illegal actions.
Fully anonymous and transparent SOCKS proxy servers -- proxy servers that can route traffic for any application, not just browser connections -- are hard to come by and this is exactly what the Proxybox service offers.
According to the Proxybox website, for $25 a month, customers can get access to 150 proxy servers from the countries they desire, while for $40 they can get access to an unlimited number of proxies. The service operators promise not to keep any access logs, which makes these servers perfect for criminal use because there will be no logs for authorities to request and review.
"We expect over 2,000 bots online all the time," the Proxybox operators say on their website. However, after monitoring the botnet's command and control servers, the Symantec researchers believe that there are around 40,000 active proxies at any given time.
The Proxybox malware is distributed in a variety of ways, including through drive-by download attacks launched from compromised websites that host commercial exploit toolkits like Blackhole, Bingham said.
Advertisements for the Proxybox service seen on underground forums were linked to ads for other black market websites that offer VPN (virtual private network), private antivirus scanning or proxy testing services and offer the same ICQ contact number and payment methods: WebMoney, Liberty Reserve and RoboKassa.
"We started to look into the payment accounts associated with these websites, and found out that they were tied to an individual with a Ukrainian name living in Russia," Bingham said. "The additional details associated with this WebMoney account are undisclosed as we work with law enforcement in countries associated with the command-and-control servers."
The risks for users whose computers are infected with Backdoor.Proxybox are significant. Because of the unauthorized proxy servers running on their systems, their IP addresses might be involved in a lot of illegal activities without their knowledge.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts