Cyber criminals are using computers infected with a particular piece of malware to power a commercial proxy service that funnels potentially malicious traffic through them, according to security researchers from Symantec.
Three months ago, Symantec researchers started an investigation into a piece of malware called Backdoor.Proxybox that has been known since 2010, but has shown increasing activity recently.
“Our investigation has revealed an entire black hat operation, giving us interesting information on the operation and size of this botnet, and leading us to information that may identify the actual malware author,” said Symantec researcher Joseph Bingham.
The malware is a Trojan programme with rootkit functionality that transforms the computer into a proxy server. The rootkit component uses a novel technique to prevent access to the malware’s other files and increase the malware’s persistence on the system, Bingham said.
However, the most interesting aspect of this attack is how the infected computers are actually used by the attackers.
Botnets are one of the main tools used by cyber criminals because they are versatile. They can be used to send email spam, launch distributed denial-of-service attacks, solve CAPTCHA challenges on websites, perform online banking fraud or click fraud and many other activities.
In this particular case, the botnet’s operators are using it to power a commercial proxy service called Proxybox.name.
Because they can hide a user’s real IP (Internet Protocol) address, proxy servers are commonly used to evade online censorship attempts, bypass region-based content access restrictions or, in many cases, engage in various illegal actions.
Fully anonymous and transparent SOCKS proxy servers — proxy servers that can route traffic for any application, not just browser connections — are hard to come by and this is exactly what the Proxybox service offers.
According to the Proxybox website, for US$25 a month, customers can get access to 150 proxy servers from the countries they desire, while for $40 they can get access to an unlimited number of proxies. The service operators promise not to keep any access logs, which makes these servers perfect for criminal use because there will be no logs for authorities to request and review.
“We expect over 2,000 bots online all the time,” the Proxybox operators say on their website. However, after monitoring the botnet’s command and control servers, the Symantec researchers believe that there are around 40,000 active proxies at any given time.
The Proxybox malware is distributed in a variety of ways, including through drive-by download attacks launched from compromised websites that host commercial exploit toolkits like Blackhole, Bingham said.
Advertisements for the Proxybox service seen on underground forums were linked to ads for other black market websites that offer VPN (virtual private network), private antivirus scanning or proxy testing services and offer the same ICQ contact number and payment methods: WebMoney, Liberty Reserve and RoboKassa.
“We started to look into the payment accounts associated with these websites, and found out that they were tied to an individual with a Ukrainian name living in Russia,” Bingham said. “The additional details associated with this WebMoney account are undisclosed as we work with law enforcement in countries associated with the command-and-control servers.”
The risks for users whose computers are infected with Backdoor.Proxybox are significant. Because of the unauthorised proxy servers running on their systems, their IP addresses might be involved in a lot of illegal activities without their knowledge.
The report further dims the prospect of a Wall Street initial public offering by Huawei, according to one IPO observer. The company has been exploring a possible IPO, partly to provide more transparency that could foster greater trust within the U.S., according to the Wall Street Journal. Sam Hamadeh, CEO of private-company information source PrivCo, said the report probably further discounted the sum Huawei might raise in an offering.
“Even before the news in the last 24 hours, an IPO wasn’t likely,” Hamadeh said. “That sort of declaration by a Congressional panel is exactly the kind of thing that would frighten off investors.” One financial concern may be that the panel’s report could cause a domino effect in which other countries raise alarms on the same issues, he said. But Huawei might yet launch an offering in Hong Kong or London, Hamadeh said.