Advertisement

New malware sets up anonymous proxies on infected PCs

Bandwidth is siphoned from infected computers and secretly sold for profit

ProxyBack

From ransomware to botnets, all web attacks designed to steal money and data or disrupt service. Network and enterprise security firm Palo Alto Networks discovered a new weapon in the continuous cybersecurity-versus-hackers arms race that takes the form of something slightly different: ProxyBack, a virus that turns the infected machine into an anonymous proxy host.

Proxy connections are greatly demanded in nations with heavily-restricted Internet access because they obscure users’ IP address similar to VPNs. But unlike VPNs, proxies are significantly less effective and easier to trace.

ProxyBack bypasses firewalls and anti-virus software that normally detect proxy traffic by creating a reverse tunnel on the compromised system, allowing requests to pass through undetected. Next, it reaches out over TCP to a malicious proxy server to verify that it’s been properly set-up, beckoning the server to send out a test ping to ensure that the proxy tunnel is open on both sides.

Palo Alto notes that the infected machine it monitored showed a large volume of proxy traffic passing through, dedicated to both nefarious activity as well as surfing ordinary sites like Facebook, Twitter, and Wikipedia — the latter, presumably proxy users who are unaware that their traffic is being funnel through a hijacked and unsecured machine, instead of the secured service they paid for.

The malicious activity made up the bulk of the ProxyBack’s bandwidth, and was used to set up fake profiles on Match.com, OkCupid, eBay, and Craigslist. When the researchers traced the connection back to its source, they discovered a subscription proxy service called buyproxy.ru, which claims to route traffic using “proprietary technology of traffic tunneling.”

Digging deeper, the team discovered their very own test machine listed as one of the available proxies on the site, further insinuating a possible link between the virus and the proxy-seller, although there’s no direct evidence that buyproxy.ru is behind the malware.

Most competent malware scanners should be able to remove the virus now that it’s been identified, although, as is usually the case with these things, it may return in some shape of form.

Source: ExtremeTech

Advertisement



Learn more about Electronic Products Magazine

Leave a Reply