Symantec has pulled back some of the covers from the Proxybox botnet.
Symantec researchers revealed that their monitoring of the botnet's command-and-control server during the last few months shows the botnet controller tries to keep the size of the botnet at around 40,000 active users at any given time.
The threat is comprised of three components: a dropper, the payload and a rootkit.
"The dropper installs the payload as a service on the computer, copying the payload executable to the system and installing the rootkit," explained Symantec's Joseph Bingham, in a blog post. "The rootkit attempts to protect the malicious payload and all other files associated with the threat to increase the threat's persistence. The rootkit implements a novel method to avoid device-stack file scanning. The payload itself is a DLL, which is executed when the computer starts and acts as a low-level proxy service that enters the compromised computer into a large botnet used for funneling traffic."
"The controller has used several mediums for distribution, including Blackhole Web exploits," he continued. "Interestingly, each command server also provided the botnet client with a backup server with a URL of [http://]proxybox.name…This URL was found in advertisements in underground forums such as Antichat.ru, a Russian forum for transactions involving shell and exploit scripts, proxy and VPN services, malware installs, and other disreputable services."
The advertisements by this user provide a link between four dubious websites, all authored by the same individual, identified by Symantec only as an entrepreneurial Russian hacker.
"These websites all revolve around proxies and malware distribution," Bingham noted. "One website provides proxy access (proxybox.name), another provides VPN services (vpnlab.ru), one provides private antivirus scanning (avcheck.ru), and one provides proxy testing services (whoer.net). These four sites are also connected by static cross-linking advertisements."
The author of these sites provides the same ICQ support number to the users of the Web services, and several of the sites offer services for money using the following payment gateways: WebMoney, Liberty Reserve, and RoboKassa, Bingham wrote.
"We started to look into the payment accounts associated with these websites, and found out that they were tied to an individual with a Ukrainian name living in Russia," he added. "The additional details associated with this WebMoney account are undisclosed as we work with law enforcement in countries associated with the command-and-control servers."
Symantec's analysis can be found here.