Malware Turns Infected Systems Into Proxies

Security researchers at Palo Alto Networks have discovered a new family of malware that secretly turns infected systems into Internet proxies.

Dubbed ProxyBack, the family includes over 20 malware versions and has been observed infecting systems since March 2014, Palo Alto Networks’ Jeff White explains in a blog post. According to the researchers, ProxyBack’s distribution is focused mainly in Europe, and its primary targets appear to be educational institutions.

Proxies are often used to protect one’s privacy on the Internet, but the malware creates a dangerous situation for users by turning their systems into proxies and abusing them as a proxy service. Moreover, the masterminds behind it managed to configure compromised machines in a manner that allows network traffic to flow through the proxies unhindered.

To ensure that the proxy is not blocked by firewalls or other network-based restrictions, ProxyBack builds a reverse tunnel over TCP to an attacker-controlled proxy server. Because the infected system makes the initial call home, the proxy server can send its traffic through the tunnel and on to the Internet or to other devices on the network unrestricted.

This approach means that the victim proxy creates a hole in the firewall by establishing a TCP connection with the attacker-controlled proxy server, while the server validates its access to the victim proxy and the ability to successfully route traffic through it. As soon as that happens, the victim proxy is unwillingly participating in the routing of web traffic to the Internet, the network security firm said.
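A defender-side heuristic for spotting the relay pattern described above in flow records, as an added example that is not code from Palo Alto Networks or from this article. The flow fields, thresholds and sample records are assumptions constructed for illustration: a host is flagged when it holds a long-lived outbound connection to one external peer while fetching from many other destinations, and the bytes it sends up that connection roughly equal the bytes it fetched.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "start end src dst bytes_out bytes_in")

INTERNAL = ip_network("10.0.0.0/8")  # assumption: monitored address space
MIN_TUNNEL_S = 3600                  # assumed threshold for a "long-lived" session
MIN_FANOUT = 5                       # assumed minimum of distinct relay destinations
RATIO_BAND = (0.5, 2.0)              # assumed tolerance: tunnel bytes out vs. bytes fetched

# Constructed sample flows using documentation address ranges, not captured traffic.
FLOWS = [
    Flow(0, 7200, "10.1.1.23", "203.0.113.50", 900_000, 60_000),  # outbound call home
    *[Flow(100 + 600 * i, 160 + 600 * i, "10.1.1.23",
           f"198.51.100.{i + 1}", 8_000, 150_000) for i in range(6)],
    Flow(0, 7200, "10.1.1.40", "192.0.2.10", 20_000, 25_000),     # benign long session
    *[Flow(200 + 600 * i, 260 + 600 * i, "10.1.1.40",
           f"198.51.100.{i + 1}", 8_000, 150_000) for i in range(6)],
]

def find_relay_hosts(flows):
    """Return (host, tunnel_peer, fanout, ratio) for hosts that look like relays."""
    by_src = defaultdict(list)
    for f in flows:
        if ip_address(f.src) in INTERNAL:
            by_src[f.src].append(f)
    findings = []
    for src, host_flows in by_src.items():
        for t in host_flows:
            # Candidate tunnel: long-lived session the host opened to an external peer.
            if ip_address(t.dst) in INTERNAL or t.end - t.start < MIN_TUNNEL_S:
                continue
            # Other flows the host opened while the candidate tunnel was up.
            inside = [f for f in host_flows
                      if f.dst != t.dst and f.start >= t.start and f.end <= t.end]
            fanout = len({f.dst for f in inside})
            fetched = sum(f.bytes_in for f in inside)
            if fanout < MIN_FANOUT or fetched == 0:
                continue
            # A relay returns what it fetched, so the two byte counts track each other.
            ratio = t.bytes_out / fetched
            if RATIO_BAND[0] <= ratio <= RATIO_BAND[1]:
                findings.append((src, t.dst, fanout, round(ratio, 2)))
    return findings

if __name__ == "__main__":
    for finding in find_relay_hosts(FLOWS):
        print(finding)
```

The second constructed host has the same fan-out but is not flagged, because its long-lived session carries far fewer bytes than it fetched.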

The first step ProxyBack takes when establishing the tunnel is to make a connection to a web server hosting a PHP file that contains a URL to another PHP file on the same server. The second PHP file is used to send commands to the initial web server and grab information to set up the proxy connection.

The server is provided with information that includes the public IP address of the victim proxy and the ID for the victim proxy. The ID is used to keep track of the infected system, and Palo Alto Networks determined that over 11,000 machines could have been compromised to date.

ProxyBack also reports the version of the running malware and the running operating system, and the security researchers suggest that it might be running on Windows 2000 and older platform iterations, including Windows Home Server and Windows Server 2003 to Windows Server 2016, since it can report any of these versions to the proxy server.

Palo Alto Networks reports a sizable increase in traffic routed through infected systems and notes that ProxyBack is used as a proxy service, but that users’ traffic is neither anonymous nor safe from tampering. Most of the traffic is said to source from an automated system creating fake accounts across dating sites like “”, “”, “”, and “”.

Another website was “,” which matched a proxy service found within the security firm’s captures, with a GET Request Method to http://buyproxy[.]ru/proxy/ observed at less than 4 hours into the capture. However, there was also legitimate traffic coming from benign users, and it included sites like eBay, Twitter, Craigslist, Facebook, Wikipedia, and more.

The buyproxy[.]ru website claims to have been in business for over 7 years and to offer private proxy servers that are not in public proxy bases, while also saying that connections are encrypted and use a “proprietary technology of traffic tunneling.” Security researchers found various victim proxies listed on the website, suggesting that, even if the people behind “buyproxy[.]ru” are not responsible for the distribution of the ProxyBack malware, the malware is certainly designed for and used in their service.
