SecurityWeek

Endpoint Security

Symantec: Russian Hacker Behind Proxybox Trojan

Symantec has pulled back some of the covers from the Proxybox botnet.

Symantec researchers said that monitoring the botnet's command-and-control server over the past few months showed the operator keeping the botnet at roughly 40,000 active infected machines at any given time.

The threat consists of three components: a dropper, the payload, and a rootkit.

“The dropper installs the payload as a service on the computer, copying the payload executable to the system and installing the rootkit,” explained Symantec’s Joseph Bingham, in a blog post. “The rootkit attempts to protect the malicious payload and all other files associated with the threat to increase the threat’s persistence. The rootkit implements a novel method to avoid device-stack file scanning. The payload itself is a DLL, which is executed when the computer starts and acts as a low-level proxy service that enters the compromised computer into a large botnet used for funneling traffic.”

“The controller has used several mediums for distribution, including Blackhole Web exploits,” he continued. “Interestingly, each command server also provided the botnet client with a backup server with a URL of [http://]proxybox.name… This URL was found in advertisements in underground forums such as Antichat.ru, a Russian forum for transactions involving shell and exploit scripts, proxy and VPN services, malware installs, and other disreputable services.”
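The persistence mechanism Bingham describes above, an auto-start service whose real code is a DLL rather than a normal executable, is something a responder can hunt for on any Windows host without knowing the threat's file names in advance. The following triage script is an added example, not Symantec's code and not derived from the Proxybox samples: it reads a CSV export of installed services (the column set is an assumption; an analyst would build it from the registry or a WMI query) and flags auto-start services whose DLL or host binary lives outside the Windows system directories. The sample rows are constructed for the example.

```python
"""Triage Windows service persistence: auto-start services whose payload is a
DLL hosted by svchost.exe/rundll32.exe, or whose binary sits in a
user-writable directory.

Added example (not Symantec's code). The CSV layout and the sample rows are
assumptions constructed for this demonstration.
"""
import csv
import io
import re
from dataclasses import dataclass

# Where a legitimate ServiceDll or service binary normally lives.
TRUSTED_DIRS = (
    r"c:\windows\system32\\"[:-1],   # strip the escaping artefact: c:\windows\system32\
    r"c:\windows\syswow64\\"[:-1],
)
# Directories an ordinary user (or a dropper running as that user) can write to.
SUSPECT_DIRS = (r"c:\programdata\\"[:-1], r"c:\users\\"[:-1], r"\temp\\"[:-1], r"\appdata\\"[:-1])
# Host processes whose real code is a DLL named elsewhere.
DLL_HOSTS = ("svchost.exe", "rundll32.exe", "regsvr32.exe")


@dataclass
class Finding:
    name: str
    reason: str
    path: str


def _normalize(path: str) -> str:
    """Lower-case, strip surrounding quotes, expand the two env vars that matter."""
    p = (path or "").strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def host_exe(path_name: str) -> str:
    """Executable file name from a service ImagePath, ignoring its arguments."""
    p = _normalize(path_name)
    m = re.match(r'(.+?\.exe)', p)
    exe = m.group(1) if m else p.split()[0] if p else ""
    return exe.rsplit("\\", 1)[-1]


def service_dll(row: dict) -> str:
    """The DLL that actually runs: Parameters\\ServiceDll for svchost-hosted
    services, otherwise the first .dll argument on the command line (rundll32)."""
    dll = _normalize(row.get("ServiceDll"))
    if not dll:
        m = re.search(r'([^\s"]+\.dll)', _normalize(row.get("PathName")))
        dll = m.group(1) if m else ""
    return dll


def triage_services(csv_text: str) -> list:
    """Return Findings for auto-start services with untrusted DLLs or binaries.

    Expected columns (assumed): Name,StartMode,PathName,ServiceDll
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["StartMode"].strip().lower() != "auto":
            continue  # boot-time persistence is the property the dropper wants
        exe = host_exe(row["PathName"])
        dll = service_dll(row)
        image = _normalize(row["PathName"])
        if dll and not dll.startswith(TRUSTED_DIRS):
            findings.append(Finding(row["Name"], "ServiceDll outside trusted directories", dll))
        elif exe in DLL_HOSTS and not dll:
            # The export did not capture the DLL; pull Parameters\ServiceDll by hand.
            findings.append(Finding(row["Name"], "DLL host with no DLL recorded", image))
        elif any(d in image for d in SUSPECT_DIRS):
            findings.append(Finding(row["Name"], "service binary in user-writable directory", image))
    return findings


# Constructed sample export: two benign services, one manual-start service
# (skipped), one svchost-hosted DLL under ProgramData, one rundll32 service
# loading a DLL from a public user folder.
SAMPLE = r"""Name,StartMode,PathName,ServiceDll
Dnscache,Auto,C:\Windows\system32\svchost.exe -k NetworkService -p,%SystemRoot%\System32\dnsrslvr.dll
W32Time,Manual,%SystemRoot%\system32\svchost.exe -k LocalService,%SystemRoot%\system32\w32time.dll
NetHelperSvc,Auto,%SystemRoot%\System32\svchost.exe -k netsvcs,C:\ProgramData\NetHelper\nethlp.dll
UpdChk,Auto,"C:\Windows\system32\rundll32.exe C:\Users\Public\upd.dll,Start",
Spooler,Auto,C:\Windows\System32\spoolsv.exe,
"""

if __name__ == "__main__":
    for f in triage_services(SAMPLE):
        print(f"{f.name}: {f.reason} ({f.path})")
```

To produce the input on a live host, export `Name`, `StartMode` and `PathName` from `Get-CimInstance Win32_Service` and join in the `ServiceDll` value from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters`; a rootkit that hides its files from the usual scanning path will not necessarily hide the registry entries that start it, which is why service metadata is a useful place to look.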

The forum advertisements posted by this user link four dubious websites, all run by the same individual, whom Symantec identifies only as an entrepreneurial Russian hacker.

“These websites all revolve around proxies and malware distribution,” Bingham noted. “One website provides proxy access (proxybox.name), another provides VPN services (vpnlab.ru), one provides private antivirus scanning (avcheck.ru), and one provides proxy testing services (whoer.net). These four sites are also connected by static cross-linking advertisements.”

The author of these sites gives users of the Web services the same ICQ support number, and several of the sites sell services through the payment gateways WebMoney, Liberty Reserve, and RoboKassa, Bingham wrote.

“We started to look into the payment accounts associated with these websites, and found out that they were tied to an individual with a Ukrainian name living in Russia,” he added. “The additional details associated with this WebMoney account are undisclosed as we work with law enforcement in countries associated with the command-and-control servers.”

Symantec's full analysis is in Bingham's blog post.
