Proxy networks fill a necessary function for users worldwide, allowing secure Web connections free of corporate or national oversight. According to Softpedia, however, a new type of malware — dubbed ProxyBack — is being used to convert victim computers into unwilling proxy servers, which are in turn leveraged to create fake accounts on dating sites or sold as secure options to unwitting customers. While this proxy-proliferating malware has been active since 2014, researchers are only now cracking the code and discovering the real value of these malware proxies.
As noted by SecurityWeek, ProxyBack is distributed mainly in Europe and targets educational institutions. It’s not hard to see why; large colleges and universities often have hundreds or even thousands of Internet-connected desktops that aren’t monitored by individual users. Once infected, the computer is instructed to create a tunnel over transmission control protocol (TCP), which leads back to the attacker-controlled proxy server. Because the infected PC is responsible for establishing this connection, the attack server can send both instructions and traffic without fear of stepping on any firewalls.
Security company Palo Alto Networks suggested that up to 11,000 machines may have been compromised by ProxyBack, which are then used to funnel Web traffic onto the Internet at large. What’s more, Palo Alto detected a significant traffic increase on compromised servers but found that data through these proxies was neither anonymous nor secure.
New Approach to Proxies
In most cases, malware infections are designed to obfuscate the location of attack servers, allowing them to function as anonymous points of compromise. Not so with ProxyBack: As noted by Softpedia, infected computers are being sold as reliable proxy servers to customers in Russia by services like buyproxy.ru. That service claims to have been in operation for seven years, offers between 700 and 3,000 servers each day and has rental options between four and 24 hours.
While it’s unclear if buyproxy created or distributed the malware, the use of public IP addresses and specific ID numbers generated for each infection allowed researchers to link fake proxies with advertised servers on buyproxy’s website.
This isn’t the first instance of this kind of corporatized malware. For example, the communications director of the Raspberry Pi Foundation, Liz Upton, recently received an email asking the foundation to place malware on its small controllers, which would automatically direct users to a particular website. The “business officer” reaching out was more than willing to offer money in exchange for the privilege, apparently hoping that enough cash would convince the foundation to abandon its moral compass.
Here’s the takeaway when it comes to ProxyBack: Malware creators have moved beyond a smash-and-grab mentality to one that focuses on quietly infecting systems and then using them to further seemingly legitimate business aims. In other words, desktops are quickly becoming the newest cybercriminal currency as server potential — rather than stored data — becomes the big value-add for attackers.