December 30, 2015 By Douglas Bonderud 2 min read

Proxy networks fill a necessary function for users worldwide, allowing secure Web connections free of corporate or national oversight. According to Softpedia, however, a new type of malware — dubbed ProxyBack — is being used to convert victim computers into unwilling proxy servers, which are in turn leveraged to create fake accounts on dating sites or sold as secure options to unwitting customers. While this proxy-proliferating malware has been active since 2014, researchers are only now cracking the code and discovering the real value of these malware proxies.

Getting In

As noted by SecurityWeek, ProxyBack is distributed mainly in Europe and targets educational institutions. It’s not hard to see why; large colleges and universities often have hundreds or even thousands of Internet-connected desktops that aren’t monitored by individual users. Once infected, the computer is instructed to create a tunnel over transmission control protocol (TCP), which leads back to the attacker-controlled proxy server. Because the infected PC is responsible for establishing this connection, the attack server can send both instructions and traffic without fear of stepping on any firewalls.

Security company Palo Alto Networks suggested that up to 11,000 machines may have been compromised by ProxyBack, which are then used to funnel Web traffic onto the Internet at large. What’s more, Palo Alto detected a significant traffic increase on compromised servers but found that data through these proxies was neither anonymous nor secure.

New Approach to Proxies

In most cases, malware infections are designed to obfuscate the location of attack servers, allowing them to function as anonymous points of compromise. Not so with ProxyBack: As noted by Softpedia, infected computers are being sold as reliable proxy servers to customers in Russia by services like That service claims to have been in operation for seven years, offers between 700 and 3,000 servers each day and has rental options between four and 24 hours.

While it’s unclear if buyproxy created or distributed the malware, the use of public IP addresses and specific ID numbers generated for each infection allowed researchers to link fake proxies with advertised servers on buyproxy’s website.

This isn’t the first instance of this kind of corporatized malware. For example, the communications director of the Raspberry Pi Foundation, Liz Upton, recently received an email asking the foundation to place malware on its small controllers, which would automatically direct users to a particular website. The “business officer” reaching out was more than willing to offer money in exchange for the privilege, apparently hoping that enough cash would convince the foundation to abandon its moral compass.

Here’s the takeaway when it comes to ProxyBack: Malware creators have moved beyond a smash-and-grab mentality to one that focuses on quietly infecting systems and then using them to further seemingly legitimate business aims. In other words, desktops are quickly becoming the newest cybercriminal currency as server potential — rather than stored data — becomes the big value-add for attackers.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today