For as long as people have been doing productive things with software, there have been jerks making malware to screw things up and make money. As security has gotten better, malware has gotten smarter over the years. Some modern variants like ransomware are pretty clever, but Palo Alto Networks has just reported the discovery of something new. ProxyBack sets up anonymous proxies on infected PCs to route traffic over the victim’s connection.
There is demand for proxy connections in various countries, for both legitimate and non-legitimate uses. Once ProxyBack manages to infiltrate a system (probably via deceptive software downloads), it goes to work setting up a reverse tunnel from the machine. Because the infected PC initiates that outbound connection itself, ProxyBack sidesteps software and hardware firewalls that would otherwise block inbound connections to it.
ProxyBack reaches out over TCP to a malicious proxy server to verify that it has been deployed correctly. The server then sends a test ping to ensure that the proxy has a connection to the open internet on the other side. If all goes as planned, that’s when the fun starts. The victim machine now becomes a hub for a large volume of proxy data, and not all of that data is related to the activities of the malware authors. It appears that unwitting third parties are making use of these proxy connections.
Palo Alto Networks analyzed the data coming through a ProxyBack machine and found some of it was general traffic to sites like Facebook, Twitter, Wikipedia, and so on. This is probably coming from regular people who don’t know their data is being routed over a malware-infected machine. This is a problem not only for the victim of ProxyBack, but also for the people using the proxies. Their data isn’t going through a secure server someplace, but a malware-infected PC. It would be trivially easy to intercept those packets.
The bulk of the data going through ProxyBack connections appears to be pretty malicious in its own right. According to the researchers, most of the ProxyBack bandwidth is dedicated to an automated system that creates fake dating profiles on sites like Match.com and OkCupid. Tracing the connection back led to a site called buyproxy.ru. Researchers actually spotted their test machines listed as available proxies on the buyproxy site. The company claims the proxies they provide are encrypted and use proprietary “traffic tunneling” technology. Proprietary malware technology more like it, right?
Palo Alto Networks notes that there is no direct evidence that the owners of buyproxy.ru are the ones behind the ProxyBack malware, but it is definitely designed to work with the buyproxy service. Now that it has been identified, malware scanners can start removing ProxyBack. As with most forms of malware, it’ll probably be back.