Slashdot Mirror


ProxyBack Malware Turns Infected Computers into Internet Proxies (softpedia.com)

An anonymous reader writes: A new malware family called ProxyBack infects PCs and transforms them into a Web proxy. ProxyBack malware works by infecting a PC, establishing a connection with a proxy server controlled by the attackers, from where it receives instructions, and later the traffic it needs to route to actual Web servers. Each machine infected with ProxyBack works as a bot inside a larger network controlled by the attackers, who send commands and update instructions via simple HTTP requests. Some of the people infected with this malware mysteriously found their IP listed on the buyproxy.ru Web proxy service. A technical write-up of the infection steps and various malware commands is available on the Palo Alto Networks blog.

71 comments

  1. Why is this news? by xxxJonBoyxxx · · Score: 3, Insightful

    Rooting a computer for the purpose of making it a proxy or a zombie to probe or attack other hosts has been a core goal of attackers for at least 20 years now. What makes this discovery special?

    1. Re:Why is this news? by bengoerz · · Score: 3, Informative

      This method of monetizing a botnet by openly selling proxy access is rather unusual. It's a departure from the old standbys: clickfraud and ransomware.

    2. Re:Why is this news? by darkain · · Score: 1

      Only if you're new to the game, perhaps? But compromised proxy lists for purchase were around back in the '90's... How is this any different now?

    3. Re:Why is this news? by bloodhawk · · Score: 1

      purchase and rent of botnets has been common for years, there is a large market for this and it isn't new.

    4. Re:Why is this news? by h33t+l4x0r · · Score: 1

      Openly? Hardly. No sir, you have somehow accidentally stumbled upon the Russian darkwebs.

    5. Re:Why is this news? by Anonymous Coward · · Score: 0

      It's not, the amount of stupidity has increased 1000 fold though

    6. Re:Why is this news? by campuscodi · · Score: 1

      Did you read the entire summary? This is not a regular proxy from where hackers can hide attacks, this is a proxy in a Web proxy service listed online, where dumb dumbs like us went to hide our IP before Tor came around.

    7. Re:Why is this news? by h33t+l4x0r · · Score: 1

      What's the difference?

    8. Re:Why is this news? by Anonymous Coward · · Score: 0

      No shit Sherlock.

      But this is a new family of proxy-ing malware that has gained momentum and has been noticed by a larger number of people recently as their IPs show up in a proxy list.

      That's like saying every new release of Windows isn't news, or Linux, or MacOS (it isn't) isn't news.
      Hell, we might as well just stop posting about anything ever because someone else has said it once before.
      Your post has probably already been posted once before with a 50-70% correlation.
      You should have just ended it at "zombie to probe" and be done with it. Pretty sure that's a unique term on here.

    9. Re:Why is this news? by campuscodi · · Score: 1

      Instead of one bad guy using your PC to hide his location... you have 3000 porn addicts funneling tranny and child pr0n traffic through your PC. :))))

    10. Re:Why is this news? by xxxJonBoyxxx · · Score: 1

      >> Did you read the entire summary?

      Hell no. This is SlashDot. I read the headline, glanced at the first line of the summary and then started to type my comment. :P

    11. Re:Why is this news? by Anonymous Coward · · Score: 0

      They are obviously new here.

    12. Re:Why is this news? by Anonymous Coward · · Score: 0

      Compromised proxies from the 90s came from vulnerable systems sitting on the internet, becoming compromised after direct attacks. This is the result of a botnet. The proxy exit nodes are also behind NAT and Firewalls, being accessed through a reverse tunnel. This is most certainly drastically different.
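
The reverse-tunnel pattern described in the summary and in this reply (an infected host behind NAT keeps one long-lived outbound connection to the operator's relay, then fetches arbitrary Web servers on behalf of the relay's customers) can be spotted from the victim network's own egress flow logs. The heuristic below is an added example, not code from the article, Palo Alto Networks or any commenter; the flow records, host names and thresholds are all constructed.

```python
"""Heuristic detector for reverse-tunnel proxy bots over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since the start of the capture
    src: str       # internal host (behind NAT, so only seen on our own egress)
    dst: str       # external peer
    dport: int
    duration: int  # seconds the flow stayed open


# Constructed sample: 10.0.0.5 holds one hour-long outbound connection (the reverse
# tunnel to the relay) and fans out short HTTP flows to many unrelated sites, which
# is the proxy-bot shape; 10.0.0.7 looks like a person browsing a few sites.
SAMPLE_FLOWS = [
    Flow(0, "10.0.0.5", "relay.example", 443, 3600),
    *[Flow(10 * i, "10.0.0.5", f"site{i}.example", 80, 2) for i in range(40)],
    Flow(0, "10.0.0.7", "mail.example", 443, 600),
    *[Flow(60 * i, "10.0.0.7", f"news{i}.example", 80, 3) for i in range(5)],
]


def find_proxy_bots(flows, window=600, min_distinct=25, min_tunnel_secs=1800):
    """Return {src: reason} for hosts whose Web egress fans out to an unusual number of
    distinct destinations while they also hold a long-lived outbound connection."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        tunnels = [f for f in fl if f.duration >= min_tunnel_secs]
        if not tunnels:
            continue  # no candidate tunnel, so the fan-out alone is not suspicious here
        web = sorted((f for f in fl if f.dport in (80, 443) and f.duration < min_tunnel_secs),
                     key=lambda f: f.ts)
        # sliding window: most distinct Web destinations seen within any `window` seconds
        best, lo, counts = 0, 0, defaultdict(int)
        for f in web:
            counts[f.dst] += 1
            while f.ts - web[lo].ts > window:
                counts[web[lo].dst] -= 1
                if counts[web[lo].dst] == 0:
                    del counts[web[lo].dst]
                lo += 1
            best = max(best, len(counts))
        if best >= min_distinct:
            t = tunnels[0]
            hits[src] = (f"{best} distinct web destinations within {window}s while "
                         f"{t.dst}:{t.dport} stayed open {t.duration}s")
    return hits


if __name__ == "__main__":
    for host, why in find_proxy_bots(SAMPLE_FLOWS).items():
        print(host, "->", why)
```

Thresholds need tuning per network: a real relay may rotate tunnels, and a workstation on a link-preview-heavy site can fan out legitimately, so treat a hit as a triage lead rather than a verdict.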

  2. is this Timberlake's idea? by turkeydance · · Score: 1

    and what's this proxy he's bringing?

  3. ProxyBack Malware makes proxies? by SeaFox · · Score: 1

    I wouldn't have expected that in a million years!

  4. Huh? by Anonymous Coward · · Score: 1

    How is this anything different than botnets and the like that have been around for years? Slashdot reporting in!

  5. Re: This is the future Republicans... by Anonymous Coward · · Score: 0

    I once had a Mexican friend, and he was named that, but it was spelled differently.

  6. 16th post by Anonymous Coward · · Score: 0, Flamebait

    16th post bitches

  7. Re: This is the future Republicans... by rubycodez · · Score: 1

    Republicans like Bill Gates? 8D

  8. PS4 pwned network by Anonymous Coward · · Score: 0

    An article about this problem on PS4 machines would have been more relevant.

  9. FTFY FTW by Zero__Kelvin · · Score: 5, Informative

    "A new malware family called ProxyBack infects PCs and servers running Microsoft Windows and transforms them into a Web proxy. As usual, PCs * running all other operating systems, including but not limited to Linux, Android, iOS, and OS X are not vulnerable."

    FTFY

    I find it interesting that the article never mentions Windows in the text, or that it only runs on Windows, as indicated in the graphics. The word Windows appears 16 times (at least) but zero times in a searchable format.

    * Some people claim that the term PC refers specifically to a system with Windows. Their argument invariably represents an ignorance with respect to the history of both Microsoft and the various PCs.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    1. Re:FTFY FTW by Anonymous Coward · · Score: 0

      * Some people claim that the term PC refers specifically to a system with Windows. Their argument invariably represents an ignorance with respect to the history of both Microsoft and the various PCs.

      Some people also claim that the term "Linux" refers to a system with GNU/Linux. Their argument invariably represents an ignorance with respect to the history of both the GNU userland tools and the Linux kernel. As long as we're being pedantic...

    2. Re:FTFY FTW by Anonymous Coward · · Score: 0

      Yup, it now increasingly refers to systemd/Linux which itself represents an ignorance all its own.

    3. Re:FTFY FTW by Anonymous Coward · · Score: 0

      There should be a disambiguation of the term "PC" when it should say "Windows PCs". Windows is shitware.

    4. Re:FTFY FTW by Anonymous Coward · · Score: 0

      Then why does most of the planet's servers and desktops combined run it? Everyone must be dumb except you, right?

    5. Re:FTFY FTW by Anonymous Coward · · Score: 0

      Exactly right. Even M$ uses Linux servers on critical systems.

    6. Re:FTFY FTW by Anonymous Coward · · Score: 0

      Saying it infects PCs does a disservice to hardware companies like Dell, HP, etc. It is clearly a Windows problem so it should say that it infects "Windows PCs." Better yet it should just say that it infects "Microsoft Windows".

  10. Re: This is the future Republicans... by JustAnotherOldGuy · · Score: 0

    Republicans like Bill Gates? 8D

    I don't know about Bill, but I know his father was wetting his pants trying to drum up support for an income tax in Washington state. Amazingly enough, it would have reduced his taxes, funny how that works, huh? No one bought his bullshit, though. He's given money to both parties but he sure walks and talks like a Republican.

    It happens every few years here- some dickweasel scumbag tries to float an income tax proposal and it gets totally shot to pieces, the voters reject it out of hand and bury it a thousand feet deep with a resounding "FUCK NO!" at the polls.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  11. Someones gotta click the ads by Anonymous Coward · · Score: 0

    I can't say I've ever met someone who clicked on an ad to buy something on purpose... I imagine google ads and more are just a big fake numbers game anyway..

  12. Re: This is the future Republicans... by Anonymous Coward · · Score: 0

    Why are you and the other morons here wasting our time with your off topic bullshit? Go away and take your pseudo political wannabe expert crap to aol please.

  13. Easy to stop this (via hosts)... apk by Anonymous Coward · · Score: 0

    * Put those entries in your hosts file & voila (see subject) - they're detected, blocked, & you're protected!

    APK

    P.S.=> For the BEST possible protective hosts file (that also speeds you up 2 ways in hardcoded favorites you create + blocking ads also)? Well - you know:

    APK Hosts File Engine 9.0++ SR-4 32/64-bit:

    http://start64.com/index.php?o...

    Obtains data for the aforementioned from 10 reputable & reliable sites in the security community... apk

  14. Ohhh, this is going to be fun! by Opportunist · · Score: 1

    Since it is somewhat unlikely that these proxies are going to be used to promote freedom of speech in countries where such a thing is unknown and rather for, let's say, less benign reasons, we may already wait for the first raids on infected machines that happened to be used to get access to child porn or even copyrighted content.

    It just might make people consider that securing their machines could possibly, just maybe, be in their own interest.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  15. Freedom malware next. by Anonymous Coward · · Score: 0

    The payload forces microsoft windows PCs to become tor exit nodes, reducing the proportion of exit nodes controlled by malicious states, improving the security and speed for those using tor and leading to distributed hidden services with end to end encryption that directly compete with the centralized platforms provided by corporations (who have to give backdoor access/encryption keys to the same malicious states by law.)

    Internet usage stalls, internet giants become insolvent, paid cloud platforms go the way of the dodo and advertising via other people bandwidth becomes impossible.

    We can dream I suppose.

  16. Translated: take away grandma's PC and give tablet by Anonymous Coward · · Score: 0

    You make a point for taking away grandma's PC and giving her a tablet sooner rather than later. I don't approve of grandmas getting hauled away or harassed by the authorities.

  17. Something that runs on Windows... apk by Anonymous Coward · · Score: 0

    See subject: Stops it (& others like it too) COLD -> http://it.slashdot.org/comment...

    * :)

    (Courtesy of "yours truly", gratis... enjoy, should you elect to try it (it's free, safe, & works doing far more for added speed, security, reliability, + anonymity for FAR LESS resources consumed than any other single "so-called 'solution'" which most if not ALL will merely SLOW YOU DOWN instead!))

    APK

    P.S.=> Lastly - you seem to fail to realize that Windows runs on MORE personal computers + servers (by FAR here, like 94.5++% iirc on desktops & 50/50 on servers vs. Linux) - so thus?

    Windows IS going to be "targeted for termination" THE MOST by miscreant "ne'er-do-well" criminals online... why?

    Simple economics - BEST "ROI" for attackers, since more users use it & since it's most used on pc desktops & servers combined

    HOWEVER:

    Not on ones protected by hosts + firewalls as shown in that link! apk

  18. That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    See subject & this (says & DOES it all vs. it easily) http://it.slashdot.org/comment... w/ something you already NATIVELY have...

    APK

    P.S.=> Enjoy... apk

  19. Re:That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    Congrats, retard.

    You've spammed the same message TWO (2) times in reply to one comment.

    AND did NOT get down-voted to oblivion.

    You must be proud of yourself; your spam didn't get downvoted.

    AB+ doesn't spam, nor does it get downvoted. ONLY apk can achieve those feats, spamming and being downvoted... HARD.

  20. Re:That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    Enjoy your reply now having a -1 down moderation weirdo and get on topic.

  21. I've obviously run you dry of modpoints... apk by Anonymous Coward · · Score: 0

    See subject: Not that an off topic "ne'er-do-well" like you gets that many but it's what I do vs. idiots like yourself - makes me laugh @ you (can you hear it? hahahahaha).

    * It's SO EASY TO DO for me, lol...

    APK

    P.S.=> Now: What's not easy for a retrograde idiot like yourself is proving me wrong that hosts files blocks work here (& even firewalls I noted if you go that route for the 2nd half of the article's IP addresses, which I reverse DNS resolved for hosts usage) perfectly (+ efficiently) - what I've created is useful but morons like yourself aren't capable of such feats (& you know it)... apk

    1. Re: I've obviously run you dry of modpoints... apk by Anonymous Coward · · Score: 0

      Mr. Apk is prolly victimizing those poor connections to post here on /..

  22. Tor Exit server Zombie Malware by Danathar · · Score: 1

    It occurred to me that one thing we haven't seen yet (or maybe?) is some sort of malware or Trojan that infects computers to run as exit nodes for TOR.

    Imagine how that would affect the overall TOR network.

    1. Re:Tor Exit server Zombie Malware by Anonymous Coward · · Score: 0

      I recall reading something about that months ago, might have been here.

  23. AdBlock+ = inferior & 'souled-out' vs. hosts by Anonymous Coward · · Score: 0

    AB+ can't stop this & can adblock+ do 16 things hosts do 4 speed, security & reliability:

    1.) Protect vs. bad sites (past ads)
    2.) Protect vs. fastflux botnets + stop C&C's
    3.) Protect vs. dynamic dns botnets + stop C&C
    4.) Protect vs. DGA botnets + stop C&C
    5.) Protect vs. downed DNS (4 reliability)
    6.) Protect vs. DNS redirect poisoning
    7.) Protect vs. trackers
    8.) Protect vs. spam
    9.) Protect vs. phish
    10.) Protect vs. caps
    11.) Get past dns blocks
    12.) Keep off dns request logs
    13.) Speed up surfing (adblock & hardcoded favs)
    14.) Works on anything webbound multiplatform.
    15.) EZ data control
    16.) Block ads better vs. addons more efficiently

    * ANSWER ="NO" on ab+ doing it as well or @ ALL + hosts = on devices natively.

    APK

    P.S.=> Ab+ does less vs. hosts less efficiently - hosts do MORE w/ less + Hosts start w/ IP stack before REDUNDANT inefficient addons BEGIN operation (as 1st resolver).

    ---

    Ab+'s a 128-151mb memory hog http://cdn.ghacks.net/wp-conte... (hosts use 3-11mb w/ my program initially). Even FireFox 41 adblock eats 65++mb http://www.ghacks.net/2015/06/...

    ---

    ClarityRay defeats it via native browser methods!

    ---

    Ab+'s bribed not to work by default http://www.businessinsider.com... & ABP bought out adblock http://www.theregister.co.uk/2...

    ---

    Ab+ adds complexity in slower usermode (w/ more messagepassing overhead + context switch vs. hosts in kernelmode).

    ---

    AdBlock's SLOWER: http://superuser.com/questions...

    ---

    What's best?

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

    MalwareBytes' hpHosts Admin (MalwareBytes employee who verified its source is safe http://forum.hosts-file.net/vi... ) hosts & recommends it http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

    &

    It's safe by 57 antivirus programs in its 64-bit model https://www.virustotal.com/en/...

    +

    32-bit model too https://www.virustotal.com/en/...

    & Installer -> http://f.virscan.org/APKHostsF...

  24. Re:AdBlock+ = inferior & 'souled-out' vs. host by Anonymous Coward · · Score: 0

    Congrats, retard.

    You've spammed the same message over THREE (3) times in reply to one comment.

    AND ALL of them got down-voted to oblivion.

    You must be proud of yourself; ALL of your spam got downvoted.

    AB+ doesn't spam, nor does it get downvoted. ONLY apk can achieve those feats, spamming and being downvoted... HARD.

  25. As usual my points are inviolate... apk by Anonymous Coward · · Score: 0

    See subject: Thanks for proving it - You're clearly unable to validly technically prove me wrong on hosts superiority to redundant inefficient almostalladsblocked which can't provide as much in the way of added speed, security, reliability, & anonymity for users online!

    * Thank-You!

    (Seriously - it's fools like yourself that continually prove my points for me & make ME look GOOD!)

    APK

    P.S.=> Now, you just KNOW I've just GOTTA SAY IT, now don't you? Ah, but of COURSE you do:

    THIS? This was just "too, Too, TOO EASY - just '2ez'" & it always is vs. unidentifiable true anonymous cowards who troll me off topic w/ illogical ad hominem attacks that fail... apk

    1. Re:As usual my points are inviolate... apk by Anonymous Coward · · Score: 0

      it's not about proving you wrong, it's about proving that you're an idiot and an annoying little shitstain

  26. Re: That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    Too bad someone disagrees with you. He's sitting at neutral.

  27. You can't prove me wrong's more like it by Anonymous Coward · · Score: 0

    See subject: Thanks for projecting what YOU are - an annoying idiot shitstain but it's not me you annoy. It's yourself since you're useless & doubtless others too being an off-topic troll.

    * To tell you the truth? Now I am damn glad I annoy the likes of you - you have NO IDEA how much pleasure I take in it!

    APK

    P.S.=> You're nothing more than a "ne'er-do-well" do nothing punk & you KNOW it... apk

  28. Re: That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    What's your problem? Apk's fix here works against the virus this article tells us about http://it.slashdot.org/comment...

  29. Re:That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    Asking you the same question I did earlier above. What's your problem? Apk's fix against the virus the article talks about works http://it.slashdot.org/comment... so are you the miscreant writing this virus or something and you're upset apk shut you down so easily? Apk's informative post helps us moron!

  30. Re:That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    What's your problem? Apk's fix here works against the virus this article tells us about http://it.slashdot.org/comment...

  31. Re:That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    This 100% sums up my feelings about APK

  32. Re:That it's SO EASY for this to stop it... apk by Anonymous Coward · · Score: 0

    Asking you the same question I did earlier above. What's your problem?

    I'm sick of mentally ill spammers.

    Apk's informative post helps us moron!

    Then you're a fucking retard too. Host file manipulation technique is ancient, only works on individual computers and not most mobile solutions, and his spamming is only informative to other morons.

    Set up your own DNS with black-holing of malicious sites if you want to do it right, but spamming multiple times in a mentally ill fashion is for wankers and clueless newbies. Glad you fit that profile and have been helped by it, but it's an incomplete "solution".
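
The thread's hosts-file posts and this last reply disagree on where to enforce a domain blocklist: a hosts file protects one machine and matches exact names only, while a resolver-side blackhole covers every device on the network and a whole zone at once. The converter below is an added example (not any commenter's tool) that turns hosts-style entries into unbound(8) `local-zone ... always_nxdomain` directives; the sample entries are constructed placeholders, not the thread's indicators.

```python
"""Convert a hosts-style blocklist into unbound(8) local-zone directives."""
import re

# Constructed sample in the 0.0.0.0 hosts-file style discussed in the thread.
SAMPLE_HOSTS = """\
# blocklist excerpt
0.0.0.0 bad-c2.example
0.0.0.0 tracker.example   # inline comment
127.0.0.1 localhost
0.0.0.0 BAD-C2.example
0.0.0.0 not a hostname!
::1 localhost
0.0.0.0 www.bad-c2.example
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}   # addresses used to sinkhole, not map
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def valid_hostname(name):
    """RFC 1123-style check: dotted labels of 1-63 chars, no leading/trailing hyphen."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def hosts_to_blocklist(text):
    """Return the sorted, de-duplicated set of domains the hosts text sinkholes."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        addr, *hostnames = line.split()
        if addr not in SINK_ADDRS:
            continue                                # a genuine mapping, not a block entry
        for h in hostnames:
            h = h.lower().rstrip(".")
            if h in LOCAL_NAMES or not valid_hostname(h):
                continue                            # never sinkhole loopback names or junk
            names.add(h)
    return sorted(names)


def unbound_local_zones(domains):
    """One always_nxdomain zone per domain. A zone already covers its subdomains,
    so www.bad-c2.example is dropped when bad-c2.example is present."""
    covered = []
    for d in sorted(domains, key=lambda s: s.count(".")):   # parents before children
        if any(d == c or d.endswith("." + c) for c in covered):
            continue
        covered.append(d)
    return [f'local-zone: "{d}." always_nxdomain' for d in covered]


if __name__ == "__main__":
    print("\n".join(unbound_local_zones(hosts_to_blocklist(SAMPLE_HOSTS))))
```

Drop the output into an unbound `server:` section (for example as an included file) and reload; the same list then applies to phones and tablets that cannot edit a hosts file.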