Hundreds of thousands of users who signed up for an inexpensive proxy service called Proxybox.name got quite a steal alright. They ended up installing a Trojan horse linked to a botnet first detected last summer.
Researchers at Symantec reverse engineered the Backdoor.Proxybox malware and unearthed a major black hat operation and perhaps the actual malware developer.
The investigation started with a legitimate looking Russian Web site advertising access to thousands of proxies for a ridiculously low monthly fee that could be paid via WebMoney, Liberty Reserve and RoboKassa. Proxy services often are used to mask a location and send information anonymously.
In a blog post today, Symantec researcher Joseph Bingham explains how the malware works:
“The dropper installs the payload as a service on the computer, copying the payload executable to the system and installing the rootkit,” he said. “The rootkit attempts to protect the malicious payload and all other files associated with the threat to increase the threat’s persistence. The rootkit implements a novel method to avoid device-stack file scanning. The payload itself is a DLL, which is executed when the computer starts and acts as a low-level proxy service that enters the compromised computer into a large botnet used for funneling traffic.”
An analysis of the threat indicates “when the computer starts, the payload contacts a hard-coded server address and requests a set of PHP pages to configure itself, set up backup command servers, test connection speed, and set up client authentication. The command server provides a list of peer servers to use as backups, runs a speed check on the compromised computer, and assigns a password for proxy authentication.”
A closer inspection of the command-and-control server showed the botnet maintains some 40,000 users online at any time. Advertisements for Proxybox.name appear on four other Web sites all linked to the same author. They include vpnlab.ru, avcheck.ru and whoer.net, which provides proxy testing.
This led Symantec researchers to believe the same Russian hacker is behind the black hat operation. The company is working with law enforcement where the command-and-control servers are located.