Users who signed up for the inexpensive proxy service, Proxybox.name, ended up installing a Trojan horse linked to a botnet first detected last summer.
Symantec researchers reverse engineered the Backdoor.Proxybox malware and unearthed a major black hat operation and perhaps the actual malware developer.
The investigation started with a legitimate-looking Russian Web site advertising access to thousands of proxies for a low monthly fee, payable via WebMoney, Liberty Reserve and RoboKassa. Proxy services relay a client's traffic so that the client's own address and location are hidden from the destination, which is what the site claimed to sell.
“The dropper installs the payload as a service on the computer, copying the payload executable to the system and installing the rootkit,” said Symantec researcher Joseph Bingham. “The rootkit attempts to protect the malicious payload and all other files associated with the threat to increase the threat’s persistence. The rootkit implements a novel method to avoid device-stack file scanning. The payload itself is a DLL, which is executed when the computer starts and acts as a low-level proxy service that enters the compromised computer into a large botnet used for funneling traffic.”
An analysis of the threat indicates “when the computer starts, the payload contacts a hard-coded server address and requests a set of PHP pages to configure itself, set up backup command servers, test connection speed, and set up client authentication. The command server provides a list of peer servers to use as backups, runs a speed check on the compromised computer, and assigns a password for proxy authentication.”
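The bootstrap sequence quoted above, modelled as an added example that is not Symantec's analysis code and not the malware itself. The page names (config.php, speed.php, auth.php), the JSON bodies, the host names and the speed threshold are assumptions made for illustration; what the model does show is why the "backup command servers" step matters to a defender: a bot that completed one bootstrap keeps working after the hard-coded server is sinkholed, while a fresh infection that never reached it is stranded.

```python
"""Hypothetical model of the Backdoor.Proxybox bootstrap sequence.

Added example, not code from Symantec's analysis and not the malware.
Page names (config.php, speed.php, auth.php), JSON bodies, host names and
the speed threshold are assumptions made for illustration.
"""
import json
import secrets
from dataclasses import dataclass, field


class CommandServer:
    """In-memory stand-in for one command server that serves the PHP pages."""

    def __init__(self, name, peers, online=True):
        self.name = name          # host name the bot connects to
        self.peers = list(peers)  # backup servers handed out via config.php
        self.online = online      # False simulates a takedown or sinkhole
        self.passwords = {}       # per-bot proxy authentication passwords

    def get(self, page, bot_id, link_kbps=0):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        if page == "config.php":
            return json.dumps({"peers": self.peers})
        if page == "speed.php":
            # Assumed grading of the bot's link; the real threshold is unknown.
            return json.dumps({"grade": "fast" if link_kbps >= 1000 else "slow"})
        if page == "auth.php":
            pw = self.passwords.setdefault(bot_id, secrets.token_hex(8))
            return json.dumps({"proxy_password": pw})
        raise KeyError(page)


@dataclass
class Bot:
    bot_id: str
    primary: str                 # hard-coded server address in the payload
    link_kbps: int = 2000        # constructed link speed used by the speed check
    backups: list = field(default_factory=list)
    grade: str = ""
    proxy_password: str = ""
    current_c2: str = ""


def bootstrap(bot, network):
    """Run the phases the article lists: fetch config (peer list), speed
    check, proxy password. Tries the hard-coded primary first, then any
    backups learned from an earlier run. Returns the server used or None."""
    for host in [bot.primary] + bot.backups:
        srv = network.get(host)
        if srv is None:
            continue
        try:
            cfg = json.loads(srv.get("config.php", bot.bot_id))
            speed = json.loads(srv.get("speed.php", bot.bot_id, bot.link_kbps))
            auth = json.loads(srv.get("auth.php", bot.bot_id))
        except ConnectionError:
            continue
        bot.backups = [p for p in cfg["peers"] if p != host]
        bot.grade = speed["grade"]
        bot.proxy_password = auth["proxy_password"]
        bot.current_c2 = host
        return host
    return None


def takedown_scenario():
    """Constructed scenario: the primary is sinkholed after one bot has
    already fetched its peer list. Returns (first, after, fresh)."""
    primary = CommandServer("c2-primary.example", ["peer1.example", "peer2.example"])
    network = {
        "c2-primary.example": primary,
        "peer1.example": CommandServer("peer1.example", ["peer2.example"]),
        "peer2.example": CommandServer("peer2.example", ["peer1.example"]),
    }
    seasoned = Bot("bot-A", "c2-primary.example")
    first = bootstrap(seasoned, network)      # reaches the hard-coded server
    primary.online = False                    # takedown of the hard-coded server
    after = bootstrap(seasoned, network)      # survives via a cached backup peer
    fresh = bootstrap(Bot("bot-B", "c2-primary.example"), network)  # never learned peers
    return first, after, fresh


if __name__ == "__main__":
    print(takedown_scenario())
```

Running the scenario returns the primary for the first bootstrap, a backup peer after the primary goes dark, and None for the fresh bot, which is the practical argument for enumerating and taking down the whole peer list rather than only the address hard-coded in the payload.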
A closer inspection of the command-and-control server showed the botnet maintains some 40,000 bots online at any time. Advertisements for Proxybox.name appear on four other Web sites, all linked to the same author; they include vpnlab.ru, avcheck.ru and whoer.net, which provides proxy testing.
This led Symantec researchers to believe the same Russian hacker is behind the black hat operation. The company is working with law enforcement in the jurisdictions where the command-and-control servers are located.