Researchers have discovered a new type of malware that infects home computers and turns them into Internet proxies.
Palo Alto Networks, the security company that discovered this malware, thinks users' PCs are being used by a Russian company inside their Web proxy service.
Named ProxyBack, this malware was first observed in March 2014, but only recently have security researchers managed to understand how it works. According to Palo Alto experts, the malware has infected in most cases educational institutes in Europe, and targets regular PCs, transforming them into Internet proxies while illegally using them to funnel Internet traffic. Infected machines are not used to disguise the location of a cyber-crook, but as security researchers explain, they are advertised as reliable proxy servers listed in an online proxy service operated out of Russia.
ProxyBack malware works by infecting a PC, establishing a connection with a proxy server controlled by the attackers, from where it receives instructions, and later the traffic it needs to route to actual Web servers. Each machine infected with ProxyBack works as a bot inside a larger network controlled by the attackers, who send commands and update instructions via simple HTTP requests.
More than 11,000 computers infected with ProxyBack
Since each infected victim has its own ID parameter in the HTTP requests it receives from the C&C server, and this number is slowly incremented by one for each PC, Palo Alto Networks reports on a headcount of 11,149 infected computers by December 23, 2015. While the researchers did not find any concrete electronic trail to point the finger at the buyproxy.ru domain operators, researchers did discover that IPs of some infected computers appeared in their online offer, as IPs for some of its available proxy servers.
The buyproxy.ru service advertises that it operates between 700 and 3,000 proxy servers per day, that its proxies usually live between 4 and 24 hours, and a "backend proxy" is used to manage incoming connections, which are then distributed to its temporary proxies that have different IP addresses. This description sounds a whole lot like the ProxyBack malware C&C server and its bots.
"Whether the people behind 'buyproxy[.]ru' are responsible for the distribution of the ProxyBack malware or not is unknown; however, it is clear that the ProxyBack malware is designed for, and used in, their service," says Palo Alto's Jeff White.