Cybercriminals are using computers infected with a particular piece of malware to power a commercial proxy service that funnels potentially malicious traffic through them, according to security researchers from Symantec.
Three months ago, Symantec researchers started an investigation into a piece of malware called Backdoor.Proxybox that has been known since 2010, but has shown increasing activity recently.
"Our investigation has revealed an entire black hat operation, giving us interesting information on the operation and size of this botnet, and leading us to information that may identify the actual malware author," Symantec researcher Joseph Bingham said Monday in a blog post.
The malware is a Trojan program with rootkit functionality that transforms the computer into a proxy server. The rootkit component uses a novel technique to prevent access to the malware's other files and increase the malware's persistence on the system, Bingham said.
However, the most interesting aspect of this attack is how the infected computers are actually used by the attackers.
Botnets are one of the main tools used by cybercriminals because they are versatile. They can be used to send email spam, launch distributed denial-of-service attacks, solve CAPTCHA challenges on websites, perform online banking fraud or click fraud and many other activities.
In this particular case, the botnet's operators are using it to power a commercial proxy service called Proxybox.name.
Because they can hide a user's real IP (Internet Protocol) address, proxy servers are commonly used to evade online censorship attempts, bypass region-based content access restrictions or, in many cases, engage in various illegal actions.
Fully anonymous and transparent SOCKS proxy servers -- proxy servers that can route traffic for any application, not just browser connections -- are hard to come by and this is exactly what the Proxybox service offers.
According to the Proxybox website, for US$25 a month, customers can get access to 150 proxy servers from the countries they desire, while for $40 they can get access to an unlimited number of proxies. The service operators promise not to keep any access logs, which makes these servers perfect for criminal use because there will be no logs for authorities to request and review.
"We expect over 2,000 bots online all the time," the Proxybox operators say on their website. However, after monitoring the botnet's command and control servers, the Symantec researchers believe that there are around 40,000 active proxies at any given time.
The Proxybox malware is distributed in a variety of ways, including through drive-by download attacks launched from compromised websites that host commercial exploit toolkits like Blackhole, Bingham said.
Advertisements for the Proxybox service seen on underground forums were linked to ads for other black market websites that offer VPN (virtual private network), private antivirus scanning or proxy testing services and offer the same ICQ contact number and payment methods: WebMoney, Liberty Reserve and RoboKassa.
"We started to look into the payment accounts associated with these websites, and found out that they were tied to an individual with a Ukrainian name living in Russia," Bingham said. "The additional details associated with this WebMoney account are undisclosed as we work with law enforcement in countries associated with the command-and-control servers."
The risks for users whose computers are infected with Backdoor.Proxybox are significant. Because of the unauthorized proxy servers running on their systems, their IP addresses might be involved in a lot of illegal activities without their knowledge.