Palo Alto Networks researchers have discovered a malware family, dubbed ProxyBack, that somehow transforms infected systems into Internet proxies. How does this ProxyBack malware work, and what is the purpose of turning victims' systems into anonymous Internet proxies?
Using a proxy can help an individual protect her privacy, much like using Tor, and Internet proxies can also be used to obfuscate the true source of an attack. One of the difficult aspects of using source IP addresses in attack attribution is that the source IP could be a proxy or it might be a compromised system being used as a proxy. This challenge has been around as long as the Internet has existed and is not new. Attackers know this and frequently use it to their advantage in an attack. Malware authors have even started to incorporate this functionality into malware.
Palo Alto doesn't specify how the malware gets on the endpoint, but it could get installed via a drive-by download or any number of other ways. The ProxyBack malware first registers itself with a central system, where it sets up the bidirectional connection necessary to provide the network proxy service. This setup and the network traffic from the proxy service can be detected using the indicators of compromise that Palo Alto released in its report.
It appears that the specific purpose of the ProxyBack malware is to provide anonymous Internet proxies for a Russian proxy service. This could allow an attacker to obfuscate the source of an attack, or an individual to use the proxy exit node to bypass regional content restrictions imposed by their local networks, governments or businesses. Palo Alto Networks released the IPS signature so customers can detect and block ProxyBack traffic. Enterprises should also inspect and analyze outbound network traffic for suspicious addresses and to ensure the traffic is being generated by a legitimate user instead of malware.
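As an added example, not taken from the answer above or from Palo Alto Networks' report, the following Python heuristic applies the outbound-traffic advice to constructed flow records: it flags a workstation that holds one long-lived session to a single external address (the registration and control channel the answer describes) while fanning out to many unrelated destinations, and it separately matches destinations against a list of published indicators, which is left empty as a placeholder here. All hostnames, addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample flows: (host, dst_ip, dst_port, start_sec, end_sec).
# Addresses come from the reserved documentation ranges, not real infrastructure.
FLOWS = [("ws-101", "203.0.113.10", 443, 0, 3600)]  # hour-long control session
# ws-101 then reaches a dozen unrelated hosts: the fan-out a relay would show.
FLOWS += [("ws-101", f"198.51.100.{i}", 80, 100 + 30 * i, 105 + 30 * i)
          for i in range(1, 13)]
# ws-102 browses a dozen sites but keeps no persistent session: ordinary use.
FLOWS += [("ws-102", f"198.51.100.{i}", 443, 50 + 20 * i, 55 + 20 * i)
          for i in range(1, 13)]
# ws-103 keeps a long session (e.g. a VPN) but barely talks to anyone else.
FLOWS += [("ws-103", "203.0.113.20", 443, 0, 3600),
          ("ws-103", "198.51.100.1", 80, 200, 210)]


def find_relay_candidates(flows, known_controllers=frozenset(),
                          min_session=1800, min_fanout=10):
    """Return {host: (reason, peer_ip, fanout)} for hosts that deserve a look.

    known_controllers: indicators from a vendor report (placeholder, empty here).
    min_session: seconds a connection must last to count as a control channel.
    min_fanout: distinct other destinations contacted during that session.
    """
    by_host = defaultdict(list)
    for host, dst, port, start, end in flows:
        by_host[host].append((dst, port, start, end))

    hits = {}
    for host, recs in by_host.items():
        for ctrl, _, c_start, c_end in recs:
            # Distinct external peers contacted while this session was open.
            peers = {d for d, _, s, _ in recs if d != ctrl and c_start <= s <= c_end}
            if ctrl in known_controllers:
                hits[host] = ("ioc", ctrl, len(peers))  # signature-style match
                break
            if c_end - c_start >= min_session and len(peers) >= min_fanout:
                hits[host] = ("fanout", ctrl, len(peers))  # behavioral match
                break
    return hits


if __name__ == "__main__":
    for host, (reason, peer, fanout) in find_relay_candidates(FLOWS).items():
        print(f"{host}: {reason} via {peer}, {fanout} peers during session")
```

Thresholds should be tuned against a baseline of normal traffic; a VPN client or a long-polling application will hold a long session without the fan-out, which is why both conditions are required for the behavioral match.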
Related Q&A from Nick Lewis