Q

ProxyBack malware: How does it affect Internet proxies?

ProxyBack malware turns infected user systems into Internet proxies, which can obfuscate the attack source. Expert Nick Lewis explains how the malware works, and its purpose.

Palo Alto Networks researchers have discovered a malware family, dubbed ProxyBack, that somehow transforms infected systems into Internet proxies. How does this ProxyBack malware work, and what is the purpose of turning victims' systems into anonymous Internet proxies?

Using a proxy can help an individual protect her privacy, much like using Tor, and Internet proxies can also be used to obfuscate the true source of an attack. One of the difficult aspects of using source IP addresses in attack attribution is that the source IP could be a proxy, or it could be a compromised system being used as one. This challenge is not new; it has existed for as long as the Internet has. Attackers know this and frequently use it to their advantage in an attack, and malware authors have even started to build this functionality into malware.

Palo Alto doesn't specify how the malware gets onto the endpoint, but it could be installed via a drive-by download or any number of other ways. The ProxyBack malware first registers itself with a central system, where it sets up the bidirectional connection needed to provide the network proxy service. Both this setup and the network traffic from the proxy service can be detected using the indicators of compromise that Palo Alto released in its report.

It appears that the specific purpose of the ProxyBack malware is to supply anonymous Internet proxies for a Russian proxy service. This could allow an attacker to obfuscate the source of an attack, or let an individual use the proxy exit node to bypass regional content restrictions imposed by their local networks, governments or businesses. Palo Alto Networks released an IPS signature so customers can detect and block ProxyBack traffic. Enterprises should also inspect and analyze outbound network traffic for suspicious addresses, and verify that the traffic is being generated by a legitimate user rather than by malware.
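As an added illustration of the outbound-traffic inspection recommended above (example code written for this page, not code from the article or from Palo Alto Networks), the following Python heuristic flags an internal host that contacts a placeholder indicator and also holds a long-lived session while fanning out to many external destinations, the traffic shape a proxy bot produces. The log format, the RFC 1918 definition of "internal", the thresholds and every address are assumptions; the indicator value is a placeholder, not one of the report's IOCs.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Placeholder indicator; the real ProxyBack indicators are the ones in Palo Alto's report.
KNOWN_BAD = {"203.0.113.10"}
# Assumption: only RFC 1918 space counts as "inside"; everything else is an external destination.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conn_log(text):
    """Parse 'ts src dst dport duration' records into (src, dst, duration) tuples."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment header
        _ts, src, dst, _dport, duration = line.split()[:5]
        flows.append((src, dst, float(duration)))
    return flows

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def detect_proxy_bots(flows, min_control_secs=600, min_fanout=10):
    """Return {src_host: [reasons]} for hosts whose outbound traffic looks like a proxy bot."""
    by_src = defaultdict(list)
    for src, dst, duration in flows:
        if is_external(dst):
            by_src[src].append((dst, duration))
    findings = {}
    for src, out in by_src.items():
        reasons = []
        hits = sorted({dst for dst, _ in out if dst in KNOWN_BAD})
        if hits:
            reasons.append("ioc_match:" + ",".join(hits))
        # A proxy bot keeps a long-lived channel to its controller open while relaying
        # other people's requests to many unrelated external hosts.
        has_control = any(d >= min_control_secs for _, d in out)
        fanout = len({dst for dst, _ in out})
        if has_control and fanout >= min_fanout:
            reasons.append(f"long_session_plus_fanout:{fanout}")
        if reasons:
            findings[src] = reasons
    return findings

# Constructed sample (not real traffic): 10.0.0.5 holds a one-hour session to the placeholder
# indicator and then reaches a dozen distinct external hosts; 10.0.0.7 makes one short session.
SAMPLE_LOG = "\n".join(
    ["# ts src dst dport duration",
     "1000.0 10.0.0.5 203.0.113.10 443 3600.0",
     "1005.0 10.0.0.7 198.51.100.2 443 12.0"]
    + [f"{1010 + i}.0 10.0.0.5 198.51.100.{i} 80 2.5" for i in range(1, 13)]
)
```

Running `detect_proxy_bots(parse_conn_log(SAMPLE_LOG))` reports only 10.0.0.5, with both reasons; the fan-out threshold is what separates a proxy bot from a host that merely keeps one long VPN or chat session open.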


This was last published in May 2016
