Palo Alto Networks researchers have discovered a malware family, dubbed ProxyBack, that transforms infected systems into Internet proxies. How does the ProxyBack malware work, and what is the purpose of turning victims' systems into anonymous Internet proxies?
Using a proxy can help an individual protect her privacy, much like using Tor, and Internet proxies can also be used to obfuscate the true source of an attack. One of the difficult aspects of using source IP addresses in attack attribution is that the source IP could be a proxy, or it might be a compromised system being used as a proxy. This challenge has existed for as long as the Internet has and is not new. Attackers know this and frequently use it to their advantage. Malware authors have even started to incorporate proxy functionality directly into malware.
Palo Alto Networks doesn't specify how the malware gets onto the endpoint, but it could be installed via a drive-by download or any number of other ways. Once running, the ProxyBack malware first registers itself with a central system and then sets up the bidirectional connection necessary to provide the proxy service: the infected host connects outbound to the operator's infrastructure, which then pushes requests down that connection for the host to fetch on its behalf (hence the "back" in ProxyBack; the victim does not need an inbound-reachable port). Both the registration and the ongoing proxy traffic can be detected using the indicators of compromise that Palo Alto Networks released in its report.
It appears that the specific purpose of the ProxyBack malware is to provide anonymous Internet proxies for a Russian proxy service. This could allow an attacker to obfuscate the source of an attack, or allow an individual to use the proxy exit node to bypass regional content restrictions imposed by their local networks, governments or businesses; in either case, the victim's IP address is what shows up in the target's logs. Palo Alto Networks released an IPS signature so customers can detect and block ProxyBack traffic. Enterprises should also inspect and analyze outbound network traffic, both for connections to the published indicator addresses and for long-lived outbound connections over which a host relays content fetched from many unrelated destinations, to ensure the traffic is being generated by a legitimate user instead of malware.
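The outbound-traffic analysis described above, as an added example that is not part of the original article and not the Palo Alto Networks signature: it reads a constructed flow log, matches destinations against a placeholder indicator list (RFC 5737 documentation addresses standing in for the real IOCs, which you would substitute from the vendor report), and separately flags the reverse-proxy relay pattern, namely a long-lived outbound "control" connection whose upload volume roughly equals everything the host fetched from many other destinations. Thresholds and the log format are assumptions for the example.

```python
"""Flag hosts whose outbound flows look like a reverse-connect proxy bot.

Added example, not the original article's or vendor's code. Two heuristics:
  ioc_match      - any flow to an address on the (placeholder) indicator list
  relay_pattern  - one long-lived outbound connection (the control channel)
                   whose upload volume roughly equals everything the host
                   pulled from many other destinations, i.e. the host is
                   fetching content on someone else's behalf
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder indicators in RFC 5737 documentation ranges.
# These are NOT the real ProxyBack IOCs; load the vendor's list here instead.
IOC_ADDRESSES = {"203.0.113.10", "203.0.113.11"}


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent by src to dst
    bytes_in: int    # bytes received by src from dst
    duration: int    # seconds the connection stayed open


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: ts src dst dport out in duration."""
    ts, src, dst, dport, out, inn, dur = line.split()
    return Flow(int(ts), src, dst, int(dport), int(out), int(inn), int(dur))


def analyze(lines, min_ctrl_duration=600, min_distinct_dst=5, echo_ratio=0.8):
    """Return {src_host: [reasons]} for hosts matching either heuristic."""
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            f = parse_flow(line)
            by_src[f.src].append(f)

    findings = {}
    for src, flows in by_src.items():
        reasons = []
        if any(f.dst in IOC_ADDRESSES for f in flows):
            reasons.append("ioc_match")
        # Candidate control channels: long-lived outbound connections.
        for ctrl in (f for f in flows if f.duration >= min_ctrl_duration):
            others = [f for f in flows if f.dst != ctrl.dst]
            fetched = sum(f.bytes_in for f in others)
            distinct = len({f.dst for f in others})
            # Content pulled from many sites is echoed back up the channel.
            if (distinct >= min_distinct_dst and fetched > 0
                    and ctrl.bytes_out >= echo_ratio * fetched):
                reasons.append("relay_pattern")
                break
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample flow log (not captured traffic).
# Columns: ts src dst dport bytes_out bytes_in duration
SAMPLE_FLOWS = """
# 10.0.0.5: holds a channel open to the controller, fetches six sites and
# pushes their content back up that channel
1000 10.0.0.5 203.0.113.10 443 52000 1500 3600
1010 10.0.0.5 198.51.100.1 80 400 9000 2
1020 10.0.0.5 198.51.100.2 443 500 12000 3
1030 10.0.0.5 198.51.100.3 80 300 8000 2
1040 10.0.0.5 198.51.100.4 443 600 11000 4
1050 10.0.0.5 198.51.100.5 80 350 7000 2
1060 10.0.0.5 198.51.100.6 443 450 6000 3
# 10.0.0.7: ordinary short browsing sessions
1000 10.0.0.7 198.51.100.20 443 700 30000 4
1005 10.0.0.7 198.51.100.21 443 900 45000 6
# 10.0.0.8: only the registration with the controller was seen
1100 10.0.0.8 203.0.113.11 8080 300 200 5
# 10.0.0.9: long-lived video stream, mostly inbound, few destinations
1000 10.0.0.9 198.51.100.50 443 5000 900000 3000
1200 10.0.0.9 198.51.100.51 443 600 20000 3
1300 10.0.0.9 198.51.100.52 80 200 4000 1
""".splitlines()

if __name__ == "__main__":
    for host, why in analyze(SAMPLE_FLOWS).items():
        print(host, ",".join(why))
```

The relay heuristic is deliberately coarse: a legitimate upload to a single long-lived destination after heavy downloading (a backup agent, a sync client) can trip it, so treat `relay_pattern` as a triage lead to be confirmed by packet inspection, and expect the indicator list to age as the operators rotate infrastructure.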