Palo Alto Networks researchers have discovered a malware family, dubbed ProxyBack, that somehow transforms infected systems into Internet proxies. How does this ProxyBack malware work, and what is the purpose of turning victims' systems into anonymous Internet proxies?
Using a proxy can help an individual protect their privacy, much like using Tor, but Internet proxies can also be used to obfuscate the true source of an attack. One of the difficult aspects of using source IP addresses in attack attribution is that the source IP could be an open proxy, or it could be a compromised system being used as a proxy. This challenge has existed for as long as the Internet has and is not new. Attackers know this and frequently use it to their advantage, and malware authors have now started building the proxy functionality directly into their malware.
Palo Alto doesn't specify how the malware gets onto the endpoint, but it could be installed via a drive-by download or any number of other ways. Once running, ProxyBack registers itself with a central server and establishes the persistent, bidirectional connection needed to provide the proxy service: the server relays proxy customers' requests to the infected system over that connection, and the infected system makes the final connection to the destination, so it is the victim's IP address that the destination sees. Because the infected host only ever connects outward, no inbound port or firewall exception is required, which is what makes an ordinary workstation behind NAT usable as an exit node. Both the registration traffic and the relayed proxy traffic can be detected using the indicators of compromise that Palo Alto released in its report.
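To make the back-connect design concrete, here is an added example (written for this page, not code from Palo Alto's report or from ProxyBack itself) that runs all three parties on loopback: a stand-in "target" server, the operator's controller, and a victim-side implant that opens only an outbound connection. The length-prefixed JSON framing, the function names and the port layout are assumptions for the demonstration; the point it shows is that the implant never listens for anything, yet the target sees the request arrive from the implant rather than from the proxy customer.

```python
import json
import socket
import struct
import threading

# Wire format between controller and implant (constructed for this example):
# a 4-byte big-endian length followed by a JSON object.
def send_frame(sock, obj):
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(body)) + body)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf

def recv_frame(sock):
    (n,) = struct.unpack("!I", recv_exact(sock, 4))
    return json.loads(recv_exact(sock, n))

def listen_local():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    s.listen(5)
    return s

def target_server(listener):
    # Stands in for a destination on the Internet. The only peer it ever
    # sees is the implant (the victim), never the proxy customer.
    conn, _ = listener.accept()
    with listener, conn:
        data = conn.recv(4096)
        conn.sendall(b"TARGET echo: " + data)

def implant(controller_addr):
    # Victim side. It opens no listening socket: one outbound connection to the
    # controller is all it needs, which is why it works behind NAT and host
    # firewalls and why defenders have to look at egress rather than ingress.
    with socket.create_connection(controller_addr) as ctl:
        while True:
            try:
                req = recv_frame(ctl)
            except ConnectionError:
                return  # controller went away
            with socket.create_connection((req["host"], req["port"])) as out:
                out.sendall(req["data"].encode("latin-1"))
                reply = out.recv(4096)
            send_frame(ctl, {"data": reply.decode("latin-1")})

def controller(ctl_listener, client_listener, target_addr, n_clients):
    # Operator side: wait for the implant to call home, then relay each
    # customer's request down the tunnel and the reply back up.
    impl, _ = ctl_listener.accept()
    with ctl_listener, impl:
        for _ in range(n_clients):
            client, _ = client_listener.accept()
            with client:
                data = client.recv(4096)
                send_frame(impl, {"host": target_addr[0], "port": target_addr[1],
                                  "data": data.decode("latin-1")})
                resp = recv_frame(impl)
                client.sendall(resp["data"].encode("latin-1"))
    client_listener.close()

def proxy_through_victim(request):
    """Run all three parties on loopback and return what the customer receives."""
    tgt_l, ctl_l, cli_l = listen_local(), listen_local(), listen_local()
    threads = [
        threading.Thread(target=target_server, args=(tgt_l,), daemon=True),
        threading.Thread(target=controller,
                         args=(ctl_l, cli_l, tgt_l.getsockname(), 1), daemon=True),
        threading.Thread(target=implant, args=(ctl_l.getsockname(),), daemon=True),
    ]
    for t in threads:
        t.start()
    # Proxy customer: talks only to the controller and never touches the
    # victim or the target directly.
    with socket.create_connection(cli_l.getsockname()) as c:
        c.sendall(request)
        reply = c.recv(4096)
    for t in threads:
        t.join(timeout=5)
    return reply

if __name__ == "__main__":
    print(proxy_through_victim(b"GET / HTTP/1.0\r\n\r\n"))
```

The relay is deliberately one request per frame with no encryption or authentication, which is enough to show the traffic direction; a real service multiplexes many customer streams over the same tunnel, and that single long-lived outbound session is the defender's first observable.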
It appears that the specific purpose of ProxyBack is to supply anonymous exit nodes for a Russian proxy service. This lets an attacker obfuscate the source of an attack, or lets an individual use the proxy exit node to bypass regional content restrictions imposed by their local network, government or business. Palo Alto Networks released an IPS signature so its customers can detect and block ProxyBack traffic. Enterprises should also inspect and analyze outbound network traffic for connections to suspicious addresses and confirm that the traffic is being generated by a legitimate user rather than by malware; a long-lived outbound session to one external host, followed by a stream of connections to many unrelated destinations, is the pattern a back-connect proxy leaves behind.
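The following is an added example of that outbound-traffic check, not a tool from Palo Alto or from the report: it runs two tests over constructed flow records in a simplified connection-log layout. The first matches destinations against an indicator list (the single address used here is a placeholder standing in for the published IOCs, not a real indicator); the second looks for the behavioural signature of a back-connect proxy, a session lasting longer than an hour to one host combined with a high fan-out of distinct destinations. All addresses are from documentation ranges and the thresholds are assumptions to be tuned per environment.

```python
import csv
import io
from collections import defaultdict

# Constructed outbound flow records (not from any real capture).
# Columns: ts, src, dst, dport, duration_s, orig_bytes, resp_bytes.
def constructed_flows():
    rows = ["ts,src,dst,dport,duration_s,orig_bytes,resp_bytes"]
    # 10.0.0.5: one long-lived outbound session to a single external host ...
    rows.append("1450000000,10.0.0.5,203.0.113.10,443,7200,9000000,8500000")
    # ... followed by short connections to many unrelated destinations.
    for i in range(1, 41):
        rows.append(f"14500001{i:02d},10.0.0.5,198.51.100.{i},80,2,600,15000")
    # 10.0.0.7: an ordinary workstation with a handful of destinations.
    for i, dst in enumerate(["203.0.113.20", "203.0.113.21", "203.0.113.22"]):
        rows.append(f"1450001{i:03d},10.0.0.7,{dst},443,30,4000,90000")
    return "\n".join(rows)

def parse_flows(text):
    reader = csv.DictReader(io.StringIO(text))
    return [{**r, "dport": int(r["dport"]), "duration_s": float(r["duration_s"]),
             "orig_bytes": int(r["orig_bytes"]), "resp_bytes": int(r["resp_bytes"])}
            for r in reader]

def flag_proxy_hosts(flows, ioc_addrs, min_session_s=3600, min_fanout=25):
    """Return {src: [reasons]} for hosts whose egress looks like a back-connect proxy."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    findings = {}
    for src, fl in by_src.items():
        reasons = []
        # Test 1: any destination on the indicator list (placeholder list here).
        hits = sorted({f["dst"] for f in fl if f["dst"] in ioc_addrs})
        if hits:
            reasons.append(f"contacts indicator address(es): {', '.join(hits)}")
        # Test 2: a persistent control session plus many distinct destinations,
        # which is what a host relaying other people's traffic produces.
        long_sessions = [f for f in fl if f["duration_s"] >= min_session_s]
        fanout = len({f["dst"] for f in fl})
        if long_sessions and fanout >= min_fanout:
            ctl = long_sessions[0]
            reasons.append(
                f"{ctl['duration_s']:.0f}s session to {ctl['dst']}:{ctl['dport']} "
                f"plus connections to {fanout} distinct destinations")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    placeholder_iocs = {"203.0.113.10"}  # stand-in, not a published indicator
    for host, why in flag_proxy_hosts(parse_flows(constructed_flows()), placeholder_iocs).items():
        print(host, "->", "; ".join(why))
```

The behavioural test is the one that still fires after the operator rotates infrastructure and the indicator list goes stale, so it is worth keeping even once the IOCs are loaded; it will also catch legitimate relays such as a sanctioned VPN concentrator, which is why the output is a list of reasons for an analyst rather than an automatic block.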
Related Q&A from Nick Lewis