Monday 15 October 2012

Proxy service infects users

Here’s a fun fact: Not all cybersecurity services are equal.  Some might offer great monthly rates, but terrible bandwidth. Others might seem fast, but cost an arm and a leg. Still others might infect you with malware and turn your computer into a digital zombie.

That’s exactly what happened to hundreds of thousands of users subscribed to the Russian proxy service ProxyBox.

For the uninitiated, proxy services, like VPNs, allow users to connect to the internet through servers that assign a new IP address and location to the user. Unlike VPNs, proxy servers hardly encrypt anything and operate on speeds comparable to the United States Postal Service.

Anyhow, this particular site charged users $40/month for access to an extensive list of proxy servers all over the world. Not a bad deal for access to thousands of servers. The catch, though, is your computer is immediately enlisted in a botnet army using a Trojan called Backdoor.Proxybox.

As security company Symantec investigated the malware, researchers discovered it was also tied to three other websites, but all linked to one user.

The advertisements by this user provide a link between four dubious websites, all authored by the same individual: an entrepreneurial Russian hacker. These websites all revolve around proxies and malware distribution. One website provides proxy access (, another provides VPN services (, one provides private antivirus scanning (, and one provides proxy testing services ( These four sites are also connected by static cross-linking advertisements. The author of these websites provides the same ICQ support number to the users of the Web services. Several of these websites offer services for money and the payment gateways used are always the same: WebMoney, Liberty Reserve, and RoboKassa. 
We started to look into the payment accounts associated with these websites, and found out that they were tied to an individual with a Ukrainian name living in Russia. The additional details associated with this WebMoney account are undisclosed as we work with law enforcement in countries associated with the command-and-control servers.

1 comment:

  1. This comment has been removed by a blog administrator.