Malware proxy server
As discussed in an earlier post (When You Can’t Tell Good From Bad), it is not always possible to categorize IT security threats reliably enough to prevent malware from being injected into an organization. Let’s examine a prime example of how malware evades categorization, and therefore detection: the nonconsensual deployment of proxy servers on victim machines.
Malware often installs a network proxy on the victim’s machine so that attackers can relay Internet traffic through the victim’s computer: the true origin of the traffic remains hidden, and various filtering mechanisms can be bypassed. Infecting machines to turn them into open proxies for nefarious activities is nothing new. Back in 2007, the well-documented case of the Storm botnet showed the world how millions of infected hosts were used as proxies to send billions of spam emails without revealing the location of the botnet’s command-and-control (C&C) infrastructure. This kind of distributed spamming is very difficult to detect, because the messages appear to originate from a vast number of “innocent” computers and networks. The Storm botnet was reported to be more powerful than all of the world’s top supercomputers of that time combined (source: InformationWeek).
While Storm targeted Windows machines, a similar and much more recent example targeted Linux and BSD servers. Although generally considered more secure than Windows desktops, these UNIX servers were compromised and fitted with a backdoor that turned each infected server into a zombie relay for spam email. Dubbed Mumblehard by the ESET researchers who discovered it in April 2015, this Trojan-based botnet had operated undetected for over five years (source: Linux Journal).
ProxyBack – The Latest Generation of Malware Proxies
One challenge faced by attackers who want to use illegitimate proxy servers is that most corporate firewalls (and other network-based defenses) block the incoming connections a C&C server would normally use to deliver instructions and content to its zombie proxies.
In December 2015, security researchers at Palo Alto Networks described a botnet, dubbed ProxyBack, whose more advanced malware runs on infected machines behind corporate firewalls. Present in the wild since at least March 2014, the malware sidesteps the inbound-connection problem by having the infected host initiate the TCP connection to the C&C server (source: Palo Alto Networks). Because the connection is outbound and looks to the firewall like standard, legitimate HTTP traffic, it is a wolf in sheep’s clothing: the firewall permits the initial connection and, since it only enforces who may open a connection, lets the subsequent bi-directional traffic flow unimpeded. Once the connection is established the roles reverse: the C&C server pushes its requests back down the connection and the infected “client” services them, acting as a proxy for the server. ProxyBack’s zombies thus receive their instructions and send their nefarious traffic out through the corporate network unhindered.
The important point is that a network firewall is of little help in this situation: it enforces which side is the client and which is the server at the network level, and that distinction becomes meaningless once the bot opens the connection itself. (As the Palo Alto Networks researchers note, this specific ProxyBack variant is easy to detect now that it has been analyzed, because the malware sends “pb” as its User-Agent header instead of a standard browser User-Agent string, but that is a trivial loophole for the attackers to close.)
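The role reversal described above, and the User-Agent signature check that follows it, as an added illustrative example (this is not ProxyBack’s code, nor Palo Alto Networks’ analysis tooling). The length-prefixed JSON framing, the threading harness, the stub fetcher and the log entries are all constructed for the demo; the only parts taken from the text are the direction of the connection (the bot connects out, the server then issues requests through it) and the “pb” User-Agent string. Everything runs over loopback with no real network access.

```python
"""Reverse-connecting proxy bot, simulated over loopback (illustrative only)."""
import json
import socket
import struct
import threading
from typing import Optional

_HDR = struct.Struct("!I")  # 4-byte big-endian length prefix (assumed framing, not ProxyBack's)


def send_frame(sock: socket.socket, obj: dict) -> None:
    """Send one length-prefixed JSON frame."""
    data = json.dumps(obj).encode()
    sock.sendall(_HDR.pack(len(data)) + data)


def recv_exact(sock: socket.socket, n: int) -> Optional[bytes]:
    """Read exactly n bytes, or None on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def recv_frame(sock: socket.socket) -> Optional[dict]:
    """Read one frame; None on clean EOF."""
    hdr = recv_exact(sock, _HDR.size)
    if hdr is None:
        return None
    body = recv_exact(sock, _HDR.unpack(hdr)[0])
    return None if body is None else json.loads(body)


def stub_fetch(url: str, headers: dict) -> str:
    """Stand-in for the bot's real outbound HTTP request (constructed, no network)."""
    return f"<html>fetched {url} as {headers['User-Agent']}</html>"


def run_bot(cnc_addr, fetch, proxy_log: list) -> None:
    """Victim side. This is the only connection the firewall ever sees, and it is OUTBOUND.
    After it is up the roles reverse: the 'client' services requests pushed by the server."""
    with socket.create_connection(cnc_addr) as s:
        while True:
            cmd = recv_frame(s)
            if cmd is None or cmd["op"] == "quit":
                break
            headers = {"User-Agent": "pb"}  # the tell-tale header noted in the Palo Alto write-up
            body = fetch(cmd["url"], headers)
            # What a corporate web proxy would log: a request from an internal host.
            proxy_log.append({"client": "victim", "url": cmd["url"], "ua": headers["User-Agent"]})
            send_frame(s, {"id": cmd["id"], "status": 200, "body": body})


def run_cnc(listener: socket.socket, urls: list) -> list:
    """Attacker side: wait for a bot to call home, then use it as a proxy for each URL."""
    results = []
    conn, _ = listener.accept()
    with conn:
        for i, url in enumerate(urls):
            send_frame(conn, {"id": i, "op": "fetch", "url": url})
            results.append(recv_frame(conn))
        send_frame(conn, {"id": -1, "op": "quit"})
    return results


def simulate(urls: list):
    """Run one C&C/bot session over loopback; returns (cnc_results, proxy_log)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    addr = listener.getsockname()
    proxy_log: list = []
    results: list = []
    t = threading.Thread(target=lambda: results.extend(run_cnc(listener, urls)))
    t.start()
    run_bot(addr, stub_fetch, proxy_log)  # victim initiates; no inbound connection needed
    t.join()
    listener.close()
    return results, proxy_log


def flag_pb_user_agent(proxy_log: list) -> list:
    """Signature check from the Palo Alto write-up: flag requests whose User-Agent is exactly 'pb'.
    Trivial for the attacker to defeat by changing one string, which is the page's point."""
    return [e for e in proxy_log if e["ua"] == "pb"]


if __name__ == "__main__":
    res, log = simulate(["http://example.test/a", "http://example.test/b"])
    print("C&C received:", [r["body"] for r in res])
    print("flagged by signature:", flag_pb_user_agent(log))
```

Running it shows the whole exchange riding on a single outbound TCP connection: from the firewall’s point of view the victim is an ordinary client, yet it is the C&C server that decides which URLs get fetched. The `flag_pb_user_agent` check catches this variant in the proxy log, but only because the string is still “pb”; swap the header for a browser User-Agent and the signature is silent, which is why the text argues for validating at the application layer rather than matching known strings.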
Isolation is the Only Solution
Firewalls and other perimeter defenses (including traditional proxy servers) cannot differentiate between traffic from normal Web browsers and malicious, proxy-originated traffic unless the traffic’s destination is already known to be malicious. In other words, malware detection by categorization is not a reliable solution. To complement and enhance categorization, many vendors offer real-time intelligence and risk-rating capabilities. But even these so-called “advanced capabilities” are reactive in nature and are no match for the high volume of short-lived, dynamically generated domains added every day, which let cyber criminals bypass such measures (source: BlueCoat).
The only comprehensive defense against malware-proxy (and similar) attacks is to isolate the malware: prevent it from ever reaching the target machine in the first place, and go deeper than the network layer, into the application layer, to validate that outbound network traffic originates from a real Web browser operated by a real user.