ProxyBack technical analysis: can turn your computer into a proxy server malware

ProxyBack technical analysis: can turn your computer into a proxy server malware

On the Internet, anonymous proxy plays an important role in protecting personal privacy. However, when someone turns their system into a proxy server without permission, their situation is dangerous.

Palo Alto Networks researchers have discovered a family of malware called ProxyBack and discovered that since March 2014, more than 20 versions of malware in this family have infected user systems.

Through the Palo Alto network, we can see that the main target of ProxyBack infection is education institutions in Europe.

 

 

Figure 1: ProxyBack distribution chart

In this report, we will go deep into the behavior of the most recent ProxyBack sample, using this proxy service to study how it builds a victim proxy and analyzes its traffic.

??ProxyBack malware??

As an effective proxy, network traffic must flow smoothly through the proxy. In typical settings, this function can be implemented by specifying to allow the proxy system to receive traffic on the network socket, and then forwarding the network traffic as its own traffic.

 

Figure 2: Classic proxy settings

The problem with illegal proxy is that network traffic is destined to reach the proxy server. However, this proxy server is a damaged system, therefore, network traffic is usually unable to reach the firewall or other network-based restrictions.

 

Figure 3: Typical settings of the company firewall to prevent users from accessing the victim proxy

ProxyBack overcomes this obstacle by establishing a reverse tunnel over TCP to connect to the proxy server controlled by attackers. In other words, it has a victim proxy that was originally called a home, allowing the proxy server to send traffic over the Internet or to internal devices on other networks through tunnels.

 

Figure 4: The victim agent establishes a tunnel connected to a hacker-controlled service

1. The victim proxy creates a hole in the firewall by establishing a TCP connection with the hacker-controlled proxy server.

2. the proxy server verifies that it can access the victim proxy and route traffic to the Internet through the victim proxy.

3. the proxy server user can now route traffic out through a hacker-controlled proxy and end any verified victim proxy.

4. The victim proxy does not want to route web traffic to the Internet.

??ProxyBack Analysis??

To establish this tunnel, ProxyBack will first establish a connection to a PHP file on the web server, which contains the URL of another PHP file on the same server. The subsequent PHP file will send commands to the original web server through malware, and extract the information used to set the proxy. It is observed that each GET request method since the beginning of 2014 contains a User-Agent field with a string of "pb", which looks insignificant.

 

 

Figure 5: User-Agent "pb"

The first parameter of the "command" variable is "getip", which is used to retrieve the public ip address of the victim proxy.

 

Figure 6: "command = getip"

The second parameter of the "command" variable is "getid", which is used to retrieve the ID of the victim proxy, which will be used in subsequent commands to track the victim proxy. According to preliminary assessment, the number of IDS has increased to 11149 so far, which means there may be 11149 machines infected with the victim's proxy machine.

 

Figure 7: "command = getid"

The third parameter of the "command" variable is "ghl", which is used to receive base64-encoded URLs. This URL points to a PHP file, which contains the URL pointing to another PHP file. However, this subsequent URL does not appear during the analysis.

 

Figure 8: "command = ghl"

The fourth parameter of the "command" variable is "dl", which receives the base64 encoded string "fA =" to separate Subsequent commands.

 

Figure 9: "command = dl"

The fifth parameter of the "command" variable is "version", which is changed during the analysis. At first, the URL contains the ID of the victim proxy. The variable "version" is provided through the "command" parameter. Now, the URL contains the version information of the running malware, the victim proxy ID, and the target operating system information.

 

Figure 10: Old parameter "command = version"

 

Figure 11: The new parameter "command = version" with the current system version information

In addition, ProxyBack can report the version of the operating system, which indicates that it can run in these operating systems.

 

Figure 12: Operating System

The Fifth command returns the same version information. The "version" variable receives a base64 encoded string that contains the version number of the malware and the URL pointing to the version, separated by the previously retrieved string. Another change is in the previous format: 17.exe ", 20.exe", and ike41.exerespectively. on the contrary, in April November 2015, "on" and "skyjfasters [.] com", sky2.1.exe "was created ".

 

Figure 13: Old "command = version" response

 

Figure 14: New "command = version" response

 

Figure 15: New "command = version" response

At this point, if the malware version runs away from the version returned before the program, it uses the GET Request Method to download the version provided in the output variable "version. Then, the program restarts, but the previously assigned ID value must be kept.

 

Figure 16: Download a new version

The following variable is "getbackconnect", which is assigned to the "command" parameter. Used to obtain the IP address and port number of the remote operating system, and use this information to establish a reverse connection tunnel on the victim proxy.

 

Figure 17: "command = getbackconnect"

Once the ProxyBack malware obtains this information, it starts to establish this TCP session. For this special sample, the session port number is "495". After the TCP handshake is complete, a series of PSHACK flag Packages containing additional data are sent back to control the following process.

The first packet in this series is sent from the victim proxy to the malicious proxy server, which contains a serial number followed by an empty byte, followed by two bytes as the separator for the remaining data.

 

Figure 18: sequence 1, initial PSHACK package

The proxy server responds to the next packet reported by this sequence to inform the malicious software of which IP address and port should be passed as a variable to the next GET Request Method sent to the original server. The last two bytes tell the malware which socket opens the TCP connection to transmit data through the TCP tunnel.

 

Figure 19 sequence 2, 0x2EA5DED4 = 46.165.222.212, 0x13FC = 5116, 0x13FC = 5114

Now, ProxyBack assigns the variable "update2" to the "command" parameter and carries additional data received from PSHACK. The Web server simply returns "OK ".

 

Figure 20: "command = update2"

The next PSHACK package of this series of PSHACK packets is sent to the victim service and the malware is notified to create a TCP session on the additional port provided by the second sequence of the PSHACK package.

 

Figure 21: sequence 3, stop, and enumeration

 

Figure 22: enumeration Port

The victim proxy sends the fourth PSHACK packet to inform the proxy server that it is ready to continue the new port.

 

Figure 23: sequence 4, continuous

Similar to the first package of the PSHACK sequence, the proxy server uses a separator to initialize sessions for subsequent commands.

 

Figure 24: sequence 5, new Separator

In addition, it is worth noting that the value after the serial number is 0 × 02. This seems to indicate the additional commands followed by this phase, or the expected number of packages. The response returned by the victim proxy is 0 × 0500, and then the proxy server sends the final packet in this sequence. This packet contains the IP address and target port number, proxyBack malware will use this IP address and port number to open a TCP session.

 

Figure 25 sequence 5, 0xbc731663 = 188.116.23.99, 0 × 0050 = 80

 

Figure 26: three handshakes completed

After the handshake is complete, the victim proxy notifies the proxy server to act as the source IP address and source port of the last PSHACK packet in sequence 5 of the three handshakes. As the final verification step, the proxy server establishes a TCP/5114 method in the tunnel to send a GET request, and then the victim proxy can forward the traffic.

 

Figure 27: Verify the victim proxy

The data returned from 188.116.23.99 is sent back to 46.165.222.212 as the PSHACK package data on TCP/5114. This completes the verification phase. The proxy server IP address and key contained in the URL are of interest. The returned data is a serialized configuration file in PHP format that contains web server information. The variable "secret_string" and configuration file in the URL have not changed since the first sample in December March 2014.

 

Figure 28: returned configuration file

After the verification is complete, the traffic can flow through the victim proxy.

 

Figure 29: traffic flows through the victim proxy

Every 27 minutes, ProxyBack malware on the victim's machine sends the variable "update" to the "command" parameter in the PHP file on the original web server, to determine whether to change the malicious proxy and update the malicious software.

 

Figure 30: Software Update

As the end content of this section, it is a valid command for the new and old versions of ProxyBack malware. During the entire period of observation of malware, neither the "log" nor "update" variables were passed to the "command" parameter.

 

Figure 31: valid commands

?????????

??Conclusion

When the system is infected with ProxyBack, a large amount of traffic will be routed. Obviously, both legal users and malicious users use the SOCKS proxy service. Users using such services should know that their traffic is neither anonymous nor secure.

After review, most of the traffic routed through the victim's proxy comes from the counterfeit account automatically created by the system and directs the customer to the dating website, for example, "farmersonly.com", "match.com", "meetme.com", and "okcupid.com ". Legitimate traffic includes websites such as eBay, Twitter, Craigslist, Facebook, and Wikipedia.

Review the website "buyproxy.ru" we observed during our analysis. This is the only proxy server we have captured. Looking at this traffic, we found that within less than four hours of capturing, there was a getrequest sent to http://buyproxy.ru/proxy/, listing the proxy information of the publisher.

 

Figure 32: network resources containing the victim Proxy Information

Interestingly, the reverse PTR record of our victim proxy is shown in the sixth column, while the second column shows users that may have been connected to the malicious proxy server.

 

Figure 33: proxy server "185.72.244.171"

In buyproxy [.] in the Q & a area of the ru site website, they declared that they had been engaged in business for more than seven years and only provided private agents. On average, the agent volume is 700-3000 per day, and the agent usually only exists within 4-24 hours, you do not need to log on. They use a background proxy. This proxy uses a shared IP address to connect, but will assign an IP address to exit the connection. In addition, on their home page, they boast that their connections are encrypted and use proprietary traffic tunnels.

The logon page of this website provides three proxy options:

1. "Private proxy"-supported by "buyproxy [.] ru" 2. "Public proxy list"-Public proxy 3. "Personal proxies"-delegate to buyer agent

 

Figure 34: "buyproxy [.] ru" Main Menu

On the "Private proxy" page, we found that our victim proxy is located in the United States, and the most prominent yellow entry is the entrance. This feature is the same as our victim proxy. The IP addresses listed above do not match the domain name, which may imply that they are also victim proxies.

 

Figure 35: Victim proxy

Whether or not the people behind "buyproxy [.] ru" are responsible for the distribution of ProxyBack malware, it is obvious that ProxyBack is designed to use their services.

The ProxyBack network has released IPS signature 14864 to detect and block ProxyBack traffic.

??Proxy service IPs??

5.9.212.535.79.85.21246.38.51.4946.165.193.6746.165.222.21246.165.223.19362.75.255.5269.64.32.11085.17.30.8991.121.193.5091.185.215.13793.189.40.16493.189.42.993.189.42.43104.238.173.238108.59.9.15185.72.244.171185.72.246.23194.247.12.11194.247.12.49213.229.102.157217.172.179.88

??User-Agents??

Pb

??Mutex lock??

PB_MAIN_MUTEX_GL_63785462387PB_SCH_MUTEX_GL_A58B78398f17PB_SN_MUTEX_GL_F348B3A2387

??Web Server??

bugertwist[.]com/vb.phpbugertwist[.]com/memb.phpcreativanalyticks[.]com/va.phpcreativanalyticks[.]com/spool.phpczonainsit4e[.]com/ocfg.phpdepasistat[.]com/home.phpdrythisworld[.]com/main.phphclickmeterg[.]com/solomon.phpheljeanvos[.]com/q.phpheljeanvos.com/eome.phpiholpforyou4[.]com/d_index.phplancer-moto[.]com/cfg.phpmarkovqwesta[.]com/que.phpmasyaget[.]com/dse.phpmasyaget.com/wed.phpmintoolses[.]com/mint.comnsit4esite[.]com/faq.phpnsit4esite[.]com/mod_rw.phppapausafr[.]com/psin.phppllsest2[.]com/pils.phpqforumjail[.]com/faq.phprobjertovines[.]com/sta.phpsinglearthousse[.]com/ocfg.phpskyjfasters[.]com/do.phpsolocoufandle[.]com/md.phpsweedfolz[.]com/list.phptexasgodchang[.]com/teh.phptruedonell[.]com/fa.phpuarushelp[.]com/fix.phpxclotusm[.]com/go.phplittlepartygodd[.]com (not yet used)solognomwedgt[.]com (not yet used)

??HTTP command??

php?command=getidphp?command=getipphp?command=update&id=php?command=update2&id=php?command=version&id=php?command=getbackconnectphp?command=ghl&id=php?command=dl&id=php?command=log&id=

??HTTP string??

BER5w4evtjszw4MBRW

??Sample hash??

938eb65b201ffe2b95b8004d51eea4343ac1c2e5307acf0aabb0e310f33949ce | sof1.8.exeea86ea5ecc8a63db91bd528a78db5e71734be9693dcda860044fbe522a6e1b4b | sof1.7.exe87bc6ae4d46c460c58ac4131ad15e0c8f217e2152efb2c23b23a4d51852abdb9 | sof1.6.exe452511487941bcc6fbc5b3e76859740837df20e86121db9fb5be3f1456a3e653 | sof1.4.exe96b9a8024f5796a610402ac857d318d00951b661c2bc96b91878b3c970c7de14 | 11.exef79059de5345197935581365bc11a25afe8ad77eac82b128068543c2f15ec8fb | 12.exeb74b0d1e68c201047eeb2dfeaf6b7ffc6ff29cccff8e6acbf25f560fff66f36b | 13.exe544269fa321651535bf30e8b07e7a19eb2407e3cc16c121333fa2d9e5ee5d4b2 | 14.exe6ab78fc4263af8e7f76cc66e4d0f610a1990237bd48550c84f7c5b03e79ac5e0 | 15.exe897fa587053e6997288b94ebf3a56f0f5c63053643faf0df48882b69a5788319 | 16.exedb7952c408a62d7bb5747f917db554aa5aff19faa76b80d8ab0c47cb461fe53d | 17.exea74b19b76c0a76d95e48c2c4d230afa7ac490b2aca3f581d6505f227897df7c2 | 20.exe0cccb9d2e2aeef636d32f487bcfb588b6769428554949db1cd30f9f6a01daa43 | 21.exed1bc4e42d818ff751c97e0c5667d03097a7e99f8a98d48bac9ac7394f771346a | 25.exe7fcd05b00d6e37ef765ec10fb23ce9c78114b09b5a99eab957fb65a05df565a7 | 26.exe5c0d8009ca816fc1e5d6c9f9366a678cb947d9ac1e87da76f19103703ce6bb7c | 40.exef5848d197f5fb48fca2b48c54f6a26ff6a84e3576d16dccdece135edd8b7a9e9 | 41.exef310c8e3baebbdee8e80a974608451e6c0292c12fc1e3068ed445fe74c42d882 | 55.exef1485e53403de8c654783ce3e0adf754639542e41c2a89b92843ce8ecdeb4646 | 90.exec550a0730c9cf10751a3236ef57fafb5af844bef3874855a215519a9ffcec348 | 91.exe1b583827e4d010bf7ac0e72fca5158bb03cb84c6db93de198d0ba56b990d1a9f | 1122.exe