Softpedia
October 9th, 2012, 07:43 GMT · By

Experts Analyze Backdoor.Proxybox Malware, Attempt to Identify Mastermind

proxybox.name is utilized to sell access to the botnet
Each year hundreds of thousands of Internet users fall victim to the Backdoor.Proxybox malware. That is why Symantec experts have decided to thoroughly investigate the operation and the botnet that powers it.

They have found that although the Russian Proxybox service (proxybox.name) appears to be a legitimate proxy service, in reality, it hides a massive malicious campaign.

One of the first clues to the service’s true purpose was that Proxybox offered access to its entire list of proxies, which numbers in the thousands, for a measly $40 (31 EUR) per month; no legitimate provider can supply that many proxies at that price.

An advertisement for the proxy service tied it to three other websites specializing in proxies and malware distribution, all apparently operated by the same Russian cybercriminal.

The connection between the sites - vpnlab.ru, avcheck.ru, proxybox.name and whoer.net – is represented by static cross-linking advertisements, the same ICQ support number, and the same types of payment gateways.

After analyzing these payment accounts, researchers were led to a Ukrainian individual residing in Russia. For now, Symantec hasn’t provided any other details on the hacker’s identity because law enforcement is currently investigating the case.
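The kind of pivot described above, linking sites through shared operator indicators (cross-linking ads, a common ICQ support number, the same payment gateways), can be expressed as a small graph-clustering step. The script below is an added example, not Symantec's tooling; the four domain names come from the article, but the ICQ number, gateway names and link targets are constructed placeholders. It deliberately requires two independent indicator kinds before treating two sites as connected, because a single shared payment gateway is weak evidence that many unrelated sites would also satisfy.

```python
"""Cluster domains into likely same-operator groups from shared indicators.

Added example, not Symantec's code. The indicator values are constructed
placeholders; only the four domain names are taken from the article.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample data: one record per site with the indicators observed on it.
# ICQ numbers, gateway names and link targets are placeholders, not real values.
SITES = {
    "proxybox.name": {"icq": "111111", "gateways": {"gw-a", "gw-b"},
                      "links_to": {"vpnlab.ru", "whoer.net"}},
    "vpnlab.ru":     {"icq": "111111", "gateways": {"gw-a"},
                      "links_to": {"proxybox.name"}},
    "avcheck.ru":    {"icq": "111111", "gateways": {"gw-b"},
                      "links_to": set()},
    "whoer.net":     {"icq": "222222", "gateways": {"gw-a", "gw-b"},
                      "links_to": {"proxybox.name"}},
    "unrelated.example": {"icq": "333333", "gateways": {"gw-c"},
                          "links_to": set()},
}

# Require this many distinct indicator kinds before linking two sites.
# One shared gateway alone (think of a mainstream payment processor) proves little.
MIN_KINDS = 2


def shared_indicators(a, b, sites=SITES):
    """Return the kinds of indicator that sites a and b have in common."""
    sa, sb = sites[a], sites[b]
    kinds = []
    if sa["icq"] == sb["icq"]:
        kinds.append("icq")
    if sa["gateways"] & sb["gateways"]:
        kinds.append("gateway")
    if b in sa["links_to"] or a in sb["links_to"]:
        kinds.append("cross-link")
    return kinds


def cluster_sites(sites=SITES, min_kinds=MIN_KINDS):
    """Union-find over site pairs that share at least min_kinds indicator kinds.

    Returns clusters as sorted lists of domains, sorted for deterministic output.
    """
    parent = {s: s for s in sites}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x, y):
        parent[find(x)] = find(y)

    for a, b in combinations(sorted(sites), 2):
        if len(shared_indicators(a, b, sites)) >= min_kinds:
            union(a, b)

    groups = defaultdict(list)
    for s in sites:
        groups[find(s)].append(s)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster_sites():
        print(group)
    # Show why two members ended up together: corroborating evidence per pair.
    for a, b in combinations(sorted(SITES), 2):
        kinds = shared_indicators(a, b)
        if kinds:
            print(f"{a} <-> {b}: {', '.join(kinds)}")
```

With the constructed data, vpnlab.ru and avcheck.ru share only the ICQ number, so they are not linked directly, but both are linked to proxybox.name by two or three indicator kinds and therefore fall into the same cluster; the unrelated domain stays alone. Raising `min_kinds` to 3 shrinks the cluster to the one pair with all three indicators, which is the knob to tune against false joins when a gateway or ad network is shared widely.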

As far as the actual Backdoor.Proxybox malware is concerned, experts found that the threat – first identified back in 2010 – comprises three main components: a rootkit, a payload and a dropper.

When the victim boots up the infected computer, the payload - responsible for turning the infected machine into a zombie - contacts its command and control server, whose address is hard-coded, and configures itself.

It appears that the controller tries to keep the botnet at a steady size of about 40,000 infected machines. To maintain that size, the malware is pushed through several distribution channels, including BlackHole web exploit kit campaigns.

The proxybox.name website is actually used to sell access to the botnet, the site being advertised on several underground forums specialized in commercializing exploits, malware and other malicious services.

