Proxyback Malware - A wolf in sheep's clothing 

May 08, 2016 12:00 PM

As discussed in an earlier post (When You Can’t Tell Good From Bad), it is not always possible to categorize IT security threats accurately enough to prevent malware from being injected into an organization. Let’s examine a prime example of how malware can evade categorization and, therefore, detection: malware that silently turns the victim’s machine into a proxy server. 

Malware Proxies
Malware often installs a network proxy on the victim’s machine so that attackers can relay Internet traffic through it: the true origin of the traffic stays hidden, and the attackers can bypass IP-based filtering and reputation mechanisms. The idea of infecting machines in order to use them as open proxies for nefarious activity is not new. As far back as 2007, the well-documented Storm botnet showed how millions of infected hosts were used as proxies to send billions of spam emails without revealing the location of the botnet’s C&C infrastructure. This type of distributed spamming is very difficult to detect because the messages appear to originate from a large number of “innocent” computers and networks. By one estimate, the Storm botnet’s aggregate computing power exceeded that of all of the world’s top supercomputers of the time combined (source: InformationWeek). 

While Storm targeted Windows-based machines, a similar and much more recent example targeted Linux and BSD servers. Although Unix-like servers are generally considered harder to compromise than Windows desktops, these servers were fitted with a backdoor that turned each infected host into a zombie relay for spam email. Dubbed Mumblehard by the ESET researchers who published their analysis in April 2015, this Trojan-based botnet had operated undetected for over five years (source: Linux Journal).

ProxyBack – The Latest Generation of Malware Proxies
One of the challenges faced by attackers who want to use illegitimate proxy servers is that most corporate firewalls (and other network-based defenses) block unsolicited inbound connections, which a C&C server would otherwise use to push operational instructions and content to the zombie proxies. 

In December 2015, security researchers at Palo Alto Networks discovered a botnet, dubbed ProxyBack, that uses more advanced malware running on infected machines behind corporate firewalls. Present in the wild since as far back as March 2014, this malware circumvents firewall defenses by having the infected host initiate the TCP connection to the C&C server (source: Palo Alto Networks). Because these are outbound connections that look to the firewall like standard, legitimate HTTP traffic, they are a wolf in sheep’s clothing: the firewall permits the initial connection and then lets the subsequent bi-directional traffic flow unimpeded. Once the outbound connection to the external server is established, the roles reverse: the C&C server sends commands over the already-open connection, and the client becomes a proxy acting on the server’s behalf. ProxyBack thus enables its zombies to receive their instructions and to send their nefarious network traffic out of the corporate network unhindered. 

It is important to note that a network firewall is of little use in this situation: its core control, enforcing which side may initiate a connection, is satisfied because the connection was opened in the permitted direction, so the firewall has no network-layer basis for distinguishing the relay from ordinary browsing. (As the Palo Alto Networks researchers note, this particular ProxyBack sample is now easy to detect because it sends “pb” as its User-Agent header string instead of a standard browser User-Agent, but that is a trivial loophole for the attackers to close.) 
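To make the point concrete, here is an added example (not code from the original post or from Palo Alto Networks) of how a proxy or egress log might be checked for ProxyBack-style relays. The log format, the sample lines and the behavioral thresholds are all constructed for illustration; the only fact taken from the research is the “pb” User-Agent string. The example checks each connection in two ways: the indicator-based rule that matches the “pb” User-Agent, and a behavioral rule that flags a long-lived connection in which the client pushes far more data than it pulls, which is how a relay behaves and a browser normally does not. The sample log includes a connection where the attacker has already swapped in a Chrome User-Agent: the indicator rule misses it, the behavioral rule still catches it.

```python
"""Flag outbound HTTP connections that do not behave like a real browser.

Added example. The log layout, the sample lines and the thresholds below are
constructed assumptions, not the format of any real product.
"""
import re
from dataclasses import dataclass

# Constructed egress log, one connection per line:
# timestamp src_ip dst_ip:port method uri bytes_out bytes_in duration_s "user_agent"
SAMPLE_LOG = """\
2016-05-08T09:00:01Z 10.1.2.5 203.0.113.10:80 GET /index.html 812 45231 2 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36"
2016-05-08T09:00:07Z 10.1.2.9 198.51.100.7:80 GET /check 310 4096 3 "pb"
2016-05-08T09:01:15Z 10.1.2.9 198.51.100.7:80 POST /relay 9871234 87211 1794 "pb"
2016-05-08T09:02:40Z 10.1.2.14 198.51.100.7:80 POST /relay 7420000 65000 1650 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36"
2016-05-08T09:03:02Z 10.1.2.5 203.0.113.44:80 POST /upload 2400000 1200 40 "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<uri>\S+) '
    r'(?P<out>\d+) (?P<in>\d+) (?P<dur>\d+) "(?P<ua>.*)"$'
)


@dataclass
class Conn:
    ts: str
    src: str
    dst: str
    method: str
    uri: str
    bytes_out: int      # bytes the internal client sent to the external host
    bytes_in: int       # bytes the internal client received
    duration: int       # connection lifetime in seconds
    user_agent: str


def parse_log(text):
    """Parse the constructed log format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        conns.append(Conn(m["ts"], m["src"], m["dst"], m["method"], m["uri"],
                          int(m["out"]), int(m["in"]), int(m["dur"]), m["ua"]))
    return conns


# Indicator from the Palo Alto Networks analysis: the sample sends "pb" as its User-Agent.
PROXYBACK_UA = "pb"

# Assumed thresholds for the behavioral rule; tune against your own traffic.
RELAY_MIN_DURATION = 600   # seconds: browsers rarely hold one request open this long
RELAY_OUT_IN_RATIO = 10    # a relay pushes far more upstream than it pulls back


def known_proxyback_ua(c):
    """Exact match on the published indicator. Trivial for the attacker to change."""
    return c.user_agent == PROXYBACK_UA


def non_browser_ua(c):
    """Generic sanity check: mainstream browsers send a User-Agent starting with Mozilla/."""
    return not c.user_agent.startswith("Mozilla/")


def looks_like_relay(c):
    """Behavioral check that does not depend on the User-Agent at all."""
    return (c.duration >= RELAY_MIN_DURATION
            and c.bytes_out > RELAY_OUT_IN_RATIO * max(c.bytes_in, 1))


RULES = {
    "known_proxyback_ua": known_proxyback_ua,
    "non_browser_ua": non_browser_ua,
    "looks_like_relay": looks_like_relay,
}


def analyze(text):
    """Return (src, dst, [rule names]) for every connection that trips at least one rule."""
    findings = []
    for c in parse_log(text):
        hits = [name for name, rule in RULES.items() if rule(c)]
        if hits:
            findings.append((c.src, c.dst, hits))
    return findings


if __name__ == "__main__":
    for src, dst, hits in analyze(SAMPLE_LOG):
        print(f"{src} -> {dst}: {', '.join(hits)}")
```

Note what each rule does and does not catch: the connection from 10.1.2.14 carries a perfectly ordinary Chrome User-Agent and passes both header checks, but a 27-minute connection that uploads a hundred times more than it downloads is not what a browser does, so the behavioral rule still fires. Conversely, the 40-second Firefox upload has an even more lopsided byte ratio but falls under the duration threshold and is left alone; thresholds like these are a trade-off you will have to tune, which is exactly why the post argues for validating at the application layer that a real browser is on the other end.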

Isolation is the Solution to Proxy Server Attacks
Firewalls and other network-layer defenses (such as proxy servers) struggle to differentiate traffic from a normal Web browser from malicious, proxy-originated traffic unless the traffic’s destination is already known to be malicious. In other words, malware detection by categorization is not foolproof. To complement and enhance categorization, Symantec offers real-time intelligence and risk-rating capabilities. However, millions of new URLs are created daily and live for only 24 hours; these URLs cannot be categorized effectively because they have no meaningful history. While some short-lived sites are legitimate, cyber criminals often use these “one-day wonder” dynamic domains to bypass advanced malware detection methods.

To enhance their malware detection, enterprises can deploy Web Isolation, which prevents malware from uncategorized and known-risky sites from reaching target machines and goes beyond the network layer into the application layer, validating that outbound Web traffic originates from a real Web browser driven by a real user. For details on Symantec Web Isolation, download our data sheet.
