Researchers have uncovered a massive malware campaign that has created a botnet out of 400,000 infected machines.
According to AT&T’s cyber security blog, malware writers are taking advantage of what appears to be a paid, opt-in proxy service, but without the opt-in part.
The malware is validly signed, so it slips past antivirus protection, and it suppresses the usual pop-up asking users whether they wish to proceed with installation. The proxies are also being delivered by a raft of different malware families and are probably spread to users looking for cracked versions of games and popular software.
“After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application,” said researchers at AT&T’s Alien Labs. “This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements.”
The set-up file creates two executables, one to communicate with the proxy’s command and control infrastructure and another to check for and download updated proxy applications. Persistence is maintained by creating a registry key and a scheduled task in Windows.
The proxy itself gathers a large amount of unique data from the host machine, including the list of running processes and CPU usage.
What’s particularly troubling is that the paid service is making money from traffic moving through the proxy network.
“The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics,” said the Alien Labs team in a blog post.
“These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorised financial gains.”