Use Windows? You might be part of a malicious proxy network
A malware was adding Windows devices to a botnet
Your computer may be part of a major proxy service without you even knowing. To make matters worse, someone out there is getting paid to offer these IP addresses, and the bandwidth, to their customers.
These are the findings of AT&T Alien Labs, published earlier this week. As reported by BleepingComputer, a threat actor created a piece of malware and distributed it through game cracks and other illegal software.
The malware silently downloads and installs a proxy application, without user knowledge or consent. Antivirus programs weren’t flagging the proxy application as malicious, either.
Hundreds of thousands of victims
When the installation is complete, the infected endpoint becomes part of a proxy network which the malware’s operators then sold as a proxy service to its clients and customers. Apparently, more than 400,000 Windows systems were compromised this way.
To make matters worse, the company behind the botnet claims that all of the victims gave their consent, and willingly became part of the proxy infrastructure. However, researchers at Alien Labs beg to differ:
"Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems."
They added, “as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
While we don’t know the name of the threat actors behind the campaign, the researchers said it’s almost identical to an earlier campaign targeting macOS systems. In that campaign, a malware named AdLoad was being distributed.
To double-check whether your device was compromised, AT&T’s researcher says users should look for a “Digital Pulse” executable located at "%AppData%\", or a similar Registry key found in "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\." and remove it.
- These are the best malware removal tools right now
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.