Public Proxy Lists – Tracking Malware Distribution

I’ve basically lost count of the number of people who have asked me about, or ‘suggested’, using public, free proxies for whatever web based project they have in mind. Their justification is usually along the lines of “well, I won’t be using them for anything important like email or banking access”. That is pretty much irrelevant, as the risks are certainly not limited to being stupid enough to log in to your PayPal account. That using a hacked free proxy you stumbled across on some anonymous web page is madness is perhaps well illustrated by this excellent article.

Public open proxy lists have been compiled and published on the Web for over a decade. A simple search for “proxy list” will return hundreds of thousands of results from sites offering “anonymity” and “privacy” for Web surfers, often as a come-on for paid, “Elite” services. The pages of many of these sites list hundreds of Internet Protocol (IP) addresses and port numbers of hosts across the world. Individually, these sites represent a nuisance, but collectively they contain a massive amount of data that can be leveraged to ascertain and often predict the spread of certain forms of malware. With simple tools, it is possible to establish a baseline of known proxies, monitor the most active sites, and track the spread of new proxies over time, often with surprising results. A two and a half year study of proxy lists demonstrates that evidence of the Koobface worm appeared in these lists months before press reports of its spread appeared. It is recommended that the security community monitor the valuable information these lists contain.

Source: https://www.sans.org/reading-room/whitepapers/malicious/tracking-malware-public-proxy-lists-33604
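The baseline-and-diff approach the abstract describes, as an added Python example that is not from the SANS paper or this blog: it parses IP:port entries from scraped list pages, records when each proxy first appeared, and flags a snapshot where several never-before-seen hosts turn up on one port. The port-clustering heuristic and the sample snapshots are my own assumptions, not the paper’s findings; the sample addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Matches the "IP:port" entries that public proxy list pages publish.
PROXY_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

def parse_list(text):
    """Extract the set of valid (ip, port) pairs from one scraped list page."""
    found = set()
    for ip, port in PROXY_RE.findall(text):
        if all(int(o) <= 255 for o in ip.split(".")) and 0 < int(port) < 65536:
            found.add((ip, int(port)))
    return found

def track(snapshots):
    """snapshots: list of (date, page_text) in chronological order.
    Returns (first_seen, reports): first_seen maps each proxy to the date it
    first appeared; reports lists, per date, the new entries grouped by port."""
    first_seen = {}
    reports = []
    for date, text in snapshots:
        new = {p for p in parse_list(text) if p not in first_seen}
        for p in new:
            first_seen[p] = date
        by_port = defaultdict(list)
        for ip, port in sorted(new):
            by_port[port].append(ip)
        reports.append((date, dict(by_port)))
    return first_seen, reports

def port_spikes(reports, threshold=3):
    """Ports on which at least `threshold` never-before-seen hosts appeared in a
    single snapshot. A sudden cluster on one port is the kind of anomaly that
    merits a closer look (heuristic assumed here, not taken from the paper)."""
    return [(date, port, len(ips))
            for date, by_port in reports
            for port, ips in by_port.items() if len(ips) >= threshold]

# Constructed sample snapshots (documentation addresses, not real hosts).
SNAPSHOTS = [
    ("2024-01-01", "198.51.100.10:8080 anonymous\n198.51.100.11:3128 elite\n"),
    ("2024-01-08", "198.51.100.10:8080\n198.51.100.11:3128\n203.0.113.5:8080\n"),
    ("2024-01-15", "192.0.2.21:10000\n192.0.2.22:10000\n192.0.2.23:10000\n198.51.100.10:8080\n"),
]

if __name__ == "__main__":
    first_seen, reports = track(SNAPSHOTS)
    for date, by_port in reports:
        print(date, {port: len(ips) for port, ips in by_port.items()})
    print("port spikes:", port_spikes(reports))
```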

One of the common misconceptions about these proxy servers is that the majority are perfectly fine and have simply been accidentally left open by some inexperienced or careless systems administrator. Although there are certainly some of those, there are also a huge number which have been created for a more sinister purpose. Ever since proxies became a valuable commodity, malware authors have been using them as a simple and effective distribution mechanism for their programs.

While people thought they were thwarting a firewall rule or bypassing some acceptable use policy at their school or place of employment, they were often performing another role: distributing the latest malware around their local connections, often giving the software a route into a network from which it was ordinarily blocked. Some of these ‘free proxies’ were even encrypted to enable them to bypass not only firewalls but more advanced content filters too. These people would balk at the idea of paying a few bucks for a safe, private proxy trial, yet recklessly start using an unknown proxy with absolutely no idea of its origins.

In the early days, of course, there were many more ‘innocent’ unsecured, open web proxies around. Many system administrators were learning as they went along when opening up access to the internet. Much of the original web enabled software would automatically install proxies or open up existing ports during installation. Often there was very little warning of this happening, and suddenly your important application server was routing traffic for a myriad of PCs across the planet. The peak time for this was probably from 1998 to 2005, the very early days of internet usage, when loads of us were learning as we went along.

People started to learn that having hundreds of open ports on their servers, accessible over the internet, was probably a bad idea. Increased security awareness and technical competency started to lock these sites down, and there were far fewer open proxies around. You can still, of course, search online and find proxy lists containing hundreds of proxies available completely free of charge. Thousands of people still use them, and malware authors still use them as a handy distribution service for their wares.

The article listed above mentions five basic categories of abuse inflicted using these unsecured proxies. These are as follows:

  • Content Theft – of course, there is a whole host of content just waiting to be siphoned off from unsuspecting users. Many of them are using these ‘proxies’ to add security and will therefore, sadly, be handing over all sorts of usernames and credentials.
  • High Request Rates – proxies are a great tool for breaking into other servers: the perfect base for bandwidth-hungry tactics like brute force attacks on weak passwords. Another favorite is click fraud, generating revenue from false clicks and connections.
  • Anonymity – ironically, these proxies can be used for anonymity if you know what you’re doing. Many of the early open proxies soon expanded to host private FTP (File Transfer Protocol) and IRC (Internet Relay Chat) sites for groups of hackers and identity thieves.
  • Bulk Data Transfers – data stores or hosts for DDoS attacks. An open web proxy is a great tool for implementing all sorts of illegal attacks if you want to hide your connection and implicate someone else.
  • Spam – what better platform for some mass spamming project, which will inevitably lead to IP blacklisting and lots of legal threats.

Read the article above; it’s a fascinating piece of work and better illustrates the risks and roles of these ‘free web proxies’. Many of us here need to use proxies every day, and of course they can end up costing quite a bit if you need them in any sort of number. Those of us who use them to generate income in any way, such as SEO or building a sneaker empire, should consider them a vital business expense. Too many people still don’t understand that the risks of using free proxies are incredibly high, not just to yourself but to the internet in general.

For some decent, well run, fast and secure proxies we recommend finding a supplier you trust and staying well away from these dubious sources. Our favorite proxy companies do change occasionally, but there’s one company that has never let us down –

Rotating Proxies