Antivirus company Symantec has detected a malicious campaign in which hackers managed to deceive thousands of people allegedly signed by a paid proxy service. They expose that hundreds of thousands of users signing up for a cheap and supposedly legitimate proxy service have ended up downloading malware and being ensnared into a botnet.

Three months ago, Symantec researchers started an investigation into a piece of malware called Backdoor.Proxybox that has been known since 2010, but has shown increasing activity recently.

"The malware is Backdoor.Proxybox, and our investigation has revealed an entire black hat operation, giving us interesting information on the operation and size of this botnet, and leading us to information that may identify the actual malware author," Symantec.

The service - ProxyBox - supposedly provides access to its entire list of thousands of proxies for only $40 a month, which is obviously too cheap a price for the provider to break even.

The malware is a Trojan program with rootkit functionality that transforms the computer into a proxy server. The rootkit component uses a novel technique to prevent access to the malware's other files and increase the malware's persistence on the system

However, the most interesting aspect of this attack is how the infected computers are actually used by the attackers. Botnets are one of the main tools used by cybercriminals because they are versatile. They can be used to send email spam, launch distributed denial-of-service attacks, solve CAPTCHA challenges on websites, perform online banking fraud or click fraud and many other activities.

In this particular case, the botnet's operators are using it to power a commercial proxy service called Because they can hide a user's real IP (Internet Protocol) address, proxy servers are commonly used to evade online censorship attempts, bypass region-based content access restrictions or, in many cases, engage in various illegal actions.
The Hacker News

"Command-and-control server monitoring over the last few months has suggested that the botnet controller tries to keep the size around 40,000 active users online at any time. The controller has used several mediums for distribution, including Blackhole Web exploits,"

According to the Proxybox website, for $25 a month, customers can get access to 150 proxy servers from the countries they desire, while for $40 they can get access to an unlimited number of proxies. The service operators promise not to keep any access logs, which makes these servers perfect for criminal use because there will be no logs for authorities to request and review.

Backdoor.Proxybox Step-by-Step Manual Removal Instructions :
Step1. Press CTRL+ALT+DELETE to open the Windows Task Manager. Then stop all processes.
Step2. Click on the Processes tab, search for Trojan Defiler G then right-click it and select End Process key.
Step3. Click Start button and select Run. Type regedit into the box and click OK to proceed. Once the Registry Editor is open, search for the registry keys and Delete them.
Step4. Search for infected files and delete it manually.

Associated files and registry entries that need to be removed are list as followings:
  • %CommonAppData%\.random
  • %Temp%\random.tlb
  • %System%\drivers\random.sys
  • %System%\random.exe
  • %System%\random.dll
  • %Windows%\system32\[random].exe
  • C:\Users\[User Name]\AppData\Roaming\[random]
  • c:\Users\[User Name]\AppData\Local\Temp\[random]
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_19AB4\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_74BA50F462E26657
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_74BA50F462E26657\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\74ba50f462e26657
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_19AB4\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_74BA50F462E26657
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_74BA50F462E26657\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\74ba50f462e26657
Manual removal is the most effective and thoroughly way to get rid of this annoying threat Backdoor.Proxybox if you possess good knowledge of computer.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.