Search in HRJ Tricks

Related Posts Plugin for WordPress, Blogger...

Friday, October 19, 2012

Russian Web proxy with backdoors, Distributing malware

_originalAntivirus company Symantec has detected a malicious campaign in which hackers managed to deceive thousands of people allegedly signed by a paid proxy service. They expose that hundreds of thousands of users signing up for a cheap and supposedly legitimate proxy service have ended up downloading malware and being ensnared into a botnet...

Three months ago, Symantec researchers started an investigation into a piece of malware called Backdoor.Proxybox that has been known since 2010, but has shown increasing activity recently.

"The malware is Backdoor.Proxybox, and our investigation has revealed an entire black hat operation, giving us interesting information on the operation and size of this botnet, and leading us to information that may identify the actual malware author," Symantec.

The service - ProxyBox - supposedly provides access to its entire list of thousands of proxies for only $40 a month, which is obviously too cheap a price for the provider to break even.

The malware is a Trojan program with rootkit functionality that transforms the computer into a proxy server. The rootkit component uses a novel technique to prevent access to the malware's other files and increase the malware's persistence on the system

However, the most interesting aspect of this attack is how the infected computers are actually used by the attackers. Botnets are one of the main tools used by cybercriminals because they are versatile. They can be used to send email spam, launch distributed denial-of-service attacks, solve CAPTCHA challenges on websites, perform online banking fraud or click fraud and many other activities.

In this particular case, the botnet's operators are using it to power a commercial proxy service called Because they can hide a user's real IP (Internet Protocol) address, proxy servers are commonly used to evade online censorship attempts, bypass region-based content access restrictions or, in many cases, engage in various illegal actions.

"Command-and-control server monitoring over the last few months has suggested that the botnet controller tries to keep the size around 40,000 active users online at any time. The controller has used several mediums for distribution, including Blackhole Web exploits,"

According to the Proxybox website, for $25 a month, customers can get access to 150 proxy servers from the countries they desire, while for $40 they can get access to an unlimited number of proxies. The service operators promise not to keep any access logs, which makes these servers perfect for criminal use because there will be no logs for authorities to request and review.

Backdoor.Proxybox Step-by-Step Manual Removal Instructions : 
Step1. Press CTRL+ALT+DELETE to open the Windows Task Manager. Then stop all processes.
Step2. Click on the Processes tab, search for Trojan Defiler G then right-click it and select End Process key.
Step3. Click Start button and select Run. Type regedit into the box and click OK to proceed. Once the Registry Editor is open, search for the registry keys and Delete them.
Step4. Search for infected files and delete it manually.

Associated files and registry entries that need to be removed are list as followings:
  • %CommonAppData%\.random
  • %Temp%\random.tlb
  • %System%\drivers\random.sys
  • %System%\random.exe
  • %System%\random.dll
  • %Windows%\system32\[random].exe
  • C:\Users\[User Name]\AppData\Roaming\[random]
  • c:\Users\[User Name]\AppData\Local\Temp\[random]
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_19AB4\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_74BA50F462E26657
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_74BA50F462E26657\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\74ba50f462e26657
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_19AB4\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_74BA50F462E26657
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_74BA50F462E26657\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\74ba50f462e26657
Manual removal is the most effective and thoroughly way to get rid of this annoying threat Backdoor.Proxybox if you possess good knowledge of computer.


  1. Woah! I'm really digging the template/theme of this site. It's simple, yet effective.
    A lot of times it's very hard to get that "perfect balance" between usability and appearance. I must say you've done a superb job with this.

    In addition, the blog loads extremely fast for me on Opera.
    Superb Blog!

    Stop by my website tarot reading free online
    my webpage :: you have to see this

  2. The best thing about the Super - Antispyware is that it will not slow dowan the
    processing speed of your computer. 117 (freedom to use, archive, re-sale, and backup).

    SUPERAntti - Spyware: Super - Anti - Spyware is best antimalware
    software that provides optimum protection to
    your computer from the deadly malware infections.

    Alsoo visit my web blog; malware removal windows