Proxy Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Thu, 12 Sep 2024 09:38:04 +0000

Stopabit Virus
https://gridinsoft.com/blogs/stopabit-virus/
Published: Tue, 02 Jul 2024 15:29:26 +0000

Stopabit is an unwanted application with almost no useful functionality. It is promoted as a useful tool for screen time control, but its actual purpose is exploiting the system’s bandwidth. This may lead to connectivity issues and illicit traffic being routed through the system.

Such applications are commonly distributed through software bundling, meaning they are installed alongside pirated software, game mods and similar programs from questionable sources.

Stopabit Virus Overview

Stopabit is malicious software that appears as a process in the Windows Task Manager. It falls into the Potentially Unwanted Applications (PUAs) category and works as proxyware. This means that Stopabit can route third-party traffic through the system it is active on. Aside from this, it pretends to be a convenient tool for scheduling short breaks in your PC usage, presumably to take care of your eyes.

Image: Window of the Stopabit app

The key danger of proxyware is the unauthorized use of the system’s bandwidth. During installation, Stopabit states that it monetizes through the Globalhop SDK. The latter looks legitimate only on the surface: as numerous analyses from well-known security vendors show, this SDK has repeatedly been used to route illegal traffic. Since gray proxy services are rather popular on the Darknet, it is easy to guess where this traffic comes from.

Like other proxyware apps, Stopabit mainly gets onto user devices through pirated software and similar illegal programs such as keygens and activators. Sometimes it infiltrates systems through fake versions of mods for popular games.

Stopabit Runtime Analysis

To understand how Stopabit works, let’s go through each step of its actions by analyzing one of its samples. Immediately after installation, it shows a tray notification offering to start using the tool.

Image: Stopabit notification

The interface of the program is pretty ascetic, to say the least. There is only one panel with possible actions; the rest of what is available from the tray is just the EULA, some basic settings and program info. Thing is – all these functions are already present in Windows, as part of the Focus app.

The main component of Stopabit, though, is its proxyware module. It starts together with the program and appears to have its own persistence settings. Even when you stop the program from the tray, the corresponding process in the Task Manager keeps running. This means proxy connections keep operating until you remove the program completely.

Image: Stopabit is still present in the Task Manager after being stopped from the system tray

System Reconnaissance

Stopabit tries to gather detailed information about the system by interacting with the Windows Registry, querying running processes, and reading various system configuration settings. It also collects information on installed software, including software policies and the cryptographic machine GUID, as well as the OS version, system information, environment variables, disk size, system language, geographical location and time zone.

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles
HKCU\Software\Classes\Local
HKCU\Software\Classes\Local Settings\MuiCache\1F4\52C64B7E\LanguageList

The registry keys include interface and language preferences, application settings, internet connection, session and recovery details, installed applications, internet settings, security certificates, Windows settings, registry values, and security policies.

It also tries to detect virtual machines, to hinder analysis, by checking this value:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles

This registry key is related to color management in Windows. Based on the response it receives, the malware decides whether it is running in a virtualized environment.

C2 connection

The malware uses secure web protocols (HTTPS) to communicate with its command and control server. This makes detecting the malicious traffic exceptionally hard, since its encrypted contents cannot be matched against specific patterns. It also transmits data over the following non-standard ports, another anti-detection and anti-sniffing feature. All the possible C2 servers are hardcoded into the sample, probably at compile time.

Image: One of the HTTP GET requests sent by the Stopabit virus

track.stopabit.com/v1/?c=381B2D6D-3DF2-41A2-8798-9AD14FB5F586&i=ba6361541ad79f7d5bb94c8f8cec972d&e=preinstall&n=Stopabit&v=1.0.2.0
128.140.126.44:32069 (UDP)
a83f:8110:0:0:1400:1400:2800:3800:53 (UDP)
a83f:8110:2800:0:2800:0:1800:0:53 (UDP)
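The beacon above, turned into detection logic as an added example that is not part of the original post: it flags requests to the tracker host in web-proxy log lines, decodes the query fields when the full URL is logged, and still catches hosts seen only by hostname (CONNECT or SNI records). The log lines are constructed and the meaning assigned to the query parameters is an interpretation, as the comments note.

```python
"""Flag and decode the Stopabit install beacon in web-proxy logs.

Added example; assumes the proxy records the full request URL (TLS-inspecting
proxy) or at least the destination hostname (CONNECT / SNI / DNS log).
"""
from urllib.parse import parse_qs, urlsplit

BEACON_HOST = "track.stopabit.com"   # host of the GET request shown in the post
BEACON_PATH = "/v1/"

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
# The first URL reproduces the request captured in the post; the others are made up.
SAMPLE_LOG = """\
2024-07-02T15:29:26Z 10.0.0.15 GET https://track.stopabit.com/v1/?c=381B2D6D-3DF2-41A2-8798-9AD14FB5F586&i=ba6361541ad79f7d5bb94c8f8cec972d&e=preinstall&n=Stopabit&v=1.0.2.0 200
2024-07-02T15:30:01Z 10.0.0.15 GET https://www.example.org/index.html 200
2024-07-02T15:31:10Z 10.0.0.22 CONNECT track.stopabit.com:443 200
"""


def parse_beacon(url):
    """Return the beacon's query fields if `url` points at the Stopabit tracker, else None.

    Parameter meanings are an interpretation, not stated in the post:
    e = event stage ("preinstall" in the captured request), n = product name,
    v = product version; c and i look like per-client / per-install identifiers.
    Fields missing from the log (host-only records) come back as empty strings.
    """
    if "://" not in url:                      # bare host[:port] from a CONNECT or SNI log
        url = "https://" + url
    parts = urlsplit(url)
    if parts.hostname != BEACON_HOST:
        return None
    query = parse_qs(parts.query) if parts.path == BEACON_PATH else {}
    return {key: query.get(key, [""])[0] for key in ("c", "i", "e", "n", "v")}


def find_beacons(log_text):
    """Scan whitespace-separated proxy log lines and return one record per beacon."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                          # malformed or truncated line
        timestamp, client, method, url, status = fields[:5]
        beacon = parse_beacon(url)
        if beacon is not None:
            beacon.update(timestamp=timestamp, client=client, method=method, status=status)
            hits.append(beacon)
    return hits


def affected_clients(log_text):
    """Map each internal client that beaconed to the sorted event stages seen for it."""
    clients = {}
    for hit in find_beacons(log_text):
        clients.setdefault(hit["client"], set()).add(hit["e"] or "<host-only>")
    return {client: sorted(events) for client, events in sorted(clients.items())}


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
    print(affected_clients(SAMPLE_LOG))
```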

How To Remove Stopabit?

Removing Stopabit almost always requires anti-malware software. GridinSoft Anti-Malware is a great solution to remove Stopabit and other malware in a few clicks. Manual removal is barely possible, since this application creates numerous backup copies across the disk that restore the threat. This tool will find and delete them all at once.

Image: GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Image: Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

Image: Removal finished

The post Stopabit Virus appeared first on Gridinsoft Blog.

Taskbarify Unwanted Application
https://gridinsoft.com/blogs/taskbarify-explained-removal/
Published: Tue, 19 Mar 2024 14:39:37 +0000

Taskbarify is unwanted software (like Movidown) that claims to be a tiny little Windows tweaker. However, it also turns the device into a proxy server without the user’s knowledge. Let me show you what is so dangerous about this utility, and how to remove it.

What is Taskbarify?

Taskbarify is a Windows utility classified as a Potentially Unwanted Application (PUA). As for functionality, officially this program has one function – changing the appearance of the taskbar. Taskbarify has an “official” website, but most users acquire it unintentionally. The main ways this app reaches users’ systems are bundling with pirated software and promotion through suspicious banners. This creates one more risk: the appearance of this app may be a sign of numerous other unwanted apps running in the background.

The main reason for Taskbarify’s categorization as an unwanted program is its proxyware module. In other words, it can use the bandwidth of the victim’s Internet connection to provide proxy server services. This enables the app to intercept network requests, potentially compromising privacy and security. Together with the complicated uninstallation, all this creates a halo of ill fame around the program.

Why is Taskbarify unwanted?

Let’s take a closer look at how this thing works. The official website claims the app is clean as a tear, has no hidden functions, and does not load the system.

Image: App description on the official website

However, the license agreement says otherwise. The text states that the program can act as a proxy and use your device’s resources through the Globalhop SDK. Moreover, this SDK is included in the application installation by default, without a separate prompt explicitly disclosing its use and its impact on the user’s system.

Image: The license agreement

The functionality of the app itself is… questionable. Visually, Taskbarify adds transparency to the taskbar, which enhances its look, but that’s it. The promised “spyware uncovering” or “full control” are pretty hard to witness, to be honest. Also, the built-in description (see the screenshots below) lies about the program being available in all regions: by setting my VPN region to Moldova, I managed to make it return a “something went wrong” error.

Suspicious Behavior

The first problem is that the app does not obtain user consent for using traffic. Sharing internet resources this way weakens the user’s security posture. Taskbarify reads system certificate settings, security settings of web browsers, and Windows trust settings. The app does not display an explicit notification about the potential security risks of sharing the network connection when it is installed.

Aside from the privacy risks associated with proxyware, the activity of such a module itself may cause issues with bandwidth and system performance. For weak devices, a constant traffic flow may take quite a bit of CPU time, leading to the rest of the applications being laggy and unresponsive. Also, the sheer volume of traffic used by proxyware can turn into significant financial losses for the users of metered connections.

Impossible to Close

Another red flag is the pseudo-closing of the application. If the user finds the application icon in the tray, right-clicks it and selects “Quit”, the application disappears. However, by opening the Task Manager, you can see it running in the background without the tray shortcut. This means the application stops its “core functionality” of modifying the taskbar but continues running as a proxy server in the background.

Image: Absent in the tray, but still present in Task Manager

Difficulties With Removal

Unlike most programs, which are usually installed in “C:\Program Files\”, Taskbarify’s default installation folder is “%AppData%\Local\Programs\”. Since this directory is hidden by default, this virtually rules out manual removal by the average PC user. Moreover, some users have trouble uninstalling Taskbarify with the built-in uninstaller, which indicates that the application tries to resist removal or restore itself.

Image: Some difficulties with uninstalling Taskbarify

How To Remove Taskbarify?

It is possible to uninstall Taskbarify manually, but tricky installers may cause problems and revert the uninstallation. Also, as I’ve mentioned in the introduction, this app often comes as a part of a software bundle, and is installed along with numerous other unwanted programs. To get rid of all this in just a couple of clicks, I recommend using GridinSoft Anti-Malware.


A Standard scan will be enough. The GridinSoft program will check the entire system volume, which is where all the unwanted programs typically reside. Give it time to finish, and your system will be as good as new.

The post Taskbarify Unwanted Application appeared first on Gridinsoft Blog.

Socks5Systemz Proxy Service Infects 10,000 Systems Worldwide
https://gridinsoft.com/blogs/socks5systemz-proxy-service/
Published: Tue, 07 Nov 2023 20:44:39 +0000

A proxy botnet, “Socks5Systemz”, uses malware loaders to infiltrate computers across the globe. Attackers have infected about 10,000 devices and organized a full-fledged proxy service based on it.

Socks5Systemz Dropper Malware Overview

A recent analysis from Bitsight has revealed the existence of a new malware sample called the Socks5Systemz proxy botnet. Although it has been active since 2016, it has remained unnoticed until now. The primary aim of this malware is to convert the infected devices into traffic-forwarding proxies, enabling malicious, illegal, or anonymous activities.

Threat actors can access this covert service by paying between $1 and $140 in cryptocurrency. Depending on the sum, the malware developers offer wider functionality to the user. The Socks5Systemz botnet is typically spread through malware such as PrivateLoader and Amadey, which are commonly propagated through phishing, exploit kits, and malware downloaded from P2P networks.

How does Socks5Systemz Work?

The Proxy Bot Analysis report describes a harmful computer program about 300 KB in size. It creates a specific ID based on the date of the Windows directory on the computer it infects. When it is first run, it saves the current time, downloads a PDF file from a particular website, and saves it to the computer. It then tries to find a way to communicate with a C2 server, which is controlled by the person who created the bot.

If it can’t connect through the method it tries first, it sends an HTTP request to a specific website asking for the IP address of a valid C2 server. Once it connects to a valid C2 server, it can execute various commands, including “idle,” “connect,” “disconnect,” “updips,” and “upduris.” The “connect” command is vital because it allows the bot to become part of a group of available proxies that can be used to forward traffic on behalf of clients.

Expanding the Proxy Network

Experts have mapped a control infrastructure that includes 53 proxy bots, backconnect, DNS, and address acquisition servers. These servers are mainly spread across European countries, such as France, the Netherlands, Sweden, and Bulgaria. Since October, analysts have discovered 10,000 unique communication attempts via port 1074/TCP with the identified backconnect servers, which indicates that there are approximately 10,000 victims.

Overall, the Socks5Systemz proxy botnet has a worldwide impact, with infections observed across the globe. The highest number of infections has been reported in India, the United States, Brazil, Colombia, South Africa, Argentina, and Nigeria. However, the absence of infected systems communicating with backconnect servers in Russia, combined with other clues uncovered during the research, suggests that the operators of this service may be based in Russia.

The Proxy Service

An investigation into the botnet infrastructure revealed a Telegram user named “boost” who shared a screenshot of an account checker tool using the IP addresses of backconnect servers as proxies. This discovery showed that “boost” sells compromised accounts and access to the proxies.
Using a Telegram bot called “BoostyProxy,” “boost” established a complete proxy service. The service offers two subscription options: “Standard” and “VIP.”

Image: Telegram bot to buy proxy

The Standard subscription permits using a single proxy type with no multithreading, while the VIP subscription offers more flexibility, supporting various proxy types (socks4, socks5, and HTTP) and multiple threads. Here are the pricing options for both subscription tiers: Standard starts from $1 for one day with Single Thread and ends at $28 for three months. VIP starts from $22 for one day with 100 Threads and ends at $4000 for three months with 5000 threads. All payments are made using cryptocurrency through the Cryptomus Crypto Payment Gateway.

Protection Against Botnets

The discovery of the Socks5Systemz proxy botnet highlights the ongoing danger that cybercriminals pose to the digital world. This botnet can harm individuals and an entire network of compromised systems, aiding in various types of cybercrime. To keep your systems and network safe from the Socks5Systemz proxy botnet and other similar threats, follow these steps:

  • Use Endpoint Security. Install updated antivirus and anti-malware software to detect and prevent threats.
  • Keep Software Up to Date. Regularly update your operating systems and software applications to patch any vulnerabilities that can be exploited.
  • Boost Network Security. Use intrusion detection and prevention systems to monitor network traffic for suspicious activity. Implement firewalls to prevent unauthorized access to your network and critical assets. Use network segmentation to limit lateral movement within the network in case of a breach.
  • Educate Employees. Teach your employees the risks of clicking suspicious links and downloading attachments from unknown sources. Encourage them to use strong and unique passwords and enable two-factor authentication.
  • Use Email Filtering. Implement email filtering and phishing detection solutions to block malicious emails. Train employees to recognize phishing attempts and avoid clicking on harmful links.
  • Perform Regular Data Backups. Back up your data regularly and store it in a secure, isolated environment. Test these procedures to ensure data can be restored quickly in case of an incident.
  • Monitor Network Activity. Continuously monitor your network for any unusual activity or connections that may indicate a compromise.
  • Stay Informed. Subscribe to threat intelligence services to stay informed about emerging threats.

The post Socks5Systemz Proxy Service Infects 10,000 Systems Worldwide appeared first on Gridinsoft Blog.

Botnet of 400,000 Devices Used as Proxy Nodes Uncovered
https://gridinsoft.com/blogs/botnet-of-400000-devices-proxy/
Published: Tue, 22 Aug 2023 13:47:44 +0000

Cybercriminals used stealthy malware to create a botnet of 400,000 proxy servers. Although the company providing the proxy services claims that users voluntarily provided their devices, experts believe otherwise.

A botnet of 400,000 proxy servers

Cybersecurity researchers recently discovered a botnet with more than 400,000 existing proxy nodes. At first glance, the attackers appear to be a legitimate company that offers proxy services. However, crooks and honesty are incompatible, as the researchers have proven once again: the attackers covertly install malware that adds proxy capabilities to the infected device.

Image: Proxy installation process (source: AT&T)

During the installation of the proxy client, the malware sends specific parameters to the command and control server. It continuously collects information about the infected system, such as running processes, CPU usage, RAM usage, and battery status. This is done to optimize performance and responsiveness. This is not the only case involving the detected payload, either: researchers also tie this service to the AdLoad malware family, which targets macOS. Cross-platform malware is a rare sight, but thanks to the choice of Golang as the programming language, it is possible for this tricky proxy.

Legal on Paper, But Actually Illegal

As I wrote above, scammers illegally distribute software that turns the victim’s device into a proxy server. However, things are not so clear-cut here. Although the site states that users provide their devices voluntarily, no notifications or windows are displayed to the user to accept or decline. Nevertheless, the organization that offers resident proxy services is legitimate, and the application has a valid digital signature. Consequently, Windows antivirus tools do not react to it in any way.

Image: VirusTotal analysis results (1 detection from 71 vendors)

On the other hand, macOS detects samples of this software most of the time. In addition, the site that provides proxy services rewards users who have provided their device as a proxy server. But since the attackers organize the entire process, they get all the profits. It is not surprising that they did not pass up such a scheme.

Spreading methods and impact

Spreading methods are another slippery point here. As I mentioned above, the software part that makes the infected system act as a proxy node is inside the client installation file. Run it, and your system becomes yet another node of this 400,000-device botnet. But trojanized installers are not the whole story.

The attackers know many people disable their antivirus software when downloading and installing pirated software. So, by this action, people essentially give the attackers a green light to install malware on their computers. Cracked software can be downloaded from various sources, including torrent websites, file-sharing sites, and even legitimate software download sites. The malware is often hidden in the software installer or in the cracks or keygens that are used to activate pirated software. Apart from pirate sites, the primary source of this malware is advertising. Sometimes unscrupulous authors of freeware programs accidentally or intentionally allow their product to be used as a delivery method.

How to Avoid Sketchy Proxies & Malware?

Stay away from using p2p software sharing sites. Torrent trackers are a breeding ground for malware. If you think that repack authors are selfless, you’re mistaken. If you want to avoid consciously paying the application developer for his labor, you will have to pay the repacker unknowingly. However, the price is too high and can range from leaking your data to irretrievably wiping all your information. So, avoid downloading pirated software and running executables from untrustworthy sources.

To protect your privacy, it is essential to use only reputable proxy servers with trustworthy offers. Here are some tips for choosing a reputable proxy server:

  • Read reviews from other users. This is a great way to get an idea of the quality of service you can expect from a particular proxy server provider.
  • Ensure the proxy server provider has a good reputation. You can check this by reading online reviews or looking for accreditations from reputable organizations.
  • Ask about the proxy server provider’s security features. Make sure they offer features like encryption and authentication to protect your data.
  • Only use proxy servers that are paid for. Free proxy servers are often unreliable and can be used to steal your data.

Use anti-malware software as a preventive measure. Crooks can use malware to steal your personal information, track your online activity, or take control of your computer and join it to the botnet. Reliable anti-malware software can detect and remove malware before it can harm your computer.

Mitigation

The main signs of proxyware infection are Internet speed degradation and frequent communication with unknown IPs or domains. You should remove the “Digital Pulse” executable found in “%AppData%\”, the Registry key under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\”, and the scheduled task called “DigitalPulseUpdateTask”. That is it when it comes to removing this threat, but I’d recommend protecting yourself against further cases as well.

The post Botnet of 400,000 Devices Used as Proxy Nodes Uncovered appeared first on Gridinsoft Blog.

Proxyjacking: The Latest Cybercriminal Invention In Action
https://gridinsoft.com/blogs/what-is-proxyjacking/
Published: Fri, 07 Jul 2023 11:51:19 +0000

Today, in the constantly changing world of cyber threats, attackers always look for new ways to get more benefits with less effort. Recently, researchers found an example of this and called it proxyjacking for profit.

What is proxyjacking?

Proxyjacking is an attacker’s illegal use of a victim’s bandwidth for its own good. The closest related process to proxyjacking is called cryptojacking. It involves an attacker illegally using the victim’s device power to mine cryptocurrency. There is nothing new under the sun, and although proxyjacking has been around for some time, it is only now that attackers have begun to use it so brazenly for profit.

First of all, cybercriminals can use proxy servers to cover their tracks: routing malicious traffic through multiple peer-to-peer nodes before it reaches its final destination makes it difficult to trace illicit actions back to their origin. Experts have found that financially motivated criminals actively attack vulnerable SSH servers. They aim to discreetly turn them into a proxy network, which they then rent out to other criminals. Because proxyjacking has little or no effect on overall system stability and usage, it is harder to detect.

Diving into details

Experts discovered these attacks on June 8, 2023, after hackers established multiple SSH connections to honeypots managed by the Security Intelligence Response Team (SIRT). By connecting to one of the vulnerable SSH servers, the hackers deployed a Base64-encoded Bash script that added the hacked systems to Honeygain or Peer2Profit. The script also deployed a container, downloading Peer2Profit or Honeygain Docker images and eliminating competitors’ containers, if any were found. In addition, researchers found cryptojacking miners, exploits, and hacking tools on the compromised server that was used to store the malicious script. In other words, the attackers either switched to proxyjacking or used it to generate additional passive income. Now we’ll explain in detail how it happened.

1. Penetration

By controlling a honeypot, experts could monitor the actions of attackers who used encoded Bash scripts. The attackers utilized a double Base64-encoding technique to obscure their activities. However, the researchers successfully decoded the script and gained insight into the attacker’s proxyjacking methods. Through careful analysis, they could understand the attacker’s intended operations.

Image: Implementation scheme

2. Deploying

Thus, the compromised system turns into a node in the Peer2Profit proxy network, using the account specified by $PACCT as the affiliate that benefits from the shared bandwidth. The same was discovered for a Honeygain installation shortly after. The script is designed to be discreet and sturdy, attempting to operate regardless of the software installed on the host system. It begins by defining a few functions for later use, including a basic curl implementation. This is then used within the second function to download an actual curl binary (hosted on the distribution server as “csdark.css”). If curl is not present on the victim host, the attacker downloads it on their behalf, as it is required for this scheme to work.

3. File analysis

The analysis shows it’s a basic curl build without significant modifications. It may have additional features, but there is no evidence of harmful ones. However, being able to trace where the artifact came from shows it was part of a proxyjacking scheme, which emphasizes the importance of identifying all unusual artifacts. Next, the attacker creates a function that moves to a writable and executable location. If no appropriate directory is found, the executable terminates.

Image: VirusTotal analysis result

4. Eliminating competitors

The script has a final function that sets up the bot. However, this function is commented out in the main script and replaced with possibly more effective code. Most of the action happens in the rest of the code, with some parts redacted. The script starts by checking if its container is already running and then proceeds to kill any rival containers that are also sharing bandwidth. This process is repeated to ensure that no other rival containers are running.
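The layered encoding from step 1 and the container steps 2–4, as an added analyst triage example that is not from the researchers’ report: it peels nested Base64 layers with explicit stop conditions, then scans the recovered plaintext for the two service names and the docker verbs such a script uses. The inner script, the image name and the indicator list are constructed for the demonstration.

```python
"""Peel layered Base64 and look for proxyjacking indicators in the result.

Added triage example; the indicator list and the sample script are constructed
for the demonstration and are not the artifacts from the incident.
"""
import base64
import binascii
import re
import string

# Bandwidth-sharing services named in the post; matched case-insensitively.
PROXY_SERVICES = ("peer2profit", "honeygain")
# Docker verbs such installers use: pull/run to deploy, kill/rm/stop to remove rivals.
DOCKER_ACTION = re.compile(r"\bdocker\s+(pull|run|kill|rm|stop)\b", re.IGNORECASE)
_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_PRINTABLE = set(string.printable.encode("ascii"))


def looks_like_base64(text):
    """Cheap syntactic check: Base64 alphabet only, sane padding, length multiple of 4."""
    compact = "".join(text.split())
    return bool(compact) and len(compact) % 4 == 0 and _B64_ALPHABET.fullmatch(compact) is not None


def mostly_printable(data, threshold=0.95):
    """True when the decoded bytes are plausibly text rather than binary noise."""
    return bool(data) and sum(b in _PRINTABLE for b in data) / len(data) >= threshold


def peel_base64(blob, max_layers=8):
    """Decode Base64 repeatedly until the result stops looking like Base64.

    Returns (decoded_text, layers_removed). Stops on invalid input, binary output
    or after `max_layers`, so a decoy that decodes forever cannot stall the triage.
    """
    current, layers = blob, 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode("".join(current.split()), validate=True)
        except (binascii.Error, ValueError):
            break
        if not mostly_printable(decoded):
            break
        current = decoded.decode("ascii", errors="replace")
        layers += 1
    return current, layers


def scan_for_proxyjacking(script_text):
    """Report which bandwidth-sharing services and docker verbs the script mentions."""
    lowered = script_text.lower()
    services = sorted(s for s in PROXY_SERVICES if s in lowered)
    actions = sorted({m.group(1).lower() for m in DOCKER_ACTION.finditer(script_text)})
    return {"services": services, "docker_actions": actions,
            "suspicious": bool(services and actions)}


def triage(blob):
    """Peel the encoding layers, then scan the plaintext; the layer count is included."""
    text, layers = peel_base64(blob)
    report = scan_for_proxyjacking(text)
    report["layers"] = layers
    return report


# Constructed stand-in for the decoded script: it only pulls a placeholder image
# whose name carries one of the service indicators. Wrapped in two Base64 layers,
# mirroring the double encoding the researchers had to undo.
INNER_SCRIPT = """#!/bin/sh
# constructed sample for the example, not the attackers' script
PACCT=example-affiliate
docker pull example/peer2profit-client
"""
SAMPLE_BLOB = base64.b64encode(base64.b64encode(INNER_SCRIPT.encode())).decode()

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```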

Distribution server

Researchers traced an attack and discovered a compromised web server in Libya that distributed components for attacks. The server had outdated and unmaintained components, including a library called metro-bootstrap. Three files were last modified in 2014, while newer files suggested the server had been compromised. Researchers used `wget -r` to download all files for analysis. The csdark.css file was uploaded, followed by metro-bootstrap.min.xcss, and then vksp, which was later found to be a Linux-specific crypto-miner named perfcc. Analysis revealed that vksp contained a crypto-mining utility, exploits, and hacking tools. That suggests a pivot or supplementing of cryptojacking with proxyjacking. Hosted on the same website, these executables provide proof of actors who will capitalize on this monetization strategy.

Why do they do it?

In this campaign, Peer2Profit and Honeygain were the two P2P proxy monetization schemes discovered. Both have public Docker images with over 1 million downloads. Unfortunately, some potentially unscrupulous companies use these proxies for data collection and advertising, even though they are technically legitimate. Some companies allow users to see precisely how their traffic is being used. While these applications are not inherently harmful and are marketed as voluntary services that offer compensation in exchange for sharing unused internet bandwidth, some companies fail to properly verify the sourcing of the IPs in their network. Sometimes, they even suggest installing the software on work computers, which is risky.

How to avoid proxyjacking?

In itself, a proxy server is perfectly legitimate: each user is free to provide bandwidth for any purpose. However, when this happens without the user’s knowledge, it becomes a cybercrime. Preventing it is not as difficult as it may seem at first glance. It is enough to be cautious when using the Internet and to follow these recommendations:

  • Use strong passwords. A strong password is the first line of defense, so we recommend using a password generator to create one. Also, avoid reusing the same password on different sites.
  • Use two-factor authentication. Even if your first line of defense falls, 2FA will not let the attacker in any further, because he cannot obtain the confirmation code.
  • Install all OS and software updates regularly. Software updates patch the vulnerabilities through which attackers can also infiltrate your device.
  • Use advanced anti-malware solutions. While a basic security tool satisfies most of the average user’s needs, an advanced anti-malware tool is a great addition to the Windows Protector and will protect your device from a wide range of attacks.

The post Proxyjacking: The Latest Cybercriminal Invention In Action appeared first on Gridinsoft Blog.

Reverse Proxy vs Proxy
https://gridinsoft.com/blogs/reverse-proxy-vs-proxy/
Fri, 29 Jul 2022 14:07:30 +0000

What is a Reverse Proxy?

A reverse proxy is a proxy server like any other, except that it sits in front of a web server rather than in front of clients. Depending on its configuration, it allows or refuses an external connection’s attempt to reach the endpoint. Reverse proxies are used to improve security, performance, and reliability. To understand how a reverse proxy works and what benefits it can provide, let’s first recall what a proxy server is.


Proxy Server Meaning

A forward proxy server (also called a direct proxy or web proxy) is a server that sits in front of a client’s computer. When this computer sends requests to sites on the Internet, the proxy takes over these requests and communicates with the web servers on behalf of the client, acting as an intermediary. Suppose three computers take part in a typical forward proxy communication:

  • A: The user’s home computer
  • B: The forward proxy server
  • C: The origin server of the website (where the website data is stored)

Computer A will talk directly to computer C in a standard Internet connection. That is, the client sends requests directly to the origin server, and the origin server responds to the client. When a direct proxy server is set up, A will instead send requests to B, which will forward the request to C. C will then send a response to B, which will deliver the response back to A.

Reasons for Using a Forward Proxy

As you can already guess, a reverse proxy is an intermediary on the incoming connection that may decide whether it should be allowed. But why would anyone want to add an extra middleman to their own online activities? There are several main reasons why someone might need a forward proxy:

  • To avoid browsing restrictions. For example, governments, schools, and other organizations sometimes use firewalls to prevent their users from accessing specific websites. A forward proxy can bypass these restrictions, since the connection goes to the proxy server rather than directly to the blocked site.
  • To block access to certain content. It happens the other way around. Proxy servers can be set up to block a group of users from accessing specific sites. For example, a school network may block particular websites such as Facebook or other social networking sites.
  • To protect your identity on the Internet. In some cases, ordinary Internet users want more anonymity on the Internet. In other cases, Internet users live in countries without freedom of speech, and the government can impose severe sanctions on political dissidents. In such countries, criticism of the government on a web forum or social media can lead to heavy fines and sometimes even imprisonment for these users. Suppose one of these dissidents uses a proxy server to connect to the website where they post politically sensitive comments. In that case, their IP address will be harder to trace. This is because only the IP address of the proxy server will be visible.

Proxy Server VS Reverse Proxy

The main difference between a forward proxy and a reverse proxy is where each one sits: the reverse proxy is in front of one or more web servers and intercepts client requests, whereas the forward proxy is in front of the clients. With a reverse proxy, all client requests to the website server are intercepted by the reverse proxy, which then sends the requests to the origin server and receives its responses.


In simplistic terms, you could say that the forward proxy sits in front of the client and ensures that no source server ever communicates directly with that particular client. On the other hand, the reverse proxy server sits in front of the source server. It ensures that no client ever communicates directly with that source server. Once again, let’s introduce this by naming the computers involved:

  • D: Any number of users’ home computers
  • E: The reverse proxy server
  • F: One or more origin servers


Normally, all requests from D go directly to F, and F sends the responses directly to D. In the reverse proxy case, all requests from D go to E instead. E sends its own requests to F and receives F’s responses, then forwards the corresponding responses to D.

Benefits of a Reverse Proxy

Here are the main benefits of reverse proxy:

  • Protection against attacks. With a reverse proxy, a website does not have to disclose the actual IP address of its origin server(s). This can protect the website from possible targeted attacks, such as DDoS attacks. Instead, attackers will only be able to target the reverse proxy server, which often has better protection and more resources to fend off a cyberattack.
  • Global Server Load Balancing (GSLB). In this form of load balancing, a website can be distributed across multiple servers worldwide, and the reverse proxy sends clients to the server geographically closest to them. This shortens the distance requests and responses travel, minimizing load times.
  • Caching. A reverse proxy can also cache content, which improves performance. For example, suppose a user in Paris visits a website whose web servers are in Los Angeles and which uses a reverse proxy. The user connects to the local reverse proxy in Paris, which then has to communicate with the origin server in Los Angeles. The proxy can cache (temporarily store) the response data, so subsequent Paris users browsing the site receive a locally cached copy from the Paris reverse proxy, with much better performance.
  • SSL Encryption. Encrypting and decrypting SSL (or TLS) communications for every client can consume significant computing resources on the origin server. A reverse proxy can instead be configured to decrypt all incoming requests and encrypt all outgoing responses, freeing up valuable resources on the origin server.
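The D → E → F flow and the benefits just listed, modelled as an added example that is not code from the original post: the origin address, the proxy host name and the client addresses are constructed, TLS termination is a flag on the request rather than real TLS, and the cache takes an injectable clock so expiry can be exercised.

```python
"""Toy model of the D -> E -> F flow: clients (D) reach only the reverse
proxy (E), which talks to the origin (F) on their behalf. Added example, not
code from the original post: no network I/O, TLS termination is a flag on the
request, the clock is injectable, and all addresses are constructed."""
import time
from dataclasses import dataclass, field

ORIGIN_ADDR = "10.0.0.5:8080"     # constructed private address of origin F
PROXY_HOST = "www.example.com"    # the only name clients ever resolve

@dataclass
class Request:
    method: str
    path: str
    client_ip: str
    headers: dict = field(default_factory=dict)
    over_tls: bool = True

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

class Origin:
    """Origin F: it only ever hears from E, so it learns the real client
    address solely from the X-Forwarded-For header that E sets."""
    def __init__(self):
        self.requests = []        # everything F actually received

    def handle(self, req: Request) -> Response:
        self.requests.append(req)
        return Response(200, f"content of {req.path}",
                        {"Server": "origin-app/1.0", "X-Backend": ORIGIN_ADDR})

class ReverseProxy:
    """Reverse proxy E: TLS termination, caching and origin hiding."""
    def __init__(self, origin, cache_ttl=60.0, clock=time.monotonic):
        self.origin, self.cache_ttl, self.clock = origin, cache_ttl, clock
        self.cache = {}           # (method, path) -> (expires_at, Response)

    def handle(self, req: Request) -> Response:
        # TLS terminates at E: plaintext HTTP is redirected, never forwarded.
        if not req.over_tls:
            return Response(301, "", {"Location": f"https://{PROXY_HOST}{req.path}"})
        key = (req.method, req.path)
        cached = self.cache.get(key)
        if cached and cached[0] > self.clock():
            return cached[1]      # cache hit: F is not contacted at all
        # Forward over the internal network. X-Forwarded-For is overwritten,
        # not appended, because a client-supplied value must never be trusted.
        fwd = Request(req.method, req.path, req.client_ip, dict(req.headers), False)
        fwd.headers["X-Forwarded-For"] = req.client_ip
        fwd.headers["Host"] = PROXY_HOST
        up = self.origin.handle(fwd)
        resp = Response(up.status, up.body, dict(up.headers))
        # Strip anything that would reveal F's address or software to D.
        resp.headers.pop("X-Backend", None)
        resp.headers["Server"] = "edge"
        if req.method == "GET" and resp.status == 200:
            self.cache[key] = (self.clock() + self.cache_ttl, resp)
        return resp
```

Only GET responses with status 200 are cached, so a POST always reaches the origin.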

Conclusion

Looking at the above, we see that even though both have the word “proxy” in their names, they are not the same thing. Each has its own scope, determined by its position in the request-response loop. However, it is essential to know that each one moderates your traffic and can either block your requests or allow them.

VPN, Proxy, or Tor: Differences, Meaning
https://gridinsoft.com/blogs/vpn-proxy-or-tor-differences-meaning/
Thu, 16 Jun 2022 14:00:45 +0000

You’ve probably heard the words VPN, Proxy, and Tor. You may even regularly use these technologies to remain anonymous, bypass blockades, view content blocked in your region, or simply access your corporate network. But how exactly do these technologies work, and how do they differ? Today we’ll talk about how to protect yourself and your data on the global network.

What is a Proxy?

Of VPN, proxy, and Tor, the most straightforward technology is the proxy, so let’s start with it. First, let’s look at how web surfing technically works: when you connect to a website, your connection is sent to the server hosting the website. That server can see a lot of information about your connection, including your IP address and approximate location.

A proxy server is an intermediary between your browser and a website. In other words, it communicates with the website’s server on your behalf. You connect to the proxy server, which then forwards the connection to the site, like that friend in high school who passed your notes to the cutie in class. Proxy servers come in several types and perform different functions depending on the type. By swapping your location for the proxy’s, you can bypass regional blocking and access content available only in certain countries.


How Does a Proxy Server Work?

But the situation can also be reversed. If necessary, network administrators can restrict access to certain resources with the help of a proxy. There are also less obvious usage scenarios. For example, proxy servers often cache data from popular sites, so downloading data via a proxy server may speed up access to these resources. Or you can save traffic because proxy servers can compress all requested content. This is how different turbo and economy modes work in browsers.

As we can see, there are many uses for proxy servers. And this is a positive side of the technology, but proxy servers also have significant disadvantages. First, the technology itself is limited. Proxy servers are highly specialized, so a different type of proxy is needed for each type of Internet connection.

For example, an FTP (File Transfer Protocol) connection requires an FTP proxy, and HTTP and HTTPS each need their own HTTP and HTTPS proxy servers. This is a severe limitation, which is why a special type of proxy, the SOCKS proxy, exists: this variation of the protocol can handle different kinds of traffic. But it works more slowly, so it is not suitable for everyone either. Also, a proxy handles only the traffic coming from the browser; all other traffic in the system does not go through the proxy server.

Proxy Security

All types of proxies share one crucial problem: security. A proxy server does not add any encryption of its own. HTTP traffic therefore passes through it entirely unencrypted, while HTTPS traffic is encrypted only as it would be on a standard Internet connection, with SSL encryption. And this is a huge problem. To grasp the scale of the tragedy, let’s return to the analogy of the note.

Using a proxy server is like sending a note to a cutie without an envelope. But, of course, you can only do that if you trust the intermediary 100%. After all, he can easily read the contents. And, of course, you have to watch out for free proxy servers of dubious reputation. After all, using an unverified free proxy is like giving an envelope to the first person you meet.

There is also a particular type of proxy called Shadowsocks. It is essentially an improved version of the SOCKS proxy, offering both traffic concealment and the ability to bypass various blocks. There are clients for both computers and smartphones, allowing you to stay protected at all times. Shadowsocks has a few nice features: for example, to bypass blocking elegantly, it can mask traffic selectively, and you choose what to hide and what not to. But it is essential to understand that Shadowsocks is not designed to protect the user’s privacy and anonymity, because when using Shadowsocks, data packets are unencrypted.

What Is a VPN?

VPN (Virtual Private Network) is a technology that has most of the advantages of proxies and lacks most of their disadvantages. Initially, it was not conceived as a means of anonymizing traffic; its purpose was to join remote computers into a single network, for example to reach the local network of a head office from a regional branch or from home. The principle of a VPN is similar to that of a proxy: before reaching the Internet, traffic first goes to an intermediate server. On the one hand, this lets you access blocked resources, because as far as your Internet provider can see, you are sending a request to the VPN server, not to the banned site. On the other hand, it helps preserve your anonymity, because the website you reach thinks the request came from the IP address of the VPN server, not yours. But proxy servers do essentially the same thing, so what is the difference?


VPN and Proxy: Differences to Pay Attention To

The key difference between a VPN and a Proxy is end-to-end encryption. All traffic passing through a VPN server is protected from the entry point to the exit point. That’s because when the VPN is turned on, an encrypted communication channel is created between your device and the VPN server, protecting all data from hacker attacks. If we compare it to a proxy, in the former case, we are passing a note without an envelope to a friend, who can either be robbed at any time or steal it himself. In the case of VPN, we transmit data through a closed tunnel which is extremely difficult to penetrate. Moreover, VPN works with all types of data and encrypts all traffic from all applications, not just your browser traffic. Unlike the proxy, a VPN client must be installed on your device as a separate application or browser extension for the VPN to work.

VPN Security

VPNs are much more secure because they use advanced encryption algorithms, such as AES-256 and ChaCha20, to encrypt your connection and anonymize your traffic. But not all VPN services are equally helpful. As with proxies, free VPN services have repeatedly been caught spying on users and selling their data. For example, the Betternet VPN service, which had 38 million users, used as many as 14 libraries to spy on users. And the Hola service sold the IP addresses of free users to criminals. In other words, criminals could use your IP address for their purposes. Therefore, before choosing a VPN service provider, it is essential to learn more about it.

What Is Tor?

Tor stands for The Onion Router and uses what is called onion routing. Your data is the core of the onion, and its protection is the layers around it. To anonymize traffic, Tor, like proxies and VPNs, passes it through intermediate servers. But in the case of Tor there is not one intermediate server but several, called nodes. In other words, Tor is a free network of access points that act as a proxy for your connection. Tor is also the name of the browser you use to connect to this network. When you use the Tor browser, your connection passes through several nodes before reaching its final destination. Traffic within the network is also encrypted, so it is somewhat more secure than a proxy.

Since your traffic is wrapped in three layers of protection, the first and second nodes never see your traffic: each only peels off one layer of protection, like the skin of an onion, and only the third, exit node reaches the core and sends the request to the Internet. Each node knows the IP address only of the node before it in the chain, so by the time your traffic reaches the last node, the original IP has been lost. These nodes are run by users on their own computers; the more users, the safer and faster the network is.
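The three-layer peeling just described, as an added example that is not code from the original post and not Tor’s real protocol: the per-hop "cipher" is a SHA-256 keystream XOR chosen only to avoid third-party libraries, each node’s key is assumed to be pre-shared rather than negotiated, and the node names and request are constructed. What it shows is the structural property: each node can open exactly one layer, learns only the next hop, and only the exit node ever sees the request.

```python
"""Toy walk-through of the three-node path described above. Added example,
not code from the original post and not Tor's real protocol: the per-hop
"cipher" is a SHA-256 keystream XOR chosen only to avoid third-party
libraries, and each node's key is assumed pre-shared rather than negotiated.
What it shows is the structural property: each node peels exactly one layer,
learns only the next hop, and only the exit node ever sees the request."""
from __future__ import annotations
import hashlib
import json


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; applying it twice restores data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], stream))
    return bytes(out)


class Node:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.learned = []           # next hops this node was able to read

    def peel(self, onion: bytes) -> tuple[str, bytes]:
        """Strip one layer with this node's key; return (next_hop, remainder)."""
        layer = json.loads(toy_cipher(self.key, onion))
        self.learned.append(layer["next"])
        return layer["next"], bytes.fromhex(layer["inner"])

    def can_read(self, blob: bytes) -> bool:
        """True only if this node's key opens the outermost layer of blob."""
        try:
            json.loads(toy_cipher(self.key, blob))
            return True
        except ValueError:          # garbage: wrong key for this layer
            return False


def build_onion(path: list[Node], request: str) -> bytes:
    """Client side: wrap the request once per node, exit's layer innermost."""
    inner, next_hop = request.encode(), "internet"
    for node in reversed(path):
        layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
        inner, next_hop = toy_cipher(node.key, layer), node.name
    return inner


def route(path: list[Node], onion: bytes) -> str:
    """Walk the circuit: every node peels one layer and forwards the rest."""
    current = onion
    for node in path:
        _next_hop, current = node.peel(current)
    return current.decode()         # only the exit node reaches the core
```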

Tor Security

The Tor browser is based on Firefox and has been enhanced with add-ons that stop sites from spying on you. For example, the browser can disable all scripts on sites, effectively preventing the collection of any user data, or force sites to use encryption. It sounds very secure, but in practice it is not.

  • Law enforcement strongly dislikes Tor, and the mere fact that Tor is being used is easy to trace. So just by using the Tor Browser, you can already attract a lot of attention.
  • Running an exit node is very risky: its owners are the ones held responsible for everything users do through it.
  • Those same exit node owners see all your traffic, which means they can track you. This is why exit nodes are the favorite target of law enforcement officials.
  • Moreover, the multi-layer encryption makes the Tor network slow, and half of all sites refuse to work properly through the Tor Browser.

It is also worth mentioning that Tor, like a proxy, does not cover all of the system’s traffic, which is obvious from the above.


Proxy, VPN, or Tor?

If you are worried about your online security, the best way to protect yourself is through a VPN. But do not forget that you should use only reliable VPN services with a good reputation. Often you can find information about the reliability of a particular service on the Internet in special articles. Also, remember that a good VPN can cost money, or its creators can charge a certain amount for its use. Finally, proxy servers are solutions focused on convenience and speed, which are suitable for bypassing major geo-blocks.

In contrast, Tor focuses on rough anonymity at the cost of passing traffic through many nodes. Therefore, a VPN is the best choice in most cases, because the VPN connection is encrypted, secure, and fast. Unfortunately, proxy servers and Tor do not offer that level of security, so with them your safety can only be guessed at.

However, for maximum effect, you can use a VPN and Tor at the same time. Connecting to a VPN via Tor is a slow but effective solution for true anonymity. At the same time, proxies are a quick and inexpensive solution for basic IP masking. So, VPNs are the best all-around solution if you’re a casual internet user and want to keep yourself safe online.
