Your computer may be part of a major proxy service without you even knowing. To make matters worse, someone out there is getting paid to offer these IP addresses, and the bandwidth, to their customers.
These are the findings of AT&T Alien Labs, published earlier this week. As reported by BleepingComputer, a threat actor created a piece of malware and distributed it through game cracks and other illegal software.
The malware silently downloads and installs a proxy application, without user knowledge or consent. Antivirus programs weren’t flagging the proxy application as malicious, either.
Hundreds of thousands of victims
When the installation is complete, the infected endpoint becomes part of a proxy network which the malware’s operators then sold as a proxy service to its clients and customers. Apparently, more than 400,000 Windows systems were compromised this way.
To make matters worse, the company behind the botnet claims that all of the victims gave their consent, and willingly became part of the proxy infrastructure. However, researchers at Alien Labs beg to differ:
“Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems.”
They added, “as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.”
While we don’t know the name of the threat actors behind the campaign, the researchers said it’s almost identical to an earlier campaign targeting macOS systems. In that campaign, a malware named AdLoad was being distributed.
To double-check whether your device was compromised, AT&T’s researcher says users should look for a “Digital Pulse” executable located at “%AppData%\”, or a similar Registry key found in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\.” and remove it.