Bunitu Botnet Owners Hiring Out Infected Proxy Bots for More Revenue

Cyber-criminals operating Botnet Bunitu have been found trading use of contaminated proxy bots so they can churn more bucks by letting others access their malicious network, published theregister.co.uk dated August 11, 2015.

End-users of specific service providers of virtual private network (VPN) with the purpose for safeguarding their privacy actually don't know that personal computers used as back-end devices are sourcing traffic via certain malicious army of contaminated PCs globally.

Besides, the traffic isn't encrypted as well, essentially defeating what a VPN facility is meant for.

With no encryption, end-users hardly get the real security whilst at the same time have their activities exposed to tapping else what's worse still, traffic diversion or man-in-the-middle assaults.

The horrible as well as shoddy VPN scam first came to the notice of security researchers of Sentrant the ad-fraud-fighting agency and Malwarebytes the anti-virus company. Originally, these two companies were examining the botnet thinking that its key activity to make illegitimate earnings was executing ad-click fraud, but soon realized that it were the devious VPN services which was its chief fraud game.

Meanwhile, Malwarebytes on VIP72, a low-quality VPN service intensely associated with Bunitu as well as its proxies, said it promoted fake Internet Protocols of VPS US, Pure VPN, Socks Vip72 and Hidemyass software that aided in churning revenues through effective networking.

To examine VIP72's involvement with Bunitu, Malwarebytes created one artificial Bunitu honeypot whose command-and-control protocol it reverse engineered followed with designing a script that imitated registration request of the proxy as also signed into request URLs. When the company registered the honeypot, it found that several requests it got originated from VIP72.

Creating an account through VIP72, Malwarebytes found that its honeypot served as an IP address to exit the botnet demonstrating the reason why users on one proxy looked to visit another.

This, however, doesn't prove that VIP72 is deliberately utilizing proxies of Bunitu botnet when there are open proxies on the web requiring no validation, but for certain bug within the arrangement that keeps one host proxy's IP address in tact following registration no matter whether that proxy shifts onto another IP.

» SPAMfighter News - 8/20/2015