Presented at VB2015
Oct. 1, 2015, 11 a.m.
The Bunitu botnet makes use of a unique monetization strategy in which proxy services are installed on the infected hosts and controlled by the botnet. Access to these proxies is then sold through a web store as an anonymizing VPN service. Though this monetization strategy has been observed in the past, in connection with the TDSS botnet, the Bunitu developers have improved on the previous malware proxy technology and removed the need for the host to have a public IP.
In addition to the HTTP and SOCKS proxies, both of which Bunitu installs, a third malware proxy is also installed. This third proxy establishes a connection out from the infected host to an intermediary server. Clients can then connect to the intermediary server, which tunnels the client traffic back down the open connection from the infected host. This acts like a type of reverse tunnel (for those familiar with SSH). The use of this tunnelled proxy allows the Bunitu botnet to monetize hosts that are behind firewalls and would not normally be accessible from the Internet. It also allows the botnet to sell access to the infected hosts through a 'VPN' service rather than just a proxy service.
Our research into the infrastructure that supports the Bunitu botnet and the type of traffic that is routed through the Bunitu-infected hosts led us to identify one of the web stores that is selling an 'anonymized VPN' service built on the Bunitu botnet. We also developed tools for interacting with the Bunitu botnet, which we have published so that other researchers can replicate and build on our work.
We will present our analysis of the Bunitu botnet, including the malware proxy technology used, the C&C protocol, and the results from our investigation into the infrastructure behind the botnet and the anonymizing VPN services that sell access to the botnet proxies. We will also provide a short overview of this unique monetization scheme and compare it with other current threats related to VPN/proxy services.