Proxy is good
- If a malicious user connects a computer to the network, then he might be limited if the proxy requires authentication and protects against authentication replay attacks.
- It is good for basic content filtering.
Proxy is not enough
I would like to split the explanation into two scenarios. The first uses the framework's commands, while the second has direct access to the Windows API using a non-framework language, e.g. C++.
Scenario 1:
1. In this scenario, the malware is based on Java/.NET. Therefore, it can access the methods of the framework in order to obtain the proxy settings of Internet Explorer. E.g. in .NET, a malicious user is able to create a WebClient that sends a request. Either way, the proxy settings are reflected by the WebRequest.GetSystemProxy() method.
2. The framework runs the code and calls the WinAPI in order to get the proxy settings. Note: this is invisible to the malware developer (black box).
3. The WinAPI returns the proxy settings.
4. The framework returns the settings to the malware.
5. The malware accesses the proxy server as an authorized user with the information that should be sent to the C&C. Since the malware has the IE settings, it uses the credentials to authenticate to the server exactly as IE does. Note: in order to reduce blocking by content filtering, the communication should be established over SSL.
6. The C&C gets the information from the proxy server and responds. The malware will be able to receive the response.
Scenario 2:
1. The malware makes WinAPI calls in order to get the proxy configuration, e.g. WinHttpGetIEProxyConfigForCurrentUser (with a few adjustments).
2. The WinAPI updates the pointer that includes the proxy configuration.
3. Exactly as step 5 in scenario 1 above.
4. As step 6 in scenario 1 above.
- Antivirus does not recognize the malware, e.g. because of thread timeouts, packers and all the other cool stuff.
- Windows 8 does not allow opening network connections unless it is accepted in the UAC. Hence, an exploit or another way to gain higher privileges is required.
- New JREs require re-authentication when accessing the internet.
I don't think that there is a unique solution; however, I would recommend taking the following actions into account:
- Install a sandbox solution that restricts access to proxy settings.
- Educate users not to allow unknown connections (Java re-authentication requests or Windows UAC prompts). (Sure... security awareness is only part of the solution...)
- All other action items to prevent malware infection.
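As an added example (not part of the original answer), here is one defender-side check that follows from the scenarios above: because the malware authenticates to the proxy with the user's own credentials and tunnels its traffic over SSL, the proxy log shows a valid user, but it can still compare the client that presents those credentials with the user's usual browser. The script parses a constructed Squid-style access log and reports authenticated CONNECT tunnels whose User-Agent is not that user's dominant browser User-Agent. The log format, field order, host names and user names are all constructed for illustration.

```python
"""Flag proxy-authenticated CONNECT tunnels that do not look like the user's browser.

Added example, not code from the original answer. The proxy cannot tell a
malware client from IE by its credentials alone (the answer's point), but it
can compare the User-Agent presented with those credentials against the one
the user normally sends. Log format and all values below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log, loosely modelled on Squid's combined format:
# <epoch> <client_ip> <auth_user> <method> <url> <status> "<user_agent>"
IE_UA = "Mozilla/5.0 (Windows NT 6.2; Trident/7.0; rv:11.0) like Gecko"
SAMPLE_LOG = f"""\
1700000001 10.0.0.12 jdoe GET http://intranet.example/start 200 "{IE_UA}"
1700000002 10.0.0.12 jdoe CONNECT mail.example.com:443 200 "{IE_UA}"
1700000003 10.0.0.12 jdoe CONNECT news.example.com:443 200 "{IE_UA}"
1700000004 10.0.0.12 jdoe CONNECT cdn.example.net:443 200 "{IE_UA}"
1700000005 10.0.0.12 jdoe CONNECT update.example-c2.test:443 200 "-"
1700000006 10.0.0.12 jdoe CONNECT update.example-c2.test:443 200 "Java/1.7.0_45"
1700000007 10.0.0.12 jdoe CONNECT mail.example.com:443 200 "{IE_UA}"
1700000008 10.0.0.20 asmith GET http://intranet.example/start 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1700000009 10.0.0.20 asmith CONNECT mail.example.com:443 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1700000010 10.0.0.12 - GET http://intranet.example/start 407 "{IE_UA}"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def dominant_user_agents(entries):
    """Per authenticated user, the most frequently seen User-Agent.

    Requests without a user ("-") or that were challenged (407) are ignored,
    since they carry no accepted credentials.
    """
    counts = defaultdict(Counter)
    for e in entries:
        if e["user"] != "-" and e["status"] != "407":
            counts[e["user"]][e["ua"]] += 1
    return {user: c.most_common(1)[0][0] for user, c in counts.items()}


def find_off_browser_tunnels(entries):
    """Return (user, destination, ua) for authenticated CONNECT tunnels whose
    User-Agent differs from that user's dominant one. A missing UA ("-") counts
    as a difference, since the browser always sends one."""
    browsers = dominant_user_agents(entries)
    findings = []
    for e in entries:
        if e["method"] != "CONNECT" or e["user"] == "-" or e["status"] == "407":
            continue
        if e["ua"] != browsers.get(e["user"]):
            findings.append((e["user"], e["url"], e["ua"]))
    return findings


if __name__ == "__main__":
    for user, dest, ua in find_off_browser_tunnels(parse_log(SAMPLE_LOG)):
        print(f"{user}: CONNECT {dest} with User-Agent {ua!r}")
```

On the constructed log this reports the two tunnels from jdoe to update.example-c2.test, one with no User-Agent and one from a Java runtime. It is a low-cost signal rather than a control: a client that copies the browser's User-Agent exactly is indistinguishable at this layer, which is why the host-side measures listed above (restricting access to the proxy settings, user awareness, general malware prevention) remain the primary defence.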