February 25, 2013

Proxy is transparent for malware

In this post I would like to break a myth for the people that know how to protect, but don't know how to attack. Proxy can be a good solution for performance, but not necessarily for security.

Proxy is good
  1. If a malicious user connects a computer to the network, then he might be limited in case the proxy requires authentication and protects against replay authentication attacks. 
  2. It is good for basic content filtering. 

Proxy is not enough
I would like to split the explanation to two scenarios - The first uses the framework's commands, while the second have direct access to windows API using non-frameworked language, e.g. C++.
First scenario:
  1. In this scenario, the malware is based on Java/.NET. Therefore, It can access the methods of the frameworks in order to gain the proxy settings of Internet Explorer. e.g. in .NET, a malicious user is able to create WebClient that sends a request. Anyway, proxy settings are reflected from WebRequest.GetSystemProxy() method.
  2. The framework runs the code and calls the WinAPI in order to the the proxy settings. Note: this is invisible for the malware developer (black box).
  3. WinAPI returns the proxy settings.
  4. The framework returns the settings to the malware.
  5. The malware access to the proxy server as authorized user with the information that should be sent to the C&C. Since the malware have the IE settings, it uses the credentials to authenticate to the server exactly as IE does. Note: in order to reduce blocking by content filtering, the communication should be established over SSL.
  6. The C&C gets the information from the proxy server and responses. The Malware will be able to receive the response
Second scenario:

  1. The malware creates WinAPI calls in order to get proxy configurations, e.g. WinHttpGetIEProxyConfigForCurrentUser (with few adjustments).
  2. The WinAPI updates the pointer that includes the proxy configurations.
  3. Exactly as step 5 in scenario 1 above.
  4. As step 6  in scenario 1 above.

  1. Antivirus does not recognize the Malware, e.g. by using thread timeouts, packers and all other cool stuff.
  2. Windows 8 does not allow to open network connections, unless it accepted in the UAC. Hence, an exploit or other way to gain higher privileges is required. 
  3. New JREs require re-authentication when accessing the internet.  

Acceptable solution
I don't think that the solution is unique, however, I would recommend to take into account the following actions:
  1. Install a sandbox solution that restricts access to proxy settings.
  2. Educate users to not allow unknown connections - java re-authentication request or windows UAC. (Sure... security awareness is only part of the solution...)
  3. All other action items to prevent malware infection.


  1. I browse your article and obtain vital data additionally if you've got any question concerning subjected topic
    access 1337x in UK

  2. Your work is very simple art of work its really a helpful.
    access Mp3skull in UK

  3. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a .Net developer learn from .Net Training in Chennai. or learn thru ASP.NET Essential Training Online . Nowadays Dot Net has tons of job opportunities on various vertical industry.

  4. System supervisors are additionally mindful of intermediaries and every famous proxy are blocked.proxy mexico

  5. This comment has been removed by the author.

  6. VPN is very convenient, but it is not necessary https://novavpn.com/blog/popcorn-time/ if you want remote clients to connect to you Linux or Unix server.

  7. Despite the fact that Perth wrongdoing rates isn't high, it is dependably to better to put resources into security and ensure that you have thought about the safety of everybody and everything than being left sad and bellowing at last since you have underestimated that one need in a man's survival. Security.security camera system reviews

  8. I am all that much satisfied with the substance you have specified. I needed to thank you for this extraordinary article.  Read the reviews

  9. This is really great work. Thank you for sharing such a good and useful information here in the blog for students.  maggiori informazioni

  10. I can set up my new idea from this post. It gives in depth information. Thanks for this valuable information for all,.. find out more

  11. I would state, you do the genuinely amazing.This substance is made to a wonderful degree well. VPN

  12. Wonderful article, thanks for putting this together! This is obviously one great post. Thanks for the valuable information and insights you have so provided here. get more privacy

  13. Persons appreciate shopping for amazing, appealing, fascinating and from time to time attractive aromas for them selves and pertaining to others. This can be executed conveniently along with inexpensively in an on-line perfume shop. https://www.lemigliorivpn.com