Security & Mobility Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements

Anonymous proxy playground

by Juniper Employee, 08-02-2012 03:10 PM (edited 08-02-2012 03:10 PM)

Last week at BlackHat, Chema Alonso presented an unsophisticated yet powerful man-in-the-middle technique built on an anonymous proxy server. Users connecting to the proxy would get their browser cache poisoned by the attackers' script, and once the script was installed the victim's computer became part of a botnet. The researchers were then able to eavesdrop on the victim's web traffic and steal browser cookies and form data, such as user credentials. Because anonymous proxies are often used by cyber crooks, this also let them track various criminal activities on the Internet.

What's impressive is the simplicity and scale. Alonso and his colleague used off-the-shelf open source software and wrote a couple of scripts. All they did to advertise the service was list it in one of the open proxy web catalogues, and that alone brought them several thousand unique bot installs in a single day. Given the effectiveness and low cost of this attack, one can imagine similar techniques being used on the Internet by criminals, and possibly by governments and intelligence agencies looking to spot bad actors. Variations could range from passive harvesting of sensitive data to targeted attacks that use cache poisoning to penetrate intranets.

With this in mind, I collected about 500 public anonymous proxy addresses, coded up a web crawler, and launched a little experiment. First I tried to detect proxies that modify content, by comparing what was downloaded directly with what was downloaded through each proxy. This turned up a handful of shaky servers that simply truncate long strings and break legitimate pages, a couple of servers that modify page scripts to help block unsolicited pop-ups, and one that replaced the index page with heavily obfuscated JavaScript. While the last one certainly looked suspicious, on closer examination it turned out to be URL redirection code.
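The direct-versus-proxied comparison from the experiment above, written up as an added example (this is not code from the original post). It fetches a page with urllib, optionally through the proxy under test, and then classifies the difference; the sample bodies are constructed, and the obfuscation heuristic only flags a script for the kind of manual look the post describes. It assumes the reference page is static (ideally one you control), since dynamic content would otherwise show up as a modification.

```python
import re
import urllib.request

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Tokens common in packed JavaScript; a hit only flags the script for manual review.
OBFUSCATION_RE = re.compile(r"\beval\(|\bunescape\(|fromCharCode|\\x[0-9a-f]{2}", re.IGNORECASE)

def fetch(url, proxy=None, timeout=15):
    """Fetch url directly, or via an HTTP proxy given as 'http://host:port'."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    with urllib.request.build_opener(*handlers).open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def scripts_in(html):
    return {m.strip() for m in SCRIPT_RE.findall(html)}  # inline script bodies

def looks_obfuscated(script):
    """Heuristic: packer keywords, or mostly non-identifier characters in a long script."""
    if OBFUSCATION_RE.search(script):
        return True
    noisy = sum(1 for c in script if not (c.isalnum() or c.isspace()))
    return len(script) > 200 and noisy / len(script) > 0.35

def classify(direct, proxied):
    """Describe what the proxy changed: truncation, script injection/removal, or nothing."""
    if direct == proxied:
        return "unmodified"
    if len(proxied) < len(direct) and direct.startswith(proxied):
        return "truncated"
    added = scripts_in(proxied) - scripts_in(direct)
    removed = scripts_in(direct) - scripts_in(proxied)
    if any(looks_obfuscated(s) for s in added):
        return "script-injected-obfuscated"
    if added and removed:
        return "script-modified"
    if added:
        return "script-injected"
    if removed:
        return "script-removed"
    return "modified"

# Constructed sample bodies standing in for real direct/proxied fetches.
DIRECT = "<html><body><script>showAds();</script><p>hello world</p></body></html>"
SAMPLES = {
    "clean": DIRECT,
    "truncating": DIRECT[:40],
    "popup-blocker": DIRECT.replace("showAds();", "window.open = function () {};"),
    "injector": DIRECT.replace("</body>", "<script>eval(unescape('%61'))</script></body>"),
}
```

For a live run, call `classify(fetch(url), fetch(url, proxy))` for each proxy in the list; anything other than "unmodified" deserves a look.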

My next test was for non-invasive monitoring. I registered several free email accounts, one primary and a set of secondary ones, and exchanged some messages between them. Then I used every proxy in the test list to log in to the primary mailbox. I created a strong password, but intentionally chose a service that sent credentials in plaintext, so a malicious proxy could easily "sniff" it. If only I had been behind Juniper IPS, my plaintext password would have triggered a signature and been reported even before I started using the unsafe mailer. But not in this case, so guess what: pretty soon my fake buddies began receiving spam probes from the primary test account, a clear indication that the mailbox had been compromised.

This simple test has proven that some public proxy servers out there are indeed malicious. While the Internet is full of great free things, some of them are mousetraps. Everyone should keep in mind that connecting through proxy servers essentially gives the proxy owner rights to be the man in the middle. People using these services should understand the risks, opt for trusted resources and utilize protection technologies.

Comments
by Juniper Employee on 08-02-2012 05:12 PM

Oscar - great post. Can we publish the identities of the malicious proxy servers?

by Juniper Employee on 08-03-2012 01:07 PM

Siva, this scanning was done in bulk and none of the IPs were saved. It's technically simple enough to rerun the scan; however, to be able to identify which servers are malicious, one will need N unique email accounts, equal to the number of servers in the test set.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.