Europe and parts of the U.S. are currently suffering from a bot infection that generates very large volumes of network traffic.
The bot infection, known variously as Googost, Alureon and Kazy but perhaps best named Hello Proxy, acts as a distributed proxy server via infected devices. The malware opens an FTP connection with a command and control server in Europe and grabs HTTP GET requests that are then promptly sent via the FTP connection to the server in Europe.
Kindsight, an Alcatel-Lucent network analytics and security company, has observed a single infected computer making more than 800,000 web connections in a single 24-hour period, amounting to more than 3 GB of data transfer during that time, according to its recent white paper on the malware attack, "Meeting Pervasive Kindsight - Malware Analysis Report".
As of September, one in every 250 homes surveyed by Kindsight is infected with the malware, making this a bot attack to watch.
The detection signature for the malware is the “hello” message that opens each proxy session: the malware launches a new TCP connection, and so sends a new “hello”, each time it makes a GET request.
Kindsight has observed a single infected computer triggering this message over 400 times per minute for 36 hours, each with a minimum of 10 packets and about 500 bytes of data.
Thus, a single infection can consume about 10 MB per hour for the command and control traffic alone. Actual proxy traffic increases the data use significantly.
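A defender-side illustration of that signature, added here and not taken from the Kindsight report or the original article: it counts new connections that open with the “hello” message per source host per minute over constructed flow records, and estimates the command and control bandwidth from their byte counts. The record layout, the literal payload text, the hypothetical addresses and the alert threshold are all assumptions; the page does not give the wire format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) flow-record layout, one record per new TCP connection:
# "timestamp,src_ip,dst_ip,dst_port,packets,bytes,first_payload".
# The article says every proxy session is a fresh TCP connection that starts
# with a "hello" of at least 10 packets and about 500 bytes, so a "hello"
# first payload is the signature; 12 packets / 520 bytes below are constructed.

def make_sample_flows(src_ip, start, count, seconds, payload="hello"):
    """Build `count` constructed records from src_ip spread evenly over `seconds`."""
    step = seconds / count
    return [f"{(start + timedelta(seconds=i * step)).isoformat()},"
            f"{src_ip},203.0.113.7,21,12,520,{payload}" for i in range(count)]

def parse_flow(line):
    ts, src, dst, port, pkts, nbytes, payload = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "packets": int(pkts), "bytes": int(nbytes),
            "payload": payload}

def hello_stats(lines):
    """Per (source IP, minute): number of 'hello' sessions and the bytes they carried."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for rec in map(parse_flow, lines):
        if rec["payload"] != "hello":
            continue                      # not a proxy-session opener
        minute = rec["ts"].replace(second=0, microsecond=0)
        stats[(rec["src"], minute)]["sessions"] += 1
        stats[(rec["src"], minute)]["bytes"] += rec["bytes"]
    return stats

def flag_proxy_hosts(lines, sessions_per_minute=100):
    """Return {src_ip: stats of its busiest minute} for hosts over the threshold.

    The threshold is an assumption: the article reports 400+ hellos per minute
    from one infection, so a far lower bar still catches it with margin."""
    flagged = {}
    for (src, minute), bucket in hello_stats(lines).items():
        if bucket["sessions"] >= sessions_per_minute:
            prev = flagged.get(src)
            if prev is None or bucket["sessions"] > prev["sessions"]:
                flagged[src] = dict(bucket, minute=minute,
                    est_c2_mb_per_hour=round(bucket["bytes"] * 60 / 1e6, 2))
    return flagged

def demo():
    """Run the detector over constructed traffic: one infected host, one clean host."""
    start = datetime(2012, 9, 10, 12, 0, 0)
    lines = (make_sample_flows("10.0.0.5", start, 450, 60)
             + make_sample_flows("10.0.0.9", start, 3, 60))
    return flag_proxy_hosts(lines)
```

Running `demo()` flags only the host that opened 450 “hello” sessions in one minute; the estimate is C2 overhead only, excluding the proxied browsing traffic the article says dwarfs it.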
The Hello Proxy malware can be used for a variety of purposes, among them anonymous Web browsing, access to restricted foreign countries, Web site optimization fraud, ad-click fraud, and Internet network probe and data exfiltration.
“The traffic observed from our lab tests leaned primarily toward web site optimization or ad-click fraud,” noted the Kindsight white paper, “unless the attacker felt access to Canadian gourmet cooking sites required anonymization.”
Many of the infected devices are consuming large amounts of bandwidth acting as TCP proxies for web browsing activities originating from servers in Europe, mostly in Germany and The Netherlands, according to the white paper.
“These infected proxies are likely being used as part of a web site optimization or ad-click fraud scheme, but could also be used for anonymous browsing and access to restricted content,” it noted.
Edited by Peter Bernstein