XSOX.NAME and proxy bots : 2007 : Frequency-X Blog
XSOX.NAME and Proxy Bots

Web proxies are an interesting beast. Within the corporate environment they allow organizations to regulate access to the Web as well as provide some degree of protection against several classes of threat. Outside, elsewhere in the Internet, Web proxies have increasingly been touted as a method of anonymizing browsing activities.

If you do a search for Web proxies, you’ll quickly discover lots and lots of long lists of free proxy hosts (Google responds with 1.7m). The vast majority of these are legitimate proxies – largely run by educational departments or (semi) commercial anonymous browsing entities. For a lot of people, this is good enough. These will provide the ability to browse the Internet with some degree of anonymity or bypass some country-specific content restrictions (e.g. watching the BBC’s high resolution news by using a UK-based proxy from the USA, or accessing your USA iTunes account from Saudi Arabia).

Attack Proxies

For the most part, these proxies are used for the purposes described above. However, they also make for a convenient attack obfuscator. For example, given that Web attacks such as account brute-forcing, cross-site scripting and SQL injection can all be instigated via a browser, Web proxies will also provide a level of anonymity to an attack. And, by automatically switching or cycling through multiple proxies, it becomes relatively easy to stay below common detection thresholds. In fact, these qualities mean that external proxies are often used during legitimate penetration testing engagements – especially if the client automatically blocks source IP addresses when protection threshold limits are triggered. You see, Web proxies are one of those nasty little security secrets that we’d all like to forget about because they are not only bothersome, but tend to also thwart conclusive incident responses. This ‘usefulness’ hasn’t exactly escaped the attention of the bad guys.
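The detection-threshold point above has a direct defensive consequence: a lockout rule keyed on the source IP is blind to a brute-force attempt that cycles through proxies, because each proxy only ever contributes a handful of failures. The counter is to aggregate failed logins by the target account and count distinct source IPs within a time window. The following is an added example written for this page, not code from the original post or from any tool it mentions; the auth log format and the sample lines are constructed for illustration.

```python
"""Spotting a password brute-force that is spread across cycling proxy IPs.

Added example (not from the original post). The log format below is a
constructed, hypothetical web-app auth log: each source IP makes only one
or two failed logins, so a per-IP lockout never fires, but grouping the
failures by *target account* across distinct source IPs exposes the attack.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2007-09-12T10:00:01 login FAIL user=alice src=203.0.113.10
2007-09-12T10:00:03 login FAIL user=alice src=203.0.113.10
2007-09-12T10:00:07 login FAIL user=alice src=198.51.100.22
2007-09-12T10:00:09 login FAIL user=alice src=198.51.100.22
2007-09-12T10:00:14 login FAIL user=alice src=192.0.2.77
2007-09-12T10:00:18 login FAIL user=alice src=192.0.2.77
2007-09-12T10:00:25 login FAIL user=alice src=203.0.113.45
2007-09-12T10:00:31 login FAIL user=alice src=198.51.100.9
2007-09-12T10:00:40 login OK   user=alice src=198.51.100.9
2007-09-12T10:01:02 login FAIL user=bob   src=192.0.2.5
2007-09-12T10:05:30 login OK   user=bob   src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, src); lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def per_ip_failures(events):
    """The naive view: failed logins counted per source IP (what a simple lockout rule sees)."""
    counts = defaultdict(int)
    for _, result, _, src in events:
        if result == "FAIL":
            counts[src] += 1
    return dict(counts)


def distributed_bruteforce(events, window=timedelta(minutes=5), min_fails=5, min_sources=3):
    """Flag accounts with >= min_fails failures from >= min_sources distinct IPs inside `window`.

    A sliding window runs over each account's failures; once any window trips the
    rule, the alert reports that account's total failures and all source IPs seen.
    """
    by_user = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_user[user].append((ts, src))

    alerts = {}
    for user, fails in by_user.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            chunk = fails[start:end + 1]
            if len(chunk) >= min_fails and len({src for _, src in chunk}) >= min_sources:
                alerts[user] = {
                    "failures": len(fails),
                    "sources": sorted({src for _, src in fails}),
                }
                break
    return alerts


def successful_logins_for_flagged(events, alerts):
    """Flagged accounts that then logged in OK: the ones to treat as possibly compromised."""
    return sorted({user for _, result, user, _ in events if result == "OK" and user in alerts})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("max failures from any single IP:", max(per_ip_failures(evts).values()))
    found = distributed_bruteforce(evts)
    print("distributed brute-force alerts:", found)
    print("flagged accounts with a later success:", successful_logins_for_flagged(evts, found))
```

With the sample data no single IP exceeds two failures, so a typical per-IP lockout stays silent, while the per-account rule fires on alice (eight failures from five sources in thirty seconds) and notes that the account was then logged into successfully. The same grouping works on any log that records both the target identity and the source address; the window and thresholds are tuning knobs, not fixed values.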
In fact, if you monitor any of the popular hacker or carder chat channels or forums, you’ll see lots of discussion over the best proxy services – along with tools to make cycling between proxy agents much easier. Perhaps more interestingly, mimicking other areas of commercialization in the malicious Internet, you’ll now find several proxy providers that specialize in providing proxy services for nefarious use. For example, AnyProxy.Net (along with many other sites that appear to be closely related to each other) provides HTTP/HTTPS/FTP and SOCKS4/5 international proxies that can be leased by the day (since the lifetime of a single proxy is a maximum of 24 hours) – with payments accepted via Webmoney and Egold.
Perhaps one of the most interesting providers to have appeared on the scene recently (the first ‘advertising’ references appear in August 2007) is XSOX.

XSOX.name

The XSOX website describes how their solution/service works, and certainly doesn’t scrimp on the details. However, unlike other proxy services I’ve looked at in the past, this one takes sophistication and boldness to a new level.
All in all, this is both an interesting tool and service, but it doesn’t bode well for those of you who may have to investigate new attacks and seek to identify the perpetrator of the crime. It looks like botnet herders are looking to expand upon their identity theft and spam relay services, and have now added a pretty advanced anonymous proxy service to their commercial offerings.