March 2, 2012Dancho Danchev By Dancho Danchev

New service converts malware-infected hosts into anonymization proxies

What happens when a host gets infected with malware? On the majority of occasions, cybercriminals will use it as a launch platform for numerous malicious activities, such as spamming, launching DDoS attacks, harvesting for fresh emails, and account logins. But most interestingly, thanks to the support offered in multiple malware loaders, they will convert the malware-infected hosts into anonymization proxies used by cybercriminals to cover their Web activities.

In this post, I’ll profile a newly launched service, offering thousands of malware-infected hosts as Socks4 and Socks5 servers for anonymizing a cybercriminal’s Web activities.

Most recently advertised as ProxyBuy, the service, in operation since 2004 under different names/domains, offers access to thousands of malware-infected hosts, now converted to Socks4 and Socks5 servers — back connect supported — thanks to the overall availability of this feature in the majority of today’s modern malware loaders.

Welcome to the website proxy Proxybuy . Founded in 2004, Proxy Service to quickly and securely won a stable position with a reputable service. Here you can buy a proxy http or https , buy socks excellent performance, order a subscription for a week or a month. Our paid proxy lists are used for different types of Internet businesses, as well as for “home use”. All we provide lists of proxy – anonymous and private. Good support high-speed operation. Quality you can check out the section Proxy checker . Buy proxy lists, or buy the socks we just. Simply select a Desirable your tariff and apply our specialist via ICQ , E – mail , skype or phone.

The prices vary, based on the number of requested Socks4/Socks5 servers. For instance, a potential buyer can purchase 1400-1500 socks servers for the price of $30. Naturally, the malware-infected hosts don’t keep any logs, making them the perfect tool in the arsenal of a malicious attacker wanting to launch malicious attacks while covering their tracks, by forwarding the responsibility for the malicious campaigns to the owners of the infected PCs.

A popular tactic often used by cybercriminals is called “socks chaining” that is the use of numerous Socks4/Socks5 servers to maintain the same connection, acting as stepping stones, allowing the cybercriminal to route their  connection through multiple malware-infected hosts.

Such use and monetization of malware-infected hosts is making it increasingly difficult for security researchers and law enforcement to correctly attribute the source of a cyber attack.

Webroot’s security researchers will continue monitoring the service, and its future development.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button


  1. […] development of DIY image spam generating platforms, conversion of malware-infected hosts into spam spewing zombies, and most importantly, efficient ways to bypass anti-spam filters put in place by the security […]

  2. […] abusing Skype’s SMS-sending capability, this one also doesn’t support the use of anonymization proxies, which can greatly contribute to a successful detection of multiple ICQ account log-ins through an […]

  3. […] are not publicly obtainable Socks5 servers. Instead, they are compromised malware-infected hosts converted into anonymization proxies, allowing the cybercriminals who are about to “cash out” the hacked PayPal accounts to […]

  4. […] fácil. Como dato importante, muchos de estos servidores que se transforman en proxys anónimos están infectados con malware permitiendo a los ciberdelincuentes que están a punto de cobrar por las cuentas hackeadas de […]

  5. […] If a potential cybercriminal wants to spread his fully undetectable piece of malware online, all he has to do is purchase access to the malware-infected hosts offered by such services, allowing virtually anyone access to “managed malware propagation” capabilities. The service that I’m profiling in this post is also attempting to “vertically integrate” within the cybercrime ecosystem by offering related “value added” services such as access to Socks5 servers, which are in reality malware-hosts converted to be used as anonymization proxies. […]

  6. […] during their cyber attacks many services in the underground also integrate their offer proposing anonymization proxies for example accessing to Socks5 […]

  7. […] the demand for services rising, suppliers are expanding their portfolios. A more recent service is converting malware-infected computers into anonymization proxies that cyber criminals can use to cover their Web […]

  8. […] wanting to conduct cyber espionage on a mass scale, in an efficient and anonymous — think malware-infected hosts as stepping stones — way? As of early 2013, those willing to pay the modest price of 3000 rubles ($97.47), can […]

  9. […] 4/5 module – price $120 – the plugin allows the cybercriminal behind the botnet, to easily convert the malware-infected hosts into anonymization proxies, a rather common module found within a lot of competing malware bots. The author of the bot also […]

  10. […] fácil. Como dato importante, muchos de estos servidores que se transforman en proxys anónimos están infectados con malware permitiendo a los ciberdelincuentes que están a punto de cobrar por las cuentas hackeadas de […]

  11. […] it’s the use of malware-infected hosts as stepping-stones, the issuing of License Agreements for your latest rootkit release stating that it’s meant to […]

  12. […] any given number within a particular interval. It doesn’t support multiple accounts, or malware-infected hosts as anonymization proxies, making it a low level threat with a surprisingly high price, in this case, 490 rubles […]

  13. […] the ability to kill competing Bitcoin miners, complete pseudo-randomization of multiple variables, as well as support for Socks proxy servers, allowing the cybercriminals behind it to add additional layers of […]

  14. […] profile a desktop-based tool that allows cybercriminals to automatically syndicate lists of free/paid proxies – think malware-infected hosts – adding an additional layer of anonymity in the […]

  15. […] and make it cost-ineffective – since the tool profiled in this post doesn’t support proxies (which are basically malware-infected hosts), it means that there’s a high probability that […]