Bunitu Trojan botnet supports commercial VPN infrastructure

The Bunitu Proxy Trojan has moved from malvertising to spreading through virtual private networks to make money for its operators.
Written by Charlie Osborne, Contributing Writer

Malware which turns your machine into a remote proxy port for unauthorized traffic has evolved beyond spreading through adware and has been integrated into the VPN service VIP72.

Bunitu Proxy is a Trojan which turns infected machines into proxies for remote clients. Once installed on a machine, the malware opens ports for remote connections, registers itself in the operators' database -- sending data concerning its address and open ports to the controllers -- and accepts connections on the exposed ports.

This, in turn, can slow down network traffic or expose the infected machine's IP address as the apparent source of illegal traffic and activities -- thereby potentially framing an individual for online activity they know nothing about.

The malware, part of a wider botnet, is slow to evolve and can be picked up by antivirus solutions. While the code is not the most stealthy in existence, distribution of the malware has led researchers to discover connections between Bunitu and a well-known VPN service.

In a blog post, Jérôme Segura, senior security researcher at Malwarebytes, said analysts at the firm -- together with ad-fraud company Sentrant -- have recently been exploring the distribution of Bunitu. The malware was previously discovered in malvertising campaigns and became part of the payload for the Neutrino and Angler exploit kits. However, recent botnet requests are not related to ad fraud; instead, a virtual private network (VPN) is being used to conceal Bunitu's tracks. The team says:

"We believe that the operators of the Bunitu botnet are selling access to infected proxy bots as a way to monetize their botnet.
People using certain VPN service providers to protect their privacy are completely unaware that the backend uses a criminal infrastructure of infected computers worldwide."

During the company's research, VIP72 surfaced. VIP72 is a cheap VPN service which touts "Hidemyass, Socks Vip72, Pure VPN, VPS US software fake IP [addresses which] will help you make money on effective networking."

However, according to Malwarebytes, the VPN is also "heavily involved with the Bunitu botnet and its proxies."

In order to test the theory, the company developed its own Bunitu honeypot and reverse engineered the command and control (C&C) protocol before developing a script which mimicked the proxy registration request and logged the URLs of incoming requests. After registering the honeypot, Malwarebytes discovered that many of the requests it received came from VIP72.

The team registered an account with VIP72 to investigate why clients already connected to a proxy were visiting a second proxy, and discovered the Malwarebytes honeypot was listed as an available exit IP address.

This alone is not proof that VIP72 is knowingly using Bunitu botnet proxies, since the service could simply have scanned the web for open proxies which do not require authentication. However, a bug in VIP72's system keeps the IP address under which a 'host' proxy was originally registered, even if that proxy later moves to a new address.

In order to prove VIP72 is using Bunitu proxies as exit points, the team re-registered their Bunitu proxy, moving it from one honeypot IP address to a second, separate honeypot IP address -- and the 'host' proxy was still listed under the original IP.

Malwarebytes says:

"If VIP72 was simply scanning the Internet for open proxies it is possible that they would have identified both our proxies (old and new IP) at different times. However, without having access to the Bunitu C2 server and bot ID there is no way that they could have associated those IPs to the same proxy.

This is proof that the operators of VIP72 also have direct access to the Bunitu botnet server and use Bunitu infected hosts as proxies for their service."

The study also suggests that distributors of the botnet differ depending on the location of machines infected with Bunitu. In the United States and Canada, the VPN provider is VIP72, but in Europe the traffic's characteristics are completely different, which suggests another unknown VPN provider is involved.

"Our hypothesis is that the botnet is operated by a middleman who resells a pool of bots to various providers. Then, the bots are assigned to particular VPN networks according to their geolocation," the company notes.

Malwarebytes hopes this analysis, while only partially complete, will encourage law enforcement and other security firms to take an interest and eventually reduce the size of the botnet.
