Palo Alto Networks has identified a new family of proxy-creating malware, called ProxyBack, which the company believes has been in the wild since 2014 and may now exist in more than 20 versions.
Unlike other proxy-generating malware, ProxyBack does something unusual, and particularly troublesome for defenders, Palo Alto researcher Jeff White wrote in a blog post: it creates a reverse tunnel over TCP from the infected machine to a server controlled by the attacker. Because the connection is initiated from inside the network, where outbound traffic is rarely blocked, the attacker can relay traffic through the infected host without ever needing an inbound connection to it.
“To establish this tunnel, ProxyBack will initially make a connection to a web server hosting a PHP file that simply contains a URL to another PHP file on the same server. This subsequent PHP file will be used by the malware to send commands to the initial web server and fetch information used to set up its proxy connection,” White wrote.
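The staging sequence White describes has a recognisable network shape: two short HTTP fetches of distinct `.php` files on the same server in quick succession, followed by a long-lived non-HTTP TCP connection back to that same server. The detector below, an added illustration and not Palo Alto Networks' code, runs that heuristic over a constructed flow log. The log format (`ts src dst dport uri duration`, with `-` for flows that carry no HTTP request), the sample addresses and the window thresholds are all assumptions chosen for the example; real ProxyBack samples may use other ports or timing.

```python
"""Heuristic for the ProxyBack staging pattern: two PHP fetches, then a reverse tunnel.

Added example (not Palo Alto Networks' code). Log format and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, one flow per line: ts src dst dport uri duration.
# Host 10.0.0.5 shows the full pattern; the other two hosts are benign look-alikes.
SAMPLE_LOG = """\
1000.0 10.0.0.5 203.0.113.10 80 /stage/index.php 0.4
1000.9 10.0.0.5 203.0.113.10 80 /stage/cfg.php 0.5
1002.0 10.0.0.5 203.0.113.10 4433 - 7200.0
1010.0 10.0.0.7 198.51.100.3 80 /wp-login.php 0.3
1011.0 10.0.0.7 198.51.100.3 443 - 12.0
1020.0 10.0.0.9 203.0.113.10 80 /stage/index.php 0.4
"""


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    uri: Optional[str]  # HTTP request URI, or None for flows without an HTTP request
    duration: float     # connection lifetime in seconds


def parse_log(text: str) -> List[Flow]:
    """Parse the assumed whitespace-separated flow log into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, uri, duration = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport),
                          None if uri == "-" else uri, float(duration)))
    return flows


def detect_staged_tunnel(flows: List[Flow],
                         php_window: float = 60.0,
                         tunnel_window: float = 300.0,
                         min_tunnel_seconds: float = 600.0) -> List[Dict]:
    """Flag (src, dst) pairs where two distinct .php fetches are followed by a
    long-lived non-HTTP connection to the same server.

    php_window:         max seconds between the first and second .php fetch
    tunnel_window:      max seconds between the second fetch and the tunnel start
    min_tunnel_seconds: tunnel must live at least this long to count
    """
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    hits = []
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        php = [f for f in pair_flows if f.uri and f.uri.lower().endswith(".php")]
        tunnels = [f for f in pair_flows
                   if f.uri is None and f.duration >= min_tunnel_seconds]
        for i, first in enumerate(php):
            for second in php[i + 1:]:
                # The second stage is a *different* PHP file on the same server.
                if second.uri == first.uri or second.ts - first.ts > php_window:
                    continue
                for t in tunnels:
                    if 0 <= t.ts - second.ts <= tunnel_window:
                        hits.append({
                            "src": src, "dst": dst,
                            "stage1": first.uri, "stage2": second.uri,
                            "tunnel_port": t.dport, "tunnel_seconds": t.duration,
                        })
    return hits


if __name__ == "__main__":
    for hit in detect_staged_tunnel(parse_log(SAMPLE_LOG)):
        print(hit)
```

The heuristic deliberately keys on the same destination server for all three flows, since the page describes both PHP files and the tunnel endpoint as living on attacker-controlled infrastructure; if an operator split staging and tunnel hosts, the `(src, dst)` grouping would need to be relaxed to the source host alone, at the cost of more false positives from ordinary browsing followed by long downloads.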
Much of the traffic being routed through the infected machines was seen coming from a system that creates fake accounts and solicits people on various dating sites, White noted.