XSOX.NAME and Proxy Bots
Posted by Gunter Ollmann on October 22, 2007 at 10:55 AM EDT.

Web proxies are an interesting beast.  Within the corporate environment they allow organizations to regulate access to the Web as well as provide some degree of protection against several classes of threat.  Outside, elsewhere in the Internet, Web proxies have increasingly been touted as a method of anonymizing browsing activities.

If you do a search for Web proxies, you’ll quickly discover lots and lots of long lists of free proxy hosts (Google responds with 1.7m).  The vast majority of these are legitimate proxies – largely run by educational departments or (semi) commercial anonymous browsing entities.  For a lot of people, this is good enough.  These will provide the ability to browse the Internet with some degree of anonymity or bypass some country-specific content restrictions (e.g. watching the BBC’s high resolution news by using a UK-based proxy from the USA, or accessing your USA iTunes account from Saudi Arabia).

Attack Proxies

For the most part, these proxies are used for the purposes described above.  However, they also make for a convenient attack obfuscator.  For example, given that Web attacks such as account brute-forcing, cross-site scripting and SQL injection can all be instigated via a browser, Web proxies will also provide a level of anonymity to an attack.  And, by automatically switching or cycling through multiple proxies, it becomes relatively easy to stay below common detection thresholds.  In fact, these qualities mean that external proxies are often used during legitimate penetration testing engagements – especially if the client automatically blocks source IP addresses when protection thresholds are triggered.
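The threshold-evasion point above (cycling proxies so that no single source address trips a per-IP rule) as an added defensive illustration, not code from the original post: constructed access-log lines where a per-source-IP counter flags nothing, while aggregating the same failures by the targeted account still surfaces the distributed attempt.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original post): one client
# brute-forces "alice" while cycling four proxy exits, two failures per exit IP.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Oct/2007:10:01:01 +0000] "POST /login?user=alice HTTP/1.1" 401 0
203.0.113.11 - - [22/Oct/2007:10:01:02 +0000] "POST /login?user=alice HTTP/1.1" 401 0
203.0.113.12 - - [22/Oct/2007:10:01:03 +0000] "POST /login?user=alice HTTP/1.1" 401 0
203.0.113.13 - - [22/Oct/2007:10:01:04 +0000] "POST /login?user=alice HTTP/1.1" 401 0
198.51.100.7 - - [22/Oct/2007:10:01:05 +0000] "POST /login?user=bob HTTP/1.1" 200 512
203.0.113.10 - - [22/Oct/2007:10:01:06 +0000] "POST /login?user=alice HTTP/1.1" 401 0
203.0.113.11 - - [22/Oct/2007:10:01:07 +0000] "POST /login?user=alice HTTP/1.1" 401 0
203.0.113.12 - - [22/Oct/2007:10:01:08 +0000] "POST /login?user=alice HTTP/1.1" 401 0
203.0.113.13 - - [22/Oct/2007:10:01:09 +0000] "POST /login?user=alice HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_login_failures(log_text):
    """Yield (source_ip, account) for every failed login attempt (HTTP 401)."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        user = re.search(r"[?&]user=([^&\s]+)", m.group("path"))
        if user:
            yield m.group("ip"), user.group(1)

def per_ip_offenders(log_text, threshold):
    """Classic per-source-IP rule: IPs with more than `threshold` failures."""
    counts = defaultdict(int)
    for ip, _ in parse_login_failures(log_text):
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > threshold}

def per_account_offenders(log_text, threshold):
    """Aggregate by targeted account instead: {account: (failures, distinct_ips)}
    for accounts whose failures, summed over all source IPs, exceed `threshold`."""
    fails, sources = defaultdict(int), defaultdict(set)
    for ip, account in parse_login_failures(log_text):
        fails[account] += 1
        sources[account].add(ip)
    return {a: (n, len(sources[a])) for a, n in fails.items() if n > threshold}

if __name__ == "__main__":
    print("per-IP rule flags:", per_ip_offenders(SAMPLE_LOG, 3))
    print("per-account rule flags:", per_account_offenders(SAMPLE_LOG, 3))
```

The per-account view also reports how many distinct sources hit the account, which is the signal that separates proxy cycling from a single user fumbling a password.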

You see, Web proxies are one of those nasty little security secrets that we’d all like to forget about because they are not only bothersome, but tend to also thwart conclusive incident responses.

This ‘usefulness’ hasn’t exactly escaped the attention of the bad guys.  In fact, if you monitor any of the popular hacker or carder chat channels or forums, you’ll see lots of discussion over the best proxy services – along with tools to make cycling between proxy agents much easier.

Perhaps more interestingly, mimicking other areas of commercialization in the malicious Internet, you’ll now find several proxy providers that specialize in providing proxy services for nefarious use.  For example, AnyProxy.Net (along with many other sites that appear to be closely related to each other) provides HTTP/HTTPS/FTP and SOCKS4/5 international proxies that can be leased by the day (since the lifetime of a single proxy is a maximum of 24 hours) – with payments accepted via Webmoney and Egold.

Perhaps one of the most interesting providers to have appeared on the scene recently (the first ‘advertising’ references appear in August 2007) is XSOX.

The XSOX website describes how their solution/service works, and certainly doesn’t scrimp on the details.  However, unlike other proxy services I’ve looked at in the past, this one takes sophistication and boldness to a new level.

For example, the downloadable proxy client is one of the most advanced I’ve seen – with plenty of really useful functionality if you should ever need to cover up any illegal activities.  They also make no bones about describing how they use bot-agents for their proxy services.  Yes, that’s right, they appear to be leasing bots within their botnets to proxy attacks.

Like I said, the site goes into a lot of detail about their client and their services.  It’s all in Russian, but here are a few interesting highlights about the tool/service:

  • It allows you to easily chain bot proxies and change final proxy exit points on the fly.
  • Provides for HTTP compression to speed up data transfer rates.
  • Has an advanced GUI for searching/filtering bots by country, speed, up-time, etc.
  • Has a new super-node server with 1Gb bandwidth, and guarantees protection from SYN and UDP flood – as well as 100 percent up-time.
  • The proxy client includes functionality such as DELBOT – which launches a self-destruct to the bots used to proxy your traffic.  This causes the registry records, device drivers, files etc. to be destroyed on the bot host.
  • The monthly subscription price (‘without limitation’) is $50, and the weekly subscription price is $15.

All-in-all, this is both an interesting tool and service, but doesn’t bode well for those of you that may have to investigate new attacks and seek to identify the perpetrator of the crime.

It looks like botnet herders are looking to expand upon their identity theft and spam relay services, and have now added a pretty advanced anonymous proxy service to their commercial offerings.

Copyright 2001-2007 © Gunter Ollmann