Large network of over 120,000 malicious residential proxies unmasked

Do you read the terms of use carefully when you download an application? A recent discovery made by computer science professor Marc Frappier and two students, Philippe-Antoine Plante in the master’s program in computer science and Guillaume Joly in the bachelor’s program in computer science, invites us to be vigilant when downloading free virtual private networks (VPNs) offered on the Web.

The research team discovered that some free VPNs stealthily enroll their users in a network of residential proxies. By agreeing to the terms of use, users of these VPNs unknowingly make their IP address available for rent as a proxy, without any verification of how it will be used. A proxy serves as a relay for Internet communications between a source and a destination. The source sends its communications to the proxy, and the proxy relays them to the destination. For the destination, the request seems to come from the proxy, the source being hidden behind the proxy.

It is important to know that residential proxy services (RPS) are legal. They can be used legitimately for commercial purposes such as market research. The person or company rents a residential IP address in order to use it as a relay for their Internet communications. The RPS allows them to bypass access control based on the source IP address (e.g. filtering of VPNs, cloud services, competitors, country access, etc.).

At this point, it becomes very difficult to trace the source of the malicious person, since, for the servers visited, the IP traffic appears to be coming from the leased residential IP address and not from the original user of the RPS.

By downloading one of these two VPNs, users may fall victim to the passage of illicit traffic on their own network. As a result, they expose themselves to serious legal problems. Moreover, it opens a door for malicious access to components of their local network (e.g. devices connected to the home WIFI). An infected computer that connects to a corporate network for telecommuting also exposes the resources on that network to malicious access.

VPNs like the ones studied by Prof. Frappier and his team hide behind seemingly normal operation. The most common antivirus programs cannot even detect them. To remedy an infection, various options are available, including simple uninstallation. Some computers seem to be infected without intentionally installing MaskVPN or DewVPN. An important indicator of belonging to the network is the existence of mask_svc.exe or dew_svc.exe processes, which manage proxy communications.

A concrete contribution to cybersecurity here and elsewhere in the world

The three researchers presented their discovery on June 9 to cybersecurity law enforcement agencies in Canada, the United States, the United Kingdom, Europe and Australia, as well as to representatives of various Internet service providers and the financial industry in Canada and around the world. The researchers would like to thank the CRTC’s Electronic Commerce Enforcement team for organizing this event. The webinar focused on the recruitment process of the RPS, its communication architecture, its indicators of compromise as well as countermeasures to disable it.

The University of Sherbrooke is at the forefront of cybersecurity development. It trains future cybersecurity specialists. Several study programs are offered in addition to online training and a summer school. Bringing together expertise from various disciplines, the UdeS research teams actively participate in the advancement of knowledge in cybersecurity. They contribute to making Sherbrooke a major pole in this field.

Article from the Université de Sherbrooke news:

More information on how it works:

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.