The Proxybox malware is distributed in a variety of ways, including through drive-by download attacks launched from compromised websites that host commercial exploit toolkits like Blackhole, Bingham said.
Advertisements for the Proxybox service seen on underground forums were tied to ads for other black-market websites offering VPN (virtual private network), private antivirus-scanning and proxy-testing services; those ads list the same ICQ contact number and the same payment methods: WebMoney, Liberty Reserve and RoboKassa.
"We started to look into the payment accounts associated with these websites, and found out that they were tied to an individual with a Ukrainian name living in Russia," Bingham said. "The additional details associated with this WebMoney account are undisclosed as we work with law enforcement in countries associated with the command-and-control servers."
The risks for users whose computers are infected with Backdoor.Proxybox are significant. Because the malware runs an unauthorized proxy server on the compromised system, traffic that criminals relay through it appears to originate from the victim's IP address, so that address may be tied to a wide range of illegal activity without the owner's knowledge.