The operators of the Bunitu botnet are selling access to its proxy bots, according to a report from Malwarebytes. The research says that users of particular VPNs may unknowingly be routing their traffic through a “criminal infrastructure of infected computers worldwide.”
Malwarebytes, which carried out the research in collaboration with anti-advertising-fraud firm Sentrant, first noticed the Bunitu botnet in action in malvertising schemes. Selling access to the proxy bots is seen as a new way of monetizing the botnet.
The Bunitu botnet can be used to infect computers, turning them into a remote port for unauthorized, unencrypted traffic, says ZDNet.
Malwarebytes’ research highlights one VPN service that may be implicated, VIP72. It is described as being “heavily involved with the Bunitu botnet and its proxies.”
“VIP72 appears to be a top choice for cybercriminals, as referenced on many underground forums. A recent report from FireEye on Nigerian scammers also mentions VIP72.”
“Rather than being servers worldwide, the VPN exit nodes are personal computers that have been configured as proxies. In that sense, the architecture of the VPN is different from a typical one, but not to their customers who would be none the wiser,” one researcher told The Register.
The researchers set up their own honeypot, reverse engineered it, and then signed up with VIP72, where they found their honeypot offered to them as an available IP address.
“If VIP72 were simply scanning the Internet for open proxies, it is possible that they would have identified both our proxies (old and new IP) at different times. However, without having access to the Bunitu C2 server and bot ID there is no way that they could have associated those IPs to the same proxy as shown in the screenshot above.”
“This is proof that the operators of VIP72 also have direct access to the Bunitu botnet server and use Bunitu infected hosts as proxies for their service,” said Malwarebytes.
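The inference in the quoted passage (the same proxy entry following the honeypot across an IP change is something an Internet-wide scan for open proxies cannot produce on its own) can be made mechanical. The following is an added illustration, not code from Malwarebytes or Sentrant; the honeypot IP history, the listing snapshots and the stable per-proxy entry identifier are all constructed assumptions.

```python
# Constructed sample data, not taken from the report. Timestamps are ISO
# date strings so they compare correctly as plain strings.
# Honeypot IP history: (date the address took effect, address).
HONEYPOT_IP_HISTORY = [
    ("2015-06-01", "198.51.100.23"),   # old IP
    ("2015-06-15", "203.0.113.77"),    # new IP after the honeypot moved
]

# Snapshots of the proxy service's exit-node listing: (date, entry id, ip).
# 'entry id' is a hypothetical stable per-proxy identifier in the listing.
LINKED_SNAPSHOTS = [
    ("2015-06-05", "entry-4711", "198.51.100.23"),
    ("2015-06-05", "entry-0042", "192.0.2.9"),
    ("2015-06-20", "entry-4711", "203.0.113.77"),  # same entry, new IP
    ("2015-06-20", "entry-0042", "192.0.2.9"),
]

# What an Internet-wide scan for open proxies could produce: both honeypot
# IPs get found, but as unrelated entries at different times.
SCAN_SNAPSHOTS = [
    ("2015-06-05", "entry-1001", "198.51.100.23"),
    ("2015-06-20", "entry-2002", "203.0.113.77"),
]

def honeypot_ip_at(when, history):
    """Return the honeypot address in effect on date `when` (None if before any)."""
    current = None
    for start, ip in history:
        if start <= when:
            current = ip
    return current

def honeypot_ips_per_entry(history, snapshots):
    """Map each listing entry to the honeypot IPs it showed, counting a
    snapshot only if the listed IP was the honeypot's address at that time."""
    tracked = {}
    for when, entry_id, ip in snapshots:
        if ip == honeypot_ip_at(when, history):
            tracked.setdefault(entry_id, set()).add(ip)
    return tracked

def assess(history, snapshots):
    """'c2-linked' if one entry followed the honeypot across an address change
    (knowledge only the bot's C2 side has), 'scan-consistent' if the honeypot
    was listed but never tracked, 'not-listed' otherwise."""
    tracked = honeypot_ips_per_entry(history, snapshots)
    if any(len(ips) >= 2 for ips in tracked.values()):
        return "c2-linked"
    return "scan-consistent" if tracked else "not-listed"
```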
A somewhat similar case emerged a few months ago when the popular free VPN service Hola was found to be reselling access to its users’ computers. Malwarebytes confirmed that there is no link between that case and Bunitu.