[HN Gopher] Swing VPN app is a DDoS botnet
___________________________________________________________________
Swing VPN app is a DDoS botnet
Author : campuscodi
Score : 372 points
Date : 2023-06-18 18:09 UTC (4 hours ago)
(HTM) web link (lecromee.github.io)
(TXT) w3m dump (lecromee.github.io)
| womitt wrote:
| Maybe not DDoS, just pushing up view counts for money
| pie2pie wrote:
| [dead]
| radicaldreamer wrote:
| VPNs in general tend to be super shady.
|
| Many vendors surreptitiously use user nodes as exit nodes and
| route traffic in suspect ways.
|
| The VPN software stack is surely a major target for state and
| non-state actors to monitor and exploit.
| internetter wrote:
| Hola VPN, for instance, is famous for using the extensions as
| "exit nodes"
| salad-tycoon wrote:
| So does this mean then that if someone appears to be using my
| IP to do illegal thing x y z police/lawyers would come at me
| first?
|
| If so, would simply having an account and exe file be enough to
| argue "my wifi is open, I didn't download all that XYZ!"
| eddythompson80 wrote:
| By the time the police come at you because of your home IP,
| they usually have collected a lot more evidence than that.
| That's why torrenting from your home without a VPN usually
| just results in a letter from your ISP saying "we know what
| you're doing. cut it out".
|
| Nobody has ever been convicted with their home IP as the
| only evidence.
| greyface- wrote:
| https://www.npr.org/sections/alltechconsidered/2016/04/04/4
| 7...
|
| Convicted? No. Raided? Yes.
| eddythompson80 wrote:
| Of course, you get raided most likely once they have
| sufficient evidence that they'll be able to collect
| incriminating evidence. Your IP might be enough to get a
| warrant, but they'll need a lot more to build a case in
| court. Hence the raid, confiscation of servers, etc.
| [deleted]
| jjbinx007 wrote:
| I think one major problem is VPNs are advertised or promoted as
| if they're synonymous with antivirus software.
|
| I partially blame the myriad YouTubers who happily push these
| to their fans to supposedly protect their privacy and protect
| their computers from harm.
| gurchik wrote:
| Until recently, eyeglass manufacturers were marketing blue
| light filtered lenses (which don't even filter much blue
| light anyway) as a way to prevent macular degeneration, until
| regulators shut it down. VPN providers shouldn't be allowed
| to claim that VPNs protect you from malware or that they do a
| better job at protecting data in transit than vanilla SSL.
| girvo wrote:
| They still push them at the sales end of optometrists here
| in Australia. My optometrist partner always gives them
| death stares whenever they try to push that blue light
| filtering scam when I'm getting new lenses (like I did a
| week ago)
| kaplun wrote:
| Hey, I have such glasses, and here in France at least they
| are still marketed. Do you have any reference pointing out
| the fact that they do not work? (Are they even worse than
| regular glasses?)
| gurchik wrote:
| > they are still marketed
|
| They're still marketed as a way to prevent macular
| degeneration?
| KnobbleMcKnees wrote:
| Any source on the blue light filtering not working? I
| didn't get the filter on my latest glasses and feel like my
| eyes fatigue more quickly, but I'm aware that could just be
| aging or a change in monitors, lighting, etc. which have
| occurred since my last subscription update.
| gurchik wrote:
| The lenses I'm talking about are the ones that are
| completely or nearly completely clear. Here's a photo of
| the "Everyday" blue light lenses on Zenni Optical as an
| example. They are marketed as blocking 16x more blue
| light than normal lenses. https://static.zennioptical.com
| /marketing/campaign/blokz/202...
|
| How could it be blocking any significant amount of light
| in the visible spectrum and still be clear? I'm sure the
| "16x" claim is true, but normal lenses block a small
| amount of light. 16 times nearly zero is still nearly
| zero. It's just a marketing gimmick.
|
| Zenni Optical also sells lenses which are orange. I'm
| sure that actually does block a significant amount of
| blue light, but I also know from my experience visiting
| optician offices that many consumers are buying the first
| kind.
|
| I'm aware of studies which link blue light to eye fatigue
| and disruption of the circadian rhythm but I'm skeptical
| that blocking 5% of blue light or whatever could have a
| perceptible medical effect.
|
| With that being said, I don't feel strongly about claims
| like the 16x thing if its actually true (just a bit
| misleading). My comment above was mostly about the claims
| that they prevent macular degeneration which there is no
| evidence for. And regulators are right to jump in before
| it gets too bad, otherwise why stop at macular
| degeneration? Just say your lenses prevent hair loss and
| skin cancer while you're at it.
| adra wrote:
| As Linus (LTT) mentioned a while back, VPNs are an insanely
| profitable cash cow with super low bars of entry into the new
| business, but it sits at a super legally precarious position
| that could jeopardize major legal and ethical challenges.
|
| I agree though that a lot of YouTubers have grown fat and
| comfortable with VPN providers led largely because of the
| financial incentives over their desire to protect fans.
| seanp2k2 wrote:
| Is there a name for the phenomenon when something is over-
| advertised to the point where potential consumers become
| less interested with more advertising? I've reached that
| point with NordVPN, SquareSpace, and a few others, but
| especially any pharmaceuticals that get TV ads (not that
| they're ever relevant to any health concerns for anyone in
| our house).
| adra wrote:
| Anecdote to the pharma comment, I recently looked up what
| happened with the CW because it felt like the network was
| falling into a pit recently. It turns out the network got
| "trimmed down for acquisition" which got swooped up by a
| cable provider. Apparently the average viewer of CW on
| terrestrial cable is 58!? (Taken from Wikipedia for what
| it's worth). If 58 is the average viewer for CW, just how
| old people are trending for less youth oriented networks.
| It makes a lot more sense to see a bunch of drug
| commercials (with their very high ad rates) shoved down
| your throat.
| fullspectrumdev wrote:
| Pharma ads are not permitted here, so I sometimes look em
| up on the YouTube's for amusement.
| supriyo-biswas wrote:
| Law of diminishing marginal utility?
| jangxx wrote:
| Does this also work if you're using the generic OpenVPN client
| to connect to the VPN? I've used a bunch of different VPN
| providers over the years, but they usually just offer an
| OpenVPN configuration that you can use with the normal client.
| I'm not aware of this also allowing them to send traffic the
| other way, but maybe it does?
| thrdbndndn wrote:
| I'm not sure if it's appropriate to give unsolicited suggestions
| on the writing, but I believe the author could improve the
| conciseness. It reads a bit verbose in places where certain
| information is repeated multiple times, such as the mention that
| configurations were retrieved from GitHub and Google Drive sites.
| LordShredda wrote:
| Writing technical articles is hard. They're usually research
| note dumps or technical jargon mixed in with some English
| words.
| pie2pie wrote:
| [dead]
| throwaway8_56 wrote:
| > we probably can assume that this app is trying to attack some
| government sites of Turkmenistan. It is hard for me to imagine
| why would anybody do that
|
| I find this very odd that they would target those websites. What
| would be the gain of taking down those websites _for anyone_. I
| doubt that the reason is political.
|
| P.S. Turkmenistan is probably the worst country when it comes to
| free internet. Almost all IP addresses are blocked, with very few
| websites (mostly google-owned) being reachable. The entire
| population is desperate for VPN (preferably free). They are not
| educated about malware, or anything about security, so they will
| download anything that promises free internet.
| dclowd9901 wrote:
| Couldn't it just be old fashioned blackmail? Attack the site
| and request money to turn off the botnet? It might be a bad
| assumption on my part but it occurs to me that maybe Turkey
| doesn't have a lot of pull to investigate cyberattacks across
| country lines so businesses in that country might be good
| targets to not get blowback?
| throwaway8_56 wrote:
| Turkmenistan certainly has no capacity for investigating a
| cyber attack for sure. But they have no problem with
| those websites being down. Internet usage in the country is
| very low, and those websites are down most of the time
| anyway.
| RobotToaster wrote:
| Turkmenistan is part of China's BRI, so it could be any state
| that wants to see that fail?
| sim7c00 wrote:
| nice findings, firstly, thanks for looking into it and sharing. i
| wonder how they have 3 million installbase. do you think there
| are some (unwitting) influencers, streamers etc. paid to promote
| this? 3 million is plenty, especially since there are a lot of
| heavily promoted vpns out there bidding for installs
| ghoshbishakh wrote:
| Installing a client always opens up these risks. That is why I am
| building a clientless tunneling service ( well technically you
| bring your own client ) - https://pinggy.io which is similar to
| ngrok but you can connect using your own ssh client such as
| openssh.
| lxgr wrote:
| This article is about a VPN service.
|
| How does a clientless ngrok alternative help here (which
| tunnels _server_ traffic), and why is it even necessary given
| that many OSes support at least one VPN protocol natively?
| lionkor wrote:
| Been a happy Mullvad.net customer for a while now, partially
| because it allows just grabbing a wireguard or openvpn config,
| no client needed
| pfooti wrote:
| So is hola vpn:
| https://www.theregister.com/2015/06/10/hola_gets_holes_poked...
|
| At this point one must assume that any "free" vpn software is
| free because it uses its install base for DDoS / other traffic
| abuse.
| cookiengineer wrote:
| Once you dig into how the Kape Technologies holding is linked
| to the same people of the NSO Group scandals, well, good luck
| finding a VPN that didn't sell out their customers.
| moffkalast wrote:
| Yeah, Nord is for example infamous for pimping out their users
| as scraping proxies: https://oxylabs.io/pricing/residential-
| proxy-pool
| codedokode wrote:
| And why is there need for scraping proxies? Because greedy
| capitalists do not allow to scrape their sites.
| dewey wrote:
| It's not uncommon that companies ask other companies to
| scrape their site as they don't have the tech resources to
| build an API / integration for whatever they want to have.
| kortilla wrote:
| It has nothing to do with greedy capitalists. I don't want
| anyone scraping my site at all. I don't charge anything for
| it.
| codedokode wrote:
| Let's take as an example a website which compares prices
| in different stores and shows which has the cheapest
| price. You can do it manually, but using automation it is
| faster and more convenient. It doesn't make sense to read
| websites manually when you can use a script or a language
| model.
|
| Obviously for consumers it is better to be able to scrape
| sites. It is only those store owners (greedy capitalists)
| who do not want consumers to know that their prices are
| inflated.
|
| Another thing is looking for some information, it is
| better just to have a language model go around the web
| and summarize the data for you rather than read someone's
| site with white letters on black background and weird
| font.
| sim7c00 wrote:
| if u run a small site and ppl scrape it aggressively that
| can rack up ur bills, depending on where u host ur site.
| of course not an issue for billion dollar companies, but a
| line needs to be drawn somewhere. also, whats the purpose
| of the scraping? usually its greedy capitalist purposes,
| so then ur point is a bit moot, dont u think?
| codedokode wrote:
| Let's say someone makes a site that compares prices in
| different stores. It needs a lot of scraping, but is
| useful for consumers. Obviously, the only ones who are
| against it will be the store owners.
| noAnswer wrote:
| Unless you go full blown DoS you will not be able to
| scrape 100,000 articles multiple times a day. Geizhals
| for example compares prices every 10 minutes. It does
| this by working with the stores (they provide a price
| list) not against them.
|
| If a store owner doesn't want the reach, it's their loss.
| IMHO no need for a DoS attack.
| opportune wrote:
| Sites have a right to try to block scrapers. Scraping can
| incur significant costs and users may not want it - as a
| LinkedIn user, I want my profile to be indexed and able to
| be viewed without logging in from the Web, but I also don't
| want my entire profile scraped and resold/rehosted for
| marketing. It's also often the case that the website put in
| significant work acquiring/curating/cleaning their data,
| and they are being scraped by other commercial entities
| trying to just resell it (blocking that isn't being greedy,
| the data is basically being stolen for other commercial
| entities). So it's not just being greedy.
|
| Individuals also, IMO, have a right to sell access to their
| network for scraping-via-proxy. But they should be prepared
| to deal with the consequences, like a potential IP ban.
| Most people using VPNs that resell their residential
| network for scraping probably don't know that's happening,
| and many scrapers are indeed doing something bad, which is
| why there is a disdain for the practice.
| withinboredom wrote:
| I guess secret shoppers are illegal too.
| pests wrote:
| Secret shoppers are paid by the company in question. How
| is that in any way relevant?
| dhdhhdd wrote:
| Nord offers OpenVPN configs. Those configs don't seem to
| allow nat/routing from Nord VPN network?
|
| I never looked into that, but always used Nord VPN via the
| official OpenVPN client.
| noizejoy wrote:
| > While the lawsuit names Lithuania-based Teso LT, UAB as a
| defendant rather than "Tesonet", this is as a result of a
| corporate restructuring several years ago. Aside from its
| link to Oxylabs, Tesonet also advertises itself as a creator
| and investor of a number of online services, including
| NordVPN, Hostinger and others.[0]
|
| [0] https://www.techradar.com/news/judge-orders-mediation-
| after-...
| jvanderbot wrote:
| I don't know why, but I did not expect a completely public,
| normal looking pricing page for something this nefarious-
| seeming.
| sim7c00 wrote:
| luminati.io, similar for hola. guess they rebranded now as
| that one redirects :p but it's still the same. this should be
| illegal really...
| KomoD wrote:
| Nord as in NordVPN? Source in that case please?
| moffkalast wrote:
| https://www.techradar.com/news/judge-orders-mediation-
| after-...
|
| http://web.archive.org/web/20191128170008/https://medium.co
| m...
|
| It's pretty well known.
| KomoD wrote:
| Skimmed it and I don't see anything about _Nord_ making
| _their_ users into proxies, second link is questionable
| (since it's deleted and you linked to an archive)
| internetter wrote:
| > Aside from its link to Oxylabs, Tesonet also advertises
| itself as a creator and investor of a number of online
| services, including NordVPN, Hostinger and others.
|
| Where else would they get the 100 million users?
| KomoD wrote:
| Yeah I saw that part but it does not mean they are using
| the users from NordVPN for Oxylabs, there's nothing
| explicitly showing so.
| girvo wrote:
| I'll be honest, the fact that they're directly linked to
| Oxylabs alone is enough to deter me. I can't see how else
| they'd get 100 million+ residential customers on Oxylabs
| side... sure, I'm not going to go around claiming I have
| direct proof, but that's more than enough for me to not
| use their services.
| wswope wrote:
| Why don't you try installing Nord in a VM and monitoring
| traffic yourself, instead of taking low-quality blogspam
| Medium articles at face value?
|
| If they're truly hijacking end user clients, why don't
| you point to the section of their open source client
| that's responsible for that?
|
| https://github.com/NordSecurity/nordvpn-linux
|
| Easy enough to prove.
| KomoD wrote:
| Exactly, I'd love to see some proper proof other than
| "the parent company owns a residential proxy service"
| internetter wrote:
| Honestly, "the parent company owns a residential proxy
| service" is more than enough to deter me from the
| product.
| internetter wrote:
| I didn't even read the medium article, only the first
| one. That's what I quoted from. I agree, investigating
| traffic would be an excellent idea, but I don't intend on
| putting my credit card into nord's sketchy site (they
| apparently don't accept paypal)
| KomoD wrote:
| They do accept paypal, I just checked their site.
|
| Credit or debit card, Klarna, PayPal, Google Pay,
| Cryptocurrencies
| internetter wrote:
| Where? I'm presented with "Credit or debit" (direct
| input), AmazonPay, ACH Transfer, and Crypto
| https://imgur.com/G4j1DB8
| KomoD wrote:
| Maybe possible it differs by country then:
|
| https://i.imgur.com/fTtdOfR.png
| internetter wrote:
| I always thought nord seemed incredibly sketchy. Thanks
| for the confirmation.
| wswope wrote:
| It's not "well-known", because your links don't say what
| you're claiming they do, and this is a conspiracy theory
| that's been shut down on here a thousand times before.
|
| https://news.ycombinator.com/item?id=22532682
|
| NordVPN used residential proxies at one point to enable
| access to Disney+ and other streaming services; that's a
| world apart from hijacking end-user connections.
|
| They've got an open source client. Where's the code
| that's turning end users into endpoints?
|
| https://github.com/NordSecurity/nordvpn-linux
| internetter wrote:
| > NordVPN used residential proxies at one point to enable
| access to Disney+ and other streaming services
|
| I'm sorry but that's incredibly sketchy
| jug wrote:
| It really is of course, but I can honestly see them
| resort to this only to be able to offer a competitive
| edge because when it all comes around, this stuff is what
| many use VPN for rather than privacy. As streaming sites
| keep clamping down on VPN providers, the low hanging
| fruits of dodging via mere national IP addresses are
| blacklisted by them and these providers need to go even
| further to fool them and compete.
|
| But yes, it's also sketchy with the other implications
| and all, and not the least what kind of traffic that
| people want to hide that you're unknowingly a proxy to!
| Phemist wrote:
| https://github.com/NordSecurity/nordvpn-
| linux/tree/main/mesh...
|
| The standard linux vpn client clearly has some exit node
| capabilities.
| KomoD wrote:
| That's for Meshnet: https://nordvpn.com/meshnet/
| internetter wrote:
| Oh interesting. Is that tailscale but worse?
| sim7c00 wrote:
| i think users in a vpn dont expect other users traffic
| being redirected over their systems, even if its just to
| enable access to some streaming services... or are
| residential proxies systems in residential ranges that
| are used as proxies, but actually part of nord vpn infra,
| rather than its users?? (sorry i dont wanna read all the
| code, and am a bit confused)
| wswope wrote:
| It's the latter case; Nord used a third-party residential
| proxy service that they sent traffic through, but there's
| no serious evidence that they used their own users as
| proxy nodes or endpoints.
| klelatti wrote:
| Gosh.
|
| "We are a market-leading web intelligence collection
| platform, driven by the highest business ethics"
|
| I think that's a bit debatable!
| greyface- wrote:
| I own some IPv4 space and get constant spam from these
| companies with pitches like "monetize your IP addresses".
| It's funny how upset they get when you respond and use the
| word "botnet" to describe their operation, or suggest that
| the traffic they generate is illegitimate.
| klelatti wrote:
| I think it's known as 'touching a nerve'!
| sokoloff wrote:
| It's difficult to get a person to understand something
| when their income depends on them not understanding it.
| --Upton Sinclair
| sim7c00 wrote:
| business ethics. these words seem contradictory haha. not
| to say theres no ethical businesses, but it just sounds
| funny to me :D
| earleybird wrote:
| There are no ethical businesses. A lawn mower can give
| you a nicely manicured lawn or a trip to the ER. The lawn
| mower doesn't care.
| friendly_wizard wrote:
| Reminds me of Bryan Cantrill's Fork Yeah talk about the
| acquisition of Sun by Oracle
| sim7c00 wrote:
| this seems a bit besides my point, but perhaps i am not
| as deeply into this topic as you. how about the baker at
| the end of the street. making bread for people, selling
| it at a profit margin which just allows him/her to
| continue their work as a non super rich person. (replace
| baker with barber or whatever). i dont see this as
| unethical. am i wrong?
| 13th_yc_acct wrote:
| Former baker here. There are still plenty of ethical
| dilemmas in baking: fossil fuel consumption in
| transportation of ingredients, factory farming of
| ingredients, if you are employing anybody you are paying
| them an unfair wage in order to turn a profit. There are
| inescapable ethical dilemmas of participating in
| capitalism. Success always comes at the expense of
| someone else. If you are a small business then you are
| less accountable to laws designed to protect workers than
| a multinational corporation.
| thrashh wrote:
| But if you take that point of view, there are ethical
| dilemmas in pretty much everything.
|
| Which then makes this viewpoint not that useful at all.
|
| And this issue has long been summed up as "nothing is
| free in life."
| II2II wrote:
| The lawn mower is not a business. It is a piece of
| machinery. The business that designed the lawn mower can
| ensure the design is safe, at least within reason,
| through the proper engineering of the product and by
| instructing its users on the proper use and maintenance
| of the machine. There is nothing inherently unethical
| about manufacturing lawnmowers unless you consider the
| practice of mowing lawns unethical (which there are
| legitimate arguments for, but I don't think that was your
| point).
| moffkalast wrote:
| It would take quite a while to drive to the ER on a lawn
| mower. You're supposed to call the ambulance /s
| sim7c00 wrote:
| hola redirects things like web scrapers over their infra. once
| worked for a lead generation startup (i am so sorry..) where
| one of their services reached out to ask if i wanted to send
| traffic over their network. sad this is some legal loophole.
| (sad for them and probably us, we didnt do scraping :)))
| sim7c00 wrote:
| for ppl wanting a vpn which does not do this. at the monthly rate
| things like nord charge, u can rent a server, install openvpn and
| be free of this stuff. of course, the server is yours and traceable
| to you, but still it has all the other benefits which i think
| normal vpn users crave. (visit plaintext sites over insecure wifi
| but no eves on the line etc.). its fairly easy to set up and
| definitely you wont be part of a traffic redirection network, for
| whatever purposes the redirection is. maybe u can connect ur
| friends too and be a good samaritan :)
| ipython wrote:
| Problem is that many services denylist "data center" ip ranges,
| making these vpns nigh unusable for things like watching
| Netflix or in some cases even logging into eBay and such.
|
| I've run a private vpn for extended family off of my
| residential connection for this reason. It helps them and me.
| mindslight wrote:
| I do most of my every day browsing and online shopping from
| data center IPs and have never had a problem with eBay or
| really that many sites at all. Some for sure (looking at you,
| "Open" AI), but for the most part it's fine.
| scarface_74 wrote:
| Like another poster said, when was the last time you visited a
| http insecure website?
|
| On another note, one of the first firewall rules that many of
| my clients ask for is to block cloud servers IP ranges.
| lxgr wrote:
| > visit plaintext sites over insecure wifi but no eves on the
| line etc.
|
| Not a rhetorical question: When is the last time you've visited
| a non-HTTPS website?
|
| > you wont be part of a traffic redirection network
|
| These are also only a concern for HTTP.
|
| Other common use cases for VPNs include geo-unblocking, and
| hosting IP ranges are commonly blocked by streaming sites.
|
| I can't think of a good reason to use a VPS for a VPN anymore
| these days, to be honest - the privacy/security landscape has
| changed dramatically over the last few years.
|
| You probably get better privacy these days on public
| (free/unauthenticated) Wi-Fi than you would on many "free" or
| paid VPN services.
| fragmede wrote:
| I don't get why people buy cars anymore when there's Lyft and
| Uber. The transportation landscape has changed dramatically
| over the last few years.
| girvo wrote:
| I know you're being facetious, but, that's not the
| sarcastic counter argument you think it is. I unironically
| don't own a car anymore because I have an electric scooter
| and Uber/Didi to fill in where the scooter is (rarely) not
| enough. The landscape really _has_ changed.
| lxgr wrote:
| Seems like you misread my comment as "there is no need for
| VPNs anymore these days". I'm merely saying that I don't
| see the use case for the "self-hosted VPN server" model
| anymore.
|
| Need to bypass geoblocking, e.g. when traveling? You'll
| likely need a residential IP -> use your own network at
| home (e.g. Tailscale or a self-setup solution) or one of
| the shady "residential IP broker" utilizing commercial VPNs
| out there.
|
| Want privacy (from visited sites' trackers)? Your VPS is
| definitely not that: The IP is static, and if you send your
| entire traffic through it, this is much more
| fingerprintable than even residential web usage. -> Use a
| commercial VPN that you can trust (I don't know many) or
| something like iCloud Private Relay or Tor.
|
| Want privacy from your _ISP_ tracking you (including public
| Wi-Fis), and _only_ that? Then, yes, a VPS-based VPN might
| be for you (or any of the commercial VPNs out there).
|
| But my claim is that the last one (and only that) is
| probably not the biggest concern of most people.
| account-5 wrote:
| I love this sort of thing. I'd love to get into this sort of
| research. No idea where to start to either acquire the skills or,
| once acquired, target the right systems/apps. I can still dream
| though.
|
| Any pointers on where you'd start would be appreciated though.
| jeroenhd wrote:
| In this case, the whole process was just "let's see what my
| device is doing" and then digging until the unexplained is
| explained. Your devices are doing lots of weird things, talking
| to tracking servers, fetching data from unexpected places, you
| just need to take a look and start wondering!
|
| Running Wireshark or an equivalent smartphone app is easy.
| Understanding it is probably a lot less so, but network protocols
| can be googled. One trick to not get overwhelmed too much is to
| not use the device you're analyzing too much so you only
| collect background traffic. Another is to filter out traffic
| you can't do much with. A lot of traffic is encrypted by TLS
| these days, but a lot of data is still visible, like in this
| case a random domain that you shouldn't be seeing. However,
| except for that very first TLS packet, you won't be able to see
| anything interesting in the rest of the stream, which can be
| gigabytes in size!
|
| The real challenge for network analysis is that 99% of the
| time, your network is not doing anything strange (or at least
| interesting). If you want to find something, you can try
| seeking out sketchy apps (free VPNs are a nice target, they're
| almost always shady) but there's no guarantee that you'll find
| anything. Or you can dive deeper if you think there's more to
| be found.
|
| In the case of Android apps, those are often easily decompiled
| into either VM byte code (smali) or even obfuscated Java code.
| apktool, jd-gui, or ghidra can usually get some kind of
| readable-ish code out of an app. There's also an excellent
| online APK decompiler if you trust that. Grabbing the APK is
| quite easy, you can find apps that do this or otherwise you can
| use Android's debugging tools to pull the app off your phone.
|
| Depending on how obfuscated your target is, complete reversing
| may be difficult. You can often take shortcuts, though, like
| looking for interesting strings or setting files.
|
| Another nice trick to employ when reversing applications is to
| run Frida. Frida is a toolkit for injecting arbitrary code into
| another process. You can either inject Frida into an APK you've
| downloaded, or if you've got a rooted device run it against any
| unmodified app. It works on other platforms as well! With Frida
| you can write JavaScript in the Chrome dev tools to control the
| app, list objects and functions, call random APIs, whatever you
| need, all without decompiling.
|
| Another trick I like to employ is using mitmproxy to man-in-
| the-middle apps so you see every HTTPS call they make, the
| responses, and you can even mess with the traffic (change
| responses, alter requests, you name it). The tricky part is to
| get the app to accept your TLS interception, but there are
| Frida scripts that will disable validation of TLS certificates
| in all manner of apps, giving you the ability to inspect them.
|
| That last part can also be very useful if you're reverse
| engineering an API. I've written a blog post about a Norton VPN
| where I did exactly that, not because Norton was being shady,
| but because I wanted to use the OpenVPN config file on my
| laptop and they didn't provide me with the necessary files
| (even though they totally could have).
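Added example for this thread (not code from the linked article, and not part of jeroenhd's comment): the "very first TLS packet" mentioned above is the ClientHello, and the domain it leaks is the server_name (SNI) extension. The script below parses that field out of a raw TLS record and compares the hostnames seen in a batch of records against an allowlist of domains the app is expected to talk to, which is the "random domain you shouldn't be seeing" check done programmatically instead of by eye in Wireshark. The ClientHello bytes, the hostnames and the allowlist are all constructed inline so it runs offline; in practice the records would be the first packet of each port-443 stream exported from a capture. SNI is cleartext in TLS 1.2 and in TLS 1.3 without Encrypted Client Hello, which is the assumption this check relies on.

```python
"""Pull the SNI hostname out of a TLS ClientHello and flag unexpected domains.

Added example for this thread (not code from the linked article or from
jeroenhd's comment). The ClientHello bytes below are constructed inline so the
script runs offline; in real use they would come from a capture. Hostnames and
the allowlist are made-up sample values.
"""
import struct
from typing import List, Optional


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS handshake record, or None.

    Layout walked (RFC 5246 / RFC 6066): 5-byte record header, 4-byte
    handshake header, ClientHello fields, then the extensions list, where
    server_name is extension type 0. Truncated data raises ValueError
    rather than returning a partial or wrong hostname.
    """
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        return None
    rec_len = _u16(record, 3)
    if len(record) < 5 + rec_len:
        raise ValueError("truncated TLS record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:                                # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                     # client_version + random
    off += 1 + body[off]                             # session_id
    off += 2 + _u16(body, off)                       # cipher_suites
    off += 1 + body[off]                             # compression_methods
    if off >= len(body):
        return None                                  # legacy hello, no extensions
    end = off + 2 + _u16(body, off)
    off += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, off)
        off += 4
        data = body[off:off + ext_len]
        off += ext_len
        if ext_type != 0x0000:                       # not server_name, skip it
            continue
        # ServerNameList: u16 list length, then (u8 name_type, u16 len, name)
        list_end = 2 + _u16(data, 0)
        p = 2
        while p + 3 <= list_end:
            name_type, name_len = data[p], _u16(data, p + 1)
            p += 3
            if name_type == 0:                       # host_name
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def build_client_hello(hostname: str, extra_ext: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying `hostname` as SNI.

    Constructed sample data for exercising the parser; the random field is
    all zeros. `extra_ext` is placed before server_name so the parser has to
    skip past another extension to find it.
    """
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    exts = extra_ext + sni
    body = (b"\x03\x03" + bytes(32)                  # version TLS 1.2, random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x13\x01"   # two cipher suites
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def unexpected_domains(records: List[bytes], allowed_suffixes: List[str]) -> List[str]:
    """SNI names in `records` not under any allowed suffix, in capture order."""
    found = []
    for rec in records:
        try:
            host = extract_sni(rec)
        except ValueError:
            continue                                 # skip damaged records
        if host and not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
            found.append(host)
    return found


# supported_groups (type 0x000a) listing x25519 and secp256r1: a realistic
# extension that precedes server_name in the constructed samples.
SUPPORTED_GROUPS = struct.pack("!HH", 0x000a, 6) + struct.pack("!HHH", 4, 0x001d, 0x0017)

# Constructed "capture" (made-up hostnames): what background traffic from a
# VPN app might contain, plus one application-data record with no SNI.
ALLOWED = ["example-vpn.test", "googleapis.com"]
SAMPLE_RECORDS = [
    build_client_hello("api.example-vpn.test", SUPPORTED_GROUPS),
    build_client_hello("play.googleapis.com", SUPPORTED_GROUPS),
    b"\x17\x03\x03\x00\x05hello",
    build_client_hello("booking.unrelated-site.test", SUPPORTED_GROUPS),
]

if __name__ == "__main__":
    for host in unexpected_domains(SAMPLE_RECORDS, ALLOWED):
        print("unexpected SNI:", host)
```

Feeding it real data means exporting the ClientHello payloads from a capture (one per TCP stream) and replacing the constructed `SAMPLE_RECORDS`; the allowlist is whatever the app's privacy policy or its own backend domains justify, and anything left over is the lead to chase with apktool or mitmproxy as described above.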
| cloudripper wrote:
| Would love to read your blog post if you're willing to share.
| jeroenhd wrote:
| Here you go: https://blog.jeroenhd.nl/article/getting-
| norton-secure-vpn-t...
|
| Not the best writing, it was mostly a recap of the things I
| did for myself if I ever needed to fetch that file again,
| but I think the core concepts may still be useful.
| gremlinsinc wrote:
| I'd literally start any training by asking ChatGPT, probably
| using phind to ensure it's got more up to date info. I wouldn't
| trust everything it says, but it can help you maybe find your
| weaknesses on a topic and formulate a self education plan.
| raybb wrote:
| I'd recommend watching LiveOverflow on YouTube. He has great
| videos about reverse engineering programs and is very beginner
| friendly.
| dandongus wrote:
| Hilarious conclusion from the author. It's almost certainly not
| the case that the owners of this service are using it to 'DDoS'
| targets, rather it's much more likely they are using your device
| to host a proxy server and then selling access to some
| 'residential proxy reseller'.
|
| On the other side of that, some random Joe has probably purchased
| access to a set of these 'residential proxies' and is using them
| to scrape flight data from the airline site the article author
| noticed, with some of those requests being sent over the author's
| connection.
|
| Many 'free vpn' and 'free proxy' apps engage in this behavior,
| you may proxy your requests via their connection, but they also
| proxy their requests via yours, generally reselling that access
| to someone who finds your IP address to be of value to them due
| to the fact that it's not a datacenter address.
|
| It's certainly questionable to straight up unethical either way,
| especially so if the service doesn't disclose to you that they're
| doing that, but on the other hand I find the author's DDoS
| conclusion to be so contrived and out of touch with reality that
| I had to write this comment.
| badcarbine wrote:
| Written by AI
| homero wrote:
| All free VPNs are malware
| ctippett wrote:
| Excellent sleuthing! I sometimes use Proxyman to sniff the
| traffic that my phone or computer is using - it's fascinating
| seeing what and how different apps communicate with their backend
| servers. I haven't come across anything quite so nefarious, but
| it's interesting all the same.
| esafak wrote:
| Don't leave us hanging! Whodunit?
| eddythompson80 wrote:
| What do you mean? Swing VPN is a "free VPN" service that's
| actually operating a botnet. Swing VPN dunit.
| esafak wrote:
| I doubt somebody started or paid a VPN to strike Turkmenistan
| Airlines for shits and giggles. I suspect there is more to
| the story.
| sim7c00 wrote:
| It's not clear it's DDoS, though it might be; as one
| commenter suggested, it might be ad revenue or so. Maybe
| they hit themselves? :D I bet we will never know.
| eddythompson80 wrote:
| Nobody starts a botnet to hit one target. Botnets are
| usually for hire. You find a vulnerability, establish as
| many C&C devices as you can, then advertise online that you
| have a botnet capable of XYZ, and you get contracts to hit
| particular endpoints.
|
| In this example, Swing VPN is offering a "free VPN"
| service, but they actually pay for it with botnet
| contracts.
| esafak wrote:
| Right. I am interested in who would pay to strike
| Turkmenistan Airlines. It's a target with no apparent
| value.
| eddythompson80 wrote:
| Eh, we don't really know what all the "Turkmenistan Airlines"
| website actually does. It's a government agency after
| all, and it could be used to hide all sorts of online
| activity for some other government agencies. It could
| also just be a test contract, or an internal botnet test,
| and OP just happened to catch that one.
| jeroenhd wrote:
| Getting a target DDoS'd is cheap, especially if that
| target resides in a country with not that great digital
| infrastructure.
|
| For twenty dollars you can take down an airline that lost
| your luggage and didn't bother trying to find it back.
| It's childish behavior, but someone is petty enough.
| Store didn't honor their warranty? Pay five dollars and
| they'll lose more money in lost sales than their refusal
| would've cost them.
|
| Sometimes it's not just petty criminals either. Extorting
| businesses with these types of attacks is all too common.
| "Pay us $x or your website will be down for months" is an
| easy threat to make, especially if you can take down a
| business for a fraction of their lost revenue. Attack
| twenty or more companies, wait for one of them to pay out
| and you've made yourself a huge chunk of cash.
|
| There are all kinds of reasons to hire these botnets.
| Developing these botnets isn't very hard either,
| especially if you can sneak a trojan into a useful
| software library or hack someone else's library. You just
| have to think real scummy.
| CharlesW wrote:
| Often, the VPN maker is different than the botnet provider.
|
| https://scrapestack.com/faq: _Residential ("premium")
| proxies provide IP addresses that are connected to real
| residential addresses and devices, which makes them much less
| likely to get blocked while scraping the web. We highly
| recommend using residential proxies for your web scraping
| needs as they make it easy to work around geo-blocked content
| and harvest data at scale._
| zidoo wrote:
| free vpn == click hijacking on affiliate networks. but botnets
| will work too.
| gurchik wrote:
| > After app startup, language selection and acceptance of privacy
| policy the app starts to figure out 'real IP address' by doing a
| request to both google and bing with query "what+is+my+ip". My
| guess is that the app just parses the returned HTML and figures
| IP from those responses.
|
| Aren't there free APIs to get your IP address, like ifconfig.me?
| This sounds like more work but probably doesn't have any chance
| of running into rate limits.
| judge2020 wrote:
| Every cloudflare site responds with `ip=x.x.x.x` at /cdn-cgi/trace
|
| https://troyhunt.com/cdn-cgi/trace
| blibble wrote:
| I wonder what else they're serving up from my domains using
| my name?
| ignoramous wrote:
| I often use _cdn-cgi/trace_ endpoints to do latency
| measurements, sync time, geo-locate; real handy.
| raverbashing wrote:
| Wow very cool
|
| I wonder what's the 'sliver' property
| jgrahamc wrote:
| It's information that's only really useful to us. It refers
| to a set of machines running the same version of our
| software. Part of how we do progressive rollouts of
| software.
| raverbashing wrote:
| Thanks for answering!
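The /cdn-cgi/trace body judge2020 and ignoramous describe is plain text, one `key=value` per line. The following is an added example (not code from the thread or from Cloudflare) that parses such a body and pulls out the fields the comments mention: `ip`, `colo`/`loc`, `sliver`, and `ts` for a crude clock-skew check. The sample body is constructed, and the field names assumed are the ones the endpoint is commonly seen to return.

```python
"""Parse a Cloudflare /cdn-cgi/trace response body (key=value lines).

Added example, not code from the HN thread or from Cloudflare. The sample
below is constructed; the values are made up but follow the real layout.
"""
import time
from typing import Dict, Optional

# Constructed sample body in the endpoint's one-key-per-line format.
SAMPLE_TRACE = """fl=123abc
h=example.com
ip=203.0.113.42
ts=1687118400.123
visit_scheme=https
uag=curl/8.1.0
colo=AMS
sliver=none
http=http/2
loc=NL
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
"""


def parse_trace(body: str) -> Dict[str, str]:
    """Turn the body into a dict. Lines without '=' are skipped; only the
    first '=' splits key from value, so values containing '=' survive."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def public_ip(fields: Dict[str, str]) -> Optional[str]:
    """The client's public IP as the edge saw it (the 'ip=' line)."""
    return fields.get("ip")


def clock_skew_seconds(fields: Dict[str, str],
                       local_now: Optional[float] = None) -> Optional[float]:
    """Edge timestamp minus local clock: the rough time sync ignoramous
    mentions. Returns None when 'ts' is missing or not a number."""
    try:
        server_ts = float(fields["ts"])
    except (KeyError, ValueError):
        return None
    if local_now is None:
        local_now = time.time()
    return server_ts - local_now
```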
| jaen wrote:
| Given that their "Command & Control" server already knows the
| user's IP anyway, this might be a disguise, with the actual
| intention being to check if Google is working from that IP, as
| these shady VPNs are often used to abuse the client as a proxy
| for SERP requests, to bypass IP-based search engine query
| limits (for SEO etc.).
| eddythompson80 wrote:
| It's a lot easier to hide your breadcrumbs if you're just
| calling google.com or bing.com. Those are services that get
| billions of hits an hour and nobody cares to scan or correlate
| your calls to them (other than Google and Microsoft of course)
| starttoaster wrote:
| There are APIs, and in my opinion, just falling back to a
| different HTTP API would probably be easier than parsing HTML.
| Though I use one of those APIs for a dynamic DNS client I
| built, and I've never actually seen a rate limit on them, even
| if I'm calling them every minute. I appreciate you showing them
| the benefit of the doubt here, but in my opinion the more
| likely answer is just that the person who did this is just
| underinformed on the state of quality of life-improving public
| APIs.
| nerdponx wrote:
| It's also borderline trivial to set up your own on a VPS with
| Nginx.
| OJFord wrote:
| Yeah, this and countless others that nobody's ever heard of
| except through a YouTube advert making questionable claims with a
| questionable definition of 'VPN'.
|
| (To answer the inevitable: Mullvad and Proton are the legitimate
| offerings that spring to mind.)
| dandongus wrote:
| Seems like a hilarious conclusion to me.
| jsnell wrote:
| Great writeup!
|
| > I have to give props for Swing VPN team's creativity to bypass
| security measures of Apple appstore and Google PlayStore but it is
| sad that Apple/Google security systems do not have some
| automated ways to detect these types of actions.
|
| It's a tricky problem. The amount of attack traffic from an
| infected device is negligible and very little of it is visible to
| the operating system due to TLS. It's also presumably
| intermittent (there's no point in keeping an attack ongoing
| forever; you stop when the site has found a way to defend
| itself), so just running the app for a while as part of
| validating an update might not show any suspicious behavior. The
| suspicious part is in the configurations downloaded from the CnC
| servers, not packaged with the app, so static analysis won't
| help.
|
| The only reliable option for catching these proactively that I can
| think of would be to use some kind of aggregate telemetry from
| all the app installations combined, but that'd be incredibly
| scary both in terms of privacy and the blast radius when
| something goes wrong.
|
| > Currently in the beginning of June 2023 it has over 5 million
| install base on android
|
| That's not really a reliable number. It's more like "the number
| of distinct users who had this app installed at some point".
| AFAIK it doesn't get decremented when somebody uninstalls the
| app, and doesn't go up when somebody installs it for a second
| time on a new device. Those factors might cancel out, might not.
| [deleted]
| mike_hock wrote:
| > doing a request to both google and bing with query
| "what+is+my+ip". My guess is that the app just parses the
| returned HTML and figures IP from those responses.
|
| lol
| Waterluvian wrote:
| This is interesting. Does this make it harder to
| filter/blacklist once discovered? Or is this just incompetence?
|
| If I had a known user agent doing a curl to icanhazip or
| whatnot, could that eventually be blacklisted?
| mike_hock wrote:
| I don't get it. Where does the VPN traffic go through? If
| they can operate a gateway, then surely they can provide
| their own endpoints for IP discovery (and also C&C for that
| matter).
|
| Until it's discovered, traffic to their own servers would
| appear the most innocuous. After that, the app gets kicked
| off the store and the server doesn't matter.
|
| Unless it doesn't actually do any VPN and it's all just a
| farce, lol.
___________________________________________________________________
(page generated 2023-06-18 23:00 UTC)