[HN Gopher] Swing VPN app is a DDoS botnet
Author: campuscodi
Score: 372 points
Date: 2023-06-18 18:09 UTC
Web link: lecromee.github.io

womitt wrote:
Maybe not ddos just pushing up view counts for money

pie2pie wrote:
[dead]

radicaldreamer wrote:
VPNs in general tend to be super shady.

Many vendors surreptitiously use user nodes as exit nodes and route traffic in suspect ways.

VPN software stack is surely a major target for state and non-state actors to monitor and exploit.

internetter wrote:
Hola VPN, for instance, is famous for using the extensions as "exit nodes"

salad-tycoon wrote:
So does this mean then that if someone appears to be using my IP to do illegal thing x y z police/lawyers would come at me first?

If so, would simply having an account and exe file be enough to argue "my wifi is open, I didn't download all that XYZ!"

eddythompson80 wrote:
By the time the police come at you because of your home IP, they usually have collected a lot more evidence than that. That's why torrenting from your home without a VPN usually just results in a letter from your ISP saying "we know what you're doing. cut it out".

Nobody has ever been convicted with their home IP as the only evidence.

greyface- wrote:
https://www.npr.org/sections/alltechconsidered/2016/04/04/47...

Convicted? No. Raided? Yes.

eddythompson80 wrote:
Of course, you get raided most likely once they have sufficient evidence that they'll be able to collect incriminating evidence. Your IP might be enough to get a warrant, but they'll need a lot more to build a case in court. Hence the raid, confiscation of servers, etc.

[deleted]

jjbinx007 wrote:
I think one major problem is VPNs are advertised or promoted as if they're synonymous with antivirus software.
I partially blame the myriad YouTubers who happily push these to their fans to supposedly protect their privacy and protect their computers from harm.

gurchik wrote:
Until recently, eyeglass manufacturers were marketing blue light filtered lenses (which don't even filter much blue light anyway) as a way to prevent macular degeneration, until regulators shut it down. VPN providers shouldn't be allowed to claim that VPNs protect you from malware or that they do a better job at protecting data in transit than vanilla SSL.

girvo wrote:
They still push them at the sales end of optometrists here in Australia. My optometrist partner always gives them death stares whenever they try to push that blue light filtering scam when I'm getting new lenses (like I did a week ago)

kaplun wrote:
Hey, I have such glasses, and here in France at least they are still marketed. Do you have any reference pointing out the fact that they do not work? (Are they even worse than regular glasses?)

gurchik wrote:
> they are still marketed

They're still marketed as a way to prevent macular degeneration?

KnobbleMcKnees wrote:
Any source on the blue light filtering not working? I didn't get the filter on my latest glasses and feel like my eyes fatigue more quickly, but I'm aware that could just be aging or a change in monitors, lighting, etc. which have occurred since my last subscription update.

gurchik wrote:
The lenses I'm talking about are the ones that are completely or nearly completely clear. Here's a photo of the "Everyday" blue light lenses on Zenni Optical as an example. They are marketed as blocking 16x more blue light than normal lenses. https://static.zennioptical.com/marketing/campaign/blokz/202...

How could it be blocking any significant amount of light in the visible spectrum and still be clear? I'm sure the "16x" claim is true, but normal lenses block a small amount of light.
16 times nearly zero is still nearly zero. It's just a marketing gimmick.

Zenni Optical also sells lenses which are orange. I'm sure that actually does block a significant amount of blue light, but I also know from my experience visiting optician offices that many consumers are buying the first kind.

I'm aware of studies which link blue light to eye fatigue and disruption of the circadian rhythm but I'm skeptical that blocking 5% of blue light or whatever could have a perceptible medical effect.

With that being said, I don't feel strongly about claims like the 16x thing if it's actually true (just a bit misleading). My comment above was mostly about the claims that they prevent macular degeneration which there is no evidence for. And regulators are right to jump in before it gets too bad, otherwise why stop at macular degeneration? Just say your lenses prevent hair loss and skin cancer while you're at it.

adra wrote:
As Linus (LTT) mentioned a while back, VPNs are an insanely profitable cash cow with super low bars of entry into the new business, but it sits at a super legally precarious position that could jeopardize major legal and ethical challenges.

I agree though that a lot of YouTubers have grown fat and comfortable with VPN providers led largely because of the financial incentives over their desire to protect fans.

seanp2k2 wrote:
Is there a name for the phenomenon when something is over-advertised to the point where potential consumers become less interested with more advertising? I've reached that point with NordVPN, SquareSpace, and a few others, but especially any pharmaceuticals that get TV ads (not that they're ever relevant to any health concerns for anyone in our house).

adra wrote:
Anecdote to the pharma comment, I recently looked up what happened with the CW because it felt like the network was falling into a pit recently.
It turns out the network got "trimmed down for acquisition" which got swooped up by a cable provider. Apparently the average viewer of CW on terrestrial cable is 58!? (Taken from Wikipedia for what it's worth). If 58 is the average viewer for CW, just how old people are trending for less youth oriented networks. It makes a lot more sense to see a bunch of drug commercials (with their very high ad rates) shoved down your throat.

fullspectrumdev wrote:
Pharma ads are not permitted here, so I sometimes look em up on the YouTube's for amusement.

supriyo-biswas wrote:
Law of diminishing marginal utility?

jangxx wrote:
Does this also work if you're using the generic OpenVPN client to connect to the VPN? I've used a bunch of different VPN providers over the years, but they usually just offer an OpenVPN configuration that you can use with the normal client. I'm not aware of this also allowing them to send traffic the other way, but maybe it does?

thrdbndndn wrote:
I'm not sure if it's appropriate to give unsolicited suggestions on the writing, but I believe the author could improve the conciseness. It reads a bit verbose in places where certain information is repeated multiple times, such as the mention of configurations were retrieved from GitHub and Google Drive sites.

LordShredda wrote:
Writing technical articles is hard. They're usually research note dumps or technical jargon mixed in with some English words.

pie2pie wrote:
[dead]

throwaway8_56 wrote:
> we probably can assume that this app is trying to attack some government sites of Turkmenistan. It is hard for me to imagine why would anybody do that

I find this very odd that they would target those websites. What would be the gain of taking down those websites _for anyone_. I doubt that the reason is political.

P.S. Turkmenistan is probably the worst country when it comes to free internet.
Almost all IP addresses are blocked, with very few websites (mostly Google-owned) being reachable. The entire population is desperate for VPN (preferably free). They are not educated about malware, or anything about security, so they will download anything that promises free internet.

dclowd9901 wrote:
Couldn't it just be old fashioned blackmail? Attack the site and request money to turn off the botnet? It might be a bad assumption on my part but it occurs to me that maybe Turkey doesn't have a lot of pull to investigate cyberattacks across country lines so businesses in that country might be good targets to not get blowback?

throwaway8_56 wrote:
Turkmenistan certainly has no capacity for investigating a cyber attack for sure. But they have no problem with those websites being down. Internet usage in the country is very low, and those websites are down most of the time anyway.

RobotToaster wrote:
Turkmenistan is part of China's BRI, so it could be any state that wants to see that fail?

sim7c00 wrote:
nice findings, firstly, thanks for looking into it and sharing. i wonder how they have 3 million installbase. do you think there are some (unwitting) influencers, streamers etc. paid to promote this? 3 million is plenty, especially since there are a lot of heavily promoted vpns out there bidding for installs

ghoshbishakh wrote:
Installing a client always opens up these risks. That is why I am building a clientless tunneling service (well technically you bring your own client) - https://pinggy.io which is similar to ngrok but you can connect using your own ssh client such as openssh.

lxgr wrote:
This article is about a VPN service.

How does a clientless ngrok alternative help here (which tunnels _server_ traffic), and why is it even necessary given that many OSes support at least one VPN protocol natively?
lionkor wrote:
Been a happy Mullvad.net customer for a while now, partially because it allows just grabbing a wireguard or openvpn config, no client needed

pfooti wrote:
So is hola vpn: https://www.theregister.com/2015/06/10/hola_gets_holes_poked...

At this point one must assume that any "free" vpn software is free because it uses its install base for DDoS / other traffic abuse.

cookiengineer wrote:
Once you dig into how the Kape Technologies holding is linked to the same people of the NSO Group scandals, well, good luck finding a VPN that didn't sell out their customers.

moffkalast wrote:
Yeah, Nord is for example infamous for pimping out their users as scraping proxies: https://oxylabs.io/pricing/residential-proxy-pool

codedokode wrote:
And why is there need for scraping proxies? Because greedy capitalists do not allow to scrape their sites.

dewey wrote:
It's not uncommon that companies ask other companies to scrape their site as they don't have the tech resources to build an API / integration for whatever they want to have.

kortilla wrote:
It has nothing to do with greedy capitalists. I don't want anyone scraping my site at all. I don't charge anything for it.

codedokode wrote:
Let's take as an example a website which compares prices in different stores and shows which has the cheapest price. You can do it manually, but using automation it is faster and more convenient. It doesn't make sense to read websites manually when you can use a script or a language model.

Obviously for consumer it is better to be able to scrape sites. It is only those store owners (greedy capitalists) who do not want consumer to know that their prices are inflated.

Another thing is looking for some information, it is better just to have a language model go around the web and summarize the data for you rather than read someone's site with white letters on black background and weird font.
sim7c00 wrote:
if u run a small site and ppl scrape it aggressively that can rack up ur bills, depending on where u host ur site. of course not an issue for billion dollar companies, but a line needs to be drawn somewhere. also, whats the purpose of the scraping? usually its greedy capitalist purposes, so then ur point is a bit moot, dont u think?

codedokode wrote:
Let's say someone makes a site that compares prices in different stores. It needs a lot of scraping, but is useful for consumers. Obviously, the only ones who are against it will be the store owners.

noAnswer wrote:
Unless you go full blown DoS you will not be able to scrape 100.000 of articles multiple times a day. Geizhals for example compares prices every 10 minutes. It does this by working with the stores (they provide a price list) not against them.

If a store owner doesn't want the reach, it's their loss. IMHO no need for a DoS attack.

opportune wrote:
Sites have a right to try to block scrapers. Scraping can incur significant costs and users may not want it - as a LinkedIn user, I want my profile to be indexed and able to be viewed without logging in from the Web, but I also don't want my entire profile scraped and resold/rehosted for marketing. It's also often the case that the website put in significant work acquiring/curating/cleaning their data, and they are being scraped by other commercial entities trying to just resell it (blocking that isn't being greedy, the data is basically being stolen for other commercial entities). So it's not just being greedy.

Individuals also, IMO, have a right to sell access to their network for scraping-via-proxy. But they should be prepared to deal with the consequences, like a potential IP ban.
Most people using VPNs that resell their residential network for scraping probably don't know that's happening, and many scrapers are indeed doing something bad, which is why there is a disdain for the practice.

withinboredom wrote:
I guess secret shoppers are illegal too.

pests wrote:
Secret shoppers are paid by the company in question. How is that in any way relevant?

dhdhhdd wrote:
Nord offers OpenVPN configs. Those configs don't seem to allow nat/routing from Nord VPN network?

I never looked into that, but always used Nord VPN via the official OpenVPN client.

noizejoy wrote:
> While the lawsuit names Lithuania-based Teso LT, UAB as a defendant rather than "Tesonet", this is as a result of a corporate restructuring several years ago. Aside from its link to Oxylabs, Tesonet also advertises itself as a creator and investor of a number of online services, including NordVPN, Hostinger and others.[0]

[0] https://www.techradar.com/news/judge-orders-mediation-after-...

jvanderbot wrote:
I don't know why, but I did not expect a completely public, normal looking pricing page for something this nefarious-seeming.

sim7c00 wrote:
luminati.io, similar for hola. guess they rebranded now as that one redirects :p but its still the same. this should be illegal really...

KomoD wrote:
Nord as in NordVPN? Source in that case please?

moffkalast wrote:
https://www.techradar.com/news/judge-orders-mediation-after-...

http://web.archive.org/web/20191128170008/https://medium.com...

It's pretty well known.

KomoD wrote:
Skimmed it and I don't see anything about _Nord_ making _their_ users into proxies, second link is questionable (since its deleted and you linked to an archive)

internetter wrote:
> Aside from its link to Oxylabs, Tesonet also advertises itself as a creator and investor of a number of online services, including NordVPN, Hostinger and others.
Where else would they get the 100 million users?

KomoD wrote:
Yeah I saw that part but it does not mean they are using the users from NordVPN for Oxylabs, there's nothing explicitly showing so.

girvo wrote:
I'll be honest, the fact that they're directly linked to Oxylabs alone is enough to deter me. I can't see how else they'd get 100 million+ residential customers on Oxylabs side... sure, I'm not going to go around claiming I have direct proof, but that's more than enough for me to not use their services.

wswope wrote:
Why don't you try installing Nord in a VM and monitoring traffic yourself, instead of taking low-quality blogspam Medium articles at face value?

If they're truly hijacking end user clients, why don't you point to the section of their open source client that's responsible for that?

https://github.com/NordSecurity/nordvpn-linux

Easy enough to prove.

KomoD wrote:
Exactly, I'd love to see some proper proof other than "the parent company owns a residential proxy service"

internetter wrote:
Honestly, "the parent company owns a residential proxy service" is more than enough to deter me from the product.

internetter wrote:
I didn't even read the medium article, only the first one. That's what I quoted from. I agree, investigating traffic would be an excellent idea, but I don't intend on putting my credit card into nord's sketchy site (they apparently don't accept paypal)

KomoD wrote:
They do accept paypal, I just checked their site.

Credit or debit card, Klarna, PayPal, Google Pay, Cryptocurrencies

internetter wrote:
Where? I'm presented with "Credit or debit" (direct input), AmazonPay, ACH Transfer, and Crypto https://imgur.com/G4j1DB8

KomoD wrote:
Maybe possible it differs by country then:

https://i.imgur.com/fTtdOfR.png

internetter wrote:
I always thought nord seemed incredibly sketchy. Thanks for the confirmation.
wswope wrote:
It's not "well-known" - because your links don't say what you're claiming they do, and this is a conspiracy theory that's been shut down on here a thousand times before.

https://news.ycombinator.com/item?id=22532682

NordVPN used residential proxies at one point to enable access to Disney+ and other streaming services; that's a world apart from hijacking end-user connections.

They've got an open source client. Where's the code that's turning end users into endpoints?

https://github.com/NordSecurity/nordvpn-linux

internetter wrote:
> NordVPN used residential proxies at one point to enable access to Disney+ and other streaming services

I'm sorry but that's incredibly sketchy

jug wrote:
It really is of course, but I can honestly see them resort to this only to be able to offer a competitive edge because when it all comes around, this stuff is what many use VPN for rather than privacy. As streaming sites keep clamping down on VPN providers, the low hanging fruits of dodging via mere national IP addresses are blacklisted by them and these providers need to go even further to fool them and compete.

But yes, it's also sketchy with the other implications and all, and not the least what kind of traffic that people want to hide that you're unknowingly a proxy to!

Phemist wrote:
https://github.com/NordSecurity/nordvpn-linux/tree/main/mesh...

The standard linux vpn client clearly has some exitnode capabilities.

KomoD wrote:
That's for Meshnet: https://nordvpn.com/meshnet/

internetter wrote:
Oh interesting. Is that tailscale but worse?

sim7c00 wrote:
i think users in a vpn dont expect other users traffic being redirected over their systems, even if its just to enable access to some streaming services... or are residential proxies systems in residential ranges that are used as proxies, but actually part of nord vpn infra, rather than its users??
(sorry i dont wanna read all the code, and am a bit confused)

wswope wrote:
It's the latter case; Nord used a third-party residential proxy service that they sent traffic through, but there's no serious evidence that they used their own users as proxy nodes or endpoints.

klelatti wrote:
Gosh.

"We are a market-leading web intelligence collection platform, driven by the highest business ethics"

I think that's a bit debatable!

greyface- wrote:
I own some IPv4 space and get constant spam from these companies with pitches like "monetize your IP addresses". It's funny how upset they get when you respond and use the word "botnet" to describe their operation, or suggest that the traffic they generate is illegitimate.

klelatti wrote:
I think it's known as 'touching a nerve'!

sokoloff wrote:
It's difficult to get a person to understand something when their income depends on them not understanding it. --Upton Sinclair

sim7c00 wrote:
business ethics. these words seem contradictory haha. not to say theres no ethical businesses, but it just sounds funny to me :D

earleybird wrote:
There are no ethical businesses. A lawn mower can give you a nicely manicured lawn or a trip to the ER. The lawn mower doesn't care.

friendly_wizard wrote:
Reminds me of Bryan Cantrill's Fork Yeah talk about the acquisition of Sun by Oracle

sim7c00 wrote:
this seems a bit besides my point, but perhaps i am not as deeply into this topic as you. how about the baker at the end of the street. making bread for people, selling it at a profit margin which just allows him/her to continue their work as a non super rich person. (replace baker with barber or whatever). i dont see this as unethical. am i wrong?

13th_yc_acct wrote:
Former baker here.
There are still plenty of ethical dilemmas in baking: fossil fuel consumption in transportation of ingredients, factory farming of ingredients, if you are employing anybody you are paying them an unfair wage in order to turn a profit. There are inescapable ethical dilemmas of participating in capitalism. Success always comes at the expense of someone else. If you are a small business then you are less accountable to laws designed to protect workers than a multinational corporation.

thrashh wrote:
But if you take that point of view, there are ethical dilemmas in pretty much everything.

Which then makes this viewpoint not that useful at all.

And this issue has already been long summed up as "nothing is free in life."

II2II wrote:
The lawn mower is not a business. It is a piece of machinery. The business that designed the lawn mower can ensure the design is safe, at least within reason, through the proper engineering of the product and by instructing its users on the proper use and maintenance of the machine. There is nothing inherently unethical about manufacturing lawnmowers unless you consider the practice of mowing lawns unethical (which there are legitimate arguments for, but I don't think that was your point).

moffkalast wrote:
It would take quite a while to drive to the ER on a lawn mower. You're supposed to call the ambulance /s

sim7c00 wrote:
hola redirects things like web scrapers over their infra. once worked for a lead generation startup (i am so sorry..) where one of their services reached out to ask if i wanted to send traffic over their network. sad this is some legal loophole. (sad for them and probably us, we didnt do scraping :)))

sim7c00 wrote:
for ppl wanting a vpn which does not do this. at the monthly rate things like nord charge, u can rent a server, install openvpn and be free of this stuff.
of course, the server is yours and traceable to you, but still it has all the other benefits which i think normal vpn users crave. (visit plaintext sites over insecure wifi but no eves on the line etc.). its fairly easy to set up and definitely you wont be part of a traffic redirection network, for whatever purposes the redirection is. maybe u can connect ur friends too and be a good samaritan :)

ipython wrote:
Problem is that many services denylist "data center" ip ranges, making these vpns nigh unusable for things like watching Netflix or in some cases even logging into eBay and such.

I've run a private vpn for extended family off of my residential connection for this reason. It helps them and me.

mindslight wrote:
I do most of my every day browsing and online shopping from data center IPs and have never had a problem with eBay or really that many sites at all. Some for sure (looking at you, "Open" AI), but for the most part it's fine.

scarface_74 wrote:
Like another poster said, when was the last time you visited a http insecure website?

On another note, one of the first firewall rules that many of my clients ask for is to block cloud servers IP ranges.

lxgr wrote:
> visit plaintext sites over insecure wifi but no eves on the line etc.

Not a rhetorical question: When is the last time you've visited a non-HTTPS website?

> you wont be part of a traffic redirection network

These are also only a concern for HTTP.

Other common use cases for VPNs include geo-unblocking, and hosting IP ranges are commonly blocked by streaming sites.

I can't think of a good reason to use a VPS for a VPN anymore these days, to be honest - the privacy/security landscape has changed dramatically over the last few years.

You probably get better privacy these days on public (free/unauthenticated) Wi-Fi than you would on many "free" or paid VPN services.
fragmede wrote:
I don't get why people buy cars anymore when there's Lyft and Uber. The transportation landscape has changed dramatically over the last few years.

girvo wrote:
I know you're being facetious, but, that's not the sarcastic counter argument you think it is. I unironically don't own a car anymore because I have an electric scooter and Uber/Didi to fill in where the scooter is (rarely) not enough. The landscape really _has_ changed.

lxgr wrote:
Seems like you misread my comment as "there is no need for VPNs anymore these days". I'm merely saying that I don't see the use case for the "self-hosted VPN server" model anymore.

Need to bypass geoblocking, e.g. when traveling? You'll likely need a residential IP -> use your own network at home (e.g. Tailscale or a self-setup solution) or one of the shady "residential IP broker" utilizing commercial VPNs out there.

Want privacy (from visited sites' trackers)? Your VPS is definitely not that: The IP is static, and if you send your entire traffic through it, this is much more fingerprintable than even residential web usage. -> Use a commercial VPN that you can trust (I don't know many) or something like iCloud Private Relay or TOR.

Want privacy from your _ISP_ tracking you (including public Wi-Fis), and _only_ that? Then, yes, a VPS-based VPN might be for you (or any of the commercial VPNs out there).

But my claim is that the last one (and only that) is probably not the biggest concern of most people.

account-5 wrote:
I love this sort of thing. I'd love to get into this sort of research. No idea where to start to either acquire the skills or once acquired target the right systems/apps. I can still dream though.

Any pointers on where you'd start would be appreciated though.

jeroenhd wrote:
In this case, the whole process was just "let's see what my device is doing" and then digging until the unexplained is explained.
Your devices are doing lots of weird things, talking to tracking servers, fetching data from unexpected places, you just need to take a look and start wondering!

Running Wireshark or an equivalent smartphone app is easy. Understanding it probably a lot less so, but network protocols can be googled. One trick to not get overwhelmed too much is to not use the device you're analyzing too much so you only collect background traffic. Another is to filter out traffic you can't do much with. A lot of traffic is encrypted by TLS these days, but a lot of data is still visible, like in this case a random domain that you shouldn't be seeing. However, except for that very first TLS packet, you won't be able to see anything interesting in the rest of the stream, which can be gigabytes in size!

The real challenge for network analysis is that 99% of the time, your network is not doing anything strange (or at least interesting). If you want to find something, you can try seeking out sketchy apps (free VPNs are a nice target, they're almost always shady) but there's no guarantee that you'll find anything. Or you can dive deeper if you think there's more to be found.

In the case of Android apps, those are often easily decompiled into either VM byte code (smali) or even obfuscated Java code. apktool, jd-gui, or ghidra can usually get some kind of readable-ish code out of an app. There's also an excellent online APK decompiler if you trust that. Grabbing the APK is quite easy, you can find apps that do this or otherwise you can use Android's debugging tools to pull the app off your phone.

Depending on how obfuscated your target is, complete reversing may be difficult. You can often take shortcuts, though, like looking for interesting strings or setting files.

Another nice trick to employ when reversing applications is to run Frida. Frida is a toolkit for injecting arbitrary code into another process.
You can either inject Frida into an APK you've downloaded, or if you've got a rooted device run it against any unmodified app. It works on other platforms as well! With Frida you can write Javascript in the Chrome dev tools to control the app, list objects and functions, call random APIs, whatever you need, all without decompiling.

Another trick I like to employ is using mitmproxy to man-in-the-middle apps so you see every HTTPS call they make, the responses, and you can even mess with the traffic (change responses, alter requests, you name it). The tricky part is to get the app to accept your TLS interception, but there are Frida scripts that will disable validation of TLS certificates in all manner of apps, giving you the ability to inspect them.

That last part can also be very useful if you're reverse engineering an API. I've written a blog post about a Norton VPN where I did exactly that, not because Norton was being shady, but because I wanted to use the OpenVPN config file on my laptop and they didn't provide me with the necessary files (even though they totally could have).

cloudripper wrote:
Would love to read your blog post if you're willing to share.

jeroenhd wrote:
Here you go: https://blog.jeroenhd.nl/article/getting-norton-secure-vpn-t...

Not the best writing, it was mostly a recap of the things I did for myself if I ever needed to fetch that file again, but I think the core concepts may still be useful.

gremlinsinc wrote:
I'd literally start any training by asking chatGPT, probably using phind to ensure it's got more up to date info. I wouldn't trust everything it says, but it can help you maybe find your weaknesses on a topic and formulate a self education plan.

raybb wrote:
I'd recommend watching liveoverflow on YouTube. He has great videos about reverse engineering programs and is very beginner friendly.

dandongus wrote:
Hilarious conclusion from the author.
It's almost certainly not the case that the owners of this service are using it to 'DDoS' targets, rather it's much more likely they are using your device to host a proxy server and then selling access to some 'residential proxy reseller'.

On the other side of that, some random Joe has probably purchased access to a set of these 'residential proxies' and is using them to scrape flight data from the airline site the article author noticed, with some of those requests being sent over the author's connection.

Many 'free vpn' and 'free proxy' apps engage in this behavior, you may proxy your requests via their connection, but they also proxy their requests via yours, generally reselling that access to someone who finds your IP address to be of value to them due to the fact that it's not a datacenter address.

It's certainly questionable to straight up unethical either way, especially so if the service doesn't disclose to you that they're doing that, but on the other hand I find the author's DDoS conclusion to be so contrived and out of touch with reality that I had to write this comment.

badcarbine wrote:
Written by AI

homero wrote:
All free VPNs are malware

ctippett wrote:
Excellent sleuthing! I sometimes use Proxyman to sniff the traffic that my phone or computer is using - it's fascinating seeing what and how different apps communicate with their backend servers. I haven't come across anything quite so nefarious, but it's interesting all the same.

esafak wrote:
Don't leave us hanging! Whodunit?

eddythompson80 wrote:
What do you mean? Swing VPN is a "free VPN" service that's actually operating a botnet. Swing VPN dunit.

esafak wrote:
I doubt somebody started or paid a VPN to strike Turkmenistan Airlines for shits and giggles. I suspect there is more to the story.

sim7c00 wrote:
its not clear its ddos, though it might be, as one commenter suggested it might be ad revenue or so.
| Maybe they hit themselves? :D I bet we will never know.
| eddythompson80 wrote:
| Nobody starts a botnet to hit one target. Botnets are usually for hire. You find a vulnerability, establish as many C&C devices as you can, then advertise online that you have a botnet capable of XYZ, and you get contracts to hit particular endpoints.
|
| In this example, Swing VPN is offering a "free VPN" service, but they actually pay for it with botnet contracts.
| esafak wrote:
| Right. I am interested in who would pay to strike Turkmenistan Airlines. It's a target with no apparent value.
| eddythompson80 wrote:
| Eh, we don't really know what all the "Turkmenistan Airlines" website actually does. It's a government agency after all, and it could be used to hide all sorts of online activity for some other government agencies. It could also just be a test contract, or an internal botnet test, and OP just happened to catch that one.
| jeroenhd wrote:
| Getting a target DDoS'd is cheap, especially if that target resides in a country with not that great digital infrastructure.
|
| For twenty dollars you can take down an airline that lost your luggage and didn't bother trying to find it back. It's childish behavior, but someone is petty enough. Store didn't honor their warranty? Pay five dollars and they'll lose more money in lost sales than their refusal would've cost them.
|
| Sometimes it's not just petty criminals either. Extorting businesses with these types of attacks is all too common. "Pay us $x or your website will be down for months" is an easy threat to make, especially if you can take down a business for a fraction of their lost revenue. Attack twenty or more companies, wait for one of them to pay out and you've made yourself a huge chunk of cash.
|
| There are all kinds of reasons to hire these botnets.
| Developing these botnets isn't very hard either, especially if you can sneak a trojan into a useful software library or hack someone else's library. You just have to think real scummy.
| CharlesW wrote:
| Often, the VPN maker is different than the botnet provider.
|
| https://scrapestack.com/faq: _Residential ("premium") proxies provide IP addresses that are connected to real residential addresses and devices, which makes them much less likely to get blocked while scraping the web. We highly recommend using residential proxies for your web scraping needs as they make it easy to work around geo-blocked content and harvest data at scale._
| zidoo wrote:
| Free VPN == click hijacking on affiliate networks. But botnets will work too.
| gurchik wrote:
| > After app startup, language selection and acceptance of privacy policy the app starts to figure out 'real IP address' by doing a request to both google and bing with query "what+is+my+ip". My guess is that the app just parses the returned HTML and figures IP from those responses.
|
| Aren't there free APIs to get your IP address, like ifconfig.me? This sounds like more work but probably doesn't have any chance of running into rate limits.
| judge2020 wrote:
| Every Cloudflare site responds with `ip=x.x.x.x` at /cdn-cgi/trace
|
| https://troyhunt.com/cdn-cgi/trace
| blibble wrote:
| I wonder what else they're serving up from my domains using my name?
| ignoramous wrote:
| I often use _cdn-cgi/trace_ endpoints to do latency measurements, sync time, geo-locate; real handy.
| raverbashing wrote:
| Wow, very cool
|
| I wonder what the 'sliver' property is
| jgrahamc wrote:
| It's information that's only really useful to us. It refers to a set of machines running the same version of our software. Part of how we do progressive rollouts of software.
| raverbashing wrote:
| Thanks for answering!
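As an added example (not code from the thread or from Cloudflare), a small Python parser for the `/cdn-cgi/trace` key=value format judge2020 and ignoramous describe, which extracts the `ip=` field and validates it as an IP address instead of trusting whatever text comes back. The response body below is constructed for the example, not a real capture, and the hostname, colo and other values in it are made up.

```python
import ipaddress
from typing import Dict

# Constructed sample of a /cdn-cgi/trace response body (not a real capture).
# The endpoint returns one key=value pair per line; ip= is the client's
# public address as seen by the edge, sliver= is the rollout group jgrahamc
# mentions above. Hostname, colo and timestamp here are invented.
SAMPLE_TRACE = """fl=12f345
h=example.com
ip=203.0.113.42
ts=1687116000.123
visit_scheme=https
uag=Mozilla/5.0 (X11; Linux x86_64) constructed=ua
colo=AMS
sliver=none
http=http/2
loc=NL
tls=TLSv1.3
sni=plaintext
warp=off
"""


def parse_trace(body: str) -> Dict[str, str]:
    """Parse key=value lines of a trace body into a dict.

    Lines without '=' are ignored. A value may itself contain '='
    (the user agent often does), so split only on the first one.
    """
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def public_ip(body: str) -> str:
    """Return the ip= field as a validated, normalised IP literal.

    Raises ValueError when the field is missing or is not an IPv4/IPv6
    address, so a truncated, error-page or tampered response is never
    silently treated as the device's public IP.
    """
    fields = parse_trace(body)
    if "ip" not in fields:
        raise ValueError("trace response has no ip= field")
    return str(ipaddress.ip_address(fields["ip"]))
```

Compared with scraping a search engine's HTML, this gives a single parsable field and a hard failure on anything that is not an address.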
| jaen wrote:
| Given that their "Command & Control" server already knows the user's IP anyway, this might be a disguise, with the actual intention being to check if Google is working from that IP, as these shady VPNs are often used to abuse the client as a proxy for SERP requests, to bypass IP-based search engine query limits (for SEO etc.).
| eddythompson80 wrote:
| It's a lot easier to hide your breadcrumbs if you're just calling google.com or bing.com. Those are services that get billions of hits an hour and nobody cares to scan or correlate your calls to them (other than Google and Microsoft of course).
| starttoaster wrote:
| There are APIs, and in my opinion, just falling back to a different HTTP API would probably be easier than parsing HTML. Though I use one of those APIs for a dynamic DNS client I built, and I've never actually seen a rate limit on them, even if I'm calling them every minute. I appreciate you showing them the benefit of the doubt here, but in my opinion the more likely answer is just that the person who did this is just underinformed on the state of quality-of-life-improving public APIs.
| nerdponx wrote:
| It's also borderline trivial to set up your own on a VPS with Nginx.
| OJFord wrote:
| Yeah, this and countless others that nobody's ever heard of except through a YouTube advert making questionable claims with a questionable definition of 'VPN'.
|
| (To answer the inevitable: Mullvad and Proton are the legitimate offerings that spring to mind.)
| dandongus wrote:
| Seems like a hilarious conclusion to me.
| jsnell wrote:
| Great writeup!
|
| > I have to give props for Swing VPN teams creativity to bypass security measure of Apple appstore and Google PlayStore but it is sad that Apple/Google security systems does not have some automated ways to detect these types of actions.
|
| It's a tricky problem.
| The amount of attack traffic from an infected device is negligible and very little of it is visible to the operating system due to TLS. It's also presumably intermittent (there's no point in keeping an attack ongoing forever; you stop when the site has found a way to defend itself), so just running the app for a while as part of validating an update might not show any suspicious behavior. The suspicious part is in the configurations downloaded from the CnC servers, not packaged with the app, so static analysis won't help.
|
| The only reliable option for catching these proactively that I can think of would be to use some kind of aggregate telemetry from all the app installations combined, but that'd be incredibly scary both in terms of privacy and the blast radius when something goes wrong.
|
| > Currently in the beginning of June 2023 it has over 5 million install base on android
|
| That's not really a reliable number. It's more like "the number of distinct users who had this app installed at some point". AFAIK it doesn't get decremented when somebody uninstalls the app, and doesn't go up when somebody installs it for a second time on a new device. Those factors might cancel out, might not.
| [deleted]
| mike_hock wrote:
| > doing a request to both google and bing with query "what+is+my+ip". My guess is that the app just parses the returned HTML and figures IP from those responses.
|
| lol
| Waterluvian wrote:
| This is interesting. Does this make it harder to filter/blacklist once discovered? Or is this just incompetence?
|
| If I had a known user agent doing a curl to icanhazip or whatnot, could that eventually be blacklisted?
| mike_hock wrote:
| I don't get it. Where does the VPN traffic go through? If they can operate a gateway, then surely they can provide their own endpoints for IP discovery (and also C&C for that matter).
|
| Until it's discovered, traffic to their own servers would appear the most innocuous. After that, the app gets kicked off the store and the server doesn't matter.
|
| Unless it doesn't actually do any VPN and it's all just a farce, lol.
___________________________________________________________________
(page generated 2023-06-18 23:00 UTC)