
Bunitu botnet crooks sell your unencrypted VPN traffic for £££

Unknowing proxies help zombie army lurch forward

Cyber-crooks behind the Bunitu botnet are selling access to infected proxy bots as a way to cash in from their network.

Users (some of whom may themselves be shady types, as explained below) who use certain VPN service providers to protect their privacy are blissfully unaware that back-end systems channel traffic through a criminal infrastructure of infected computers worldwide.

Not only that, but all traffic is also unencrypted – defeating the main point of using a VPN service.

The lack of encryption gives consumers a false sense of security while simultaneously leaving their traffic open to interception, or worse yet, man-in-the-middle and traffic redirection attacks.

The cheap and nasty VPN scam was uncovered by security researchers from anti-virus firm Malwarebytes and ad-fraud-fighting outfit Sentrant. The two firms originally began investigating the botnet in the belief that ad-click fraud was its main source of illicit income, before realising that dodgy VPN services seemed to be the main fraud in play.

In particular, a VPN service called VIP72 was heavily involved with the Bunitu botnet and its proxies. VIP72 appears to be a top choice for cyber-criminals, as referenced on many underground forums, and a particular favorite with Nigerian 419 scammers, among others.

A Bunitu Trojan was distributed via the Neutrino exploit kit as part of various malvertising campaigns, Malwarebytes reported last month. Malwarebytes estimates that there are 100K Bunitu-infected machines, a figure that marks it out as a mid-range zombie network – the largest run into the low seven figures.

Malwarebytes researcher Jérôme Segura told El Reg how the botnet-based VPN worked, explaining that its architecture is different from that offered by legitimate services.

"Rather than being servers worldwide, the VPN exit nodes are personal computers that have been configured as proxies. In that sense, the architecture of the VPN is different from a typical one, but not to their customers who would be none the wiser."

The result is that compromised computers that form zombie drones in the Bunitu botnet are getting harnessed as free exit nodes for dubious VPN services.

"Bunitu shows us how versatile malware can be, especially when compromised systems are tied together towards the same goal," Malwarebytes concludes in a blog post on its ongoing investigation. "While we have analysed its main components, there is still much more that is unknown about this threat, and in particular, the extent of its reach or the list of VPN providers using it."

Malwarebytes and Sentrant are inviting other security researchers and law enforcement to get in touch to share intelligence on the Bunitu botnet. ®


Concerns were raised two months ago after it emerged that the Hola VPN, which claims to have more than 9.7 million users, was re-selling access to users' machines as exit nodes under the Luminati brand. Users of Hola route their traffic through each other's devices. In response to queries from The Register, Malwarebytes confirmed that there is no relationship between Hola and VPNs built on the back of the Bunitu botnet.
