Botconf Author Listing

Chris Formosa


Last known affiliation: Lumen’s Black Lotus Labs
Bio: Chris Formosa is a Senior Lead Information Security Engineer at Black Lotus Labs, the threat research team at Lumen Technologies. Chris discovers and tracks malicious botnet activity, mapping the infrastructure crimeware families use to operate. Chris works with many different organizations and agencies to share threat intelligence to help remove malicious activity from the internet. His work prior to Lumen Technologies involved uncovering and stopping fraud rings in the financial space. He has a master’s in computer science from Georgia Tech.
TLP:GREEN
Date: 2025-05-22
Stronger Together – Disrupting The Ngioweb Botnet Powering The NSOCKS Proxy Service
Chris Formosa 🗣

Abstract

Proxy services have become a primary tool for many threat actors to obfuscate their tracks, due to their low prices and access to clean residential IPs in many locations. Although the “ngioweb” botnet has been around for seven years, it took until 2024 to uncover how it was powering one of the most notorious criminal proxy services in the world, known as “NSOCKS,” boasting a daily average of 35000 proxies in 180 countries. Join us as we discuss how we spent over a year researching this botnet and understanding how we could and did intervene to slow it down.

In this talk we will explore why malicious proxy services like NSOCKS are becoming more popular and show how dangerous they can truly be. First, we will show why many threat actors prefer using this proxy service, while describing how it was being abused by separate entities to launch DDoS attacks, create new proxy services, and obfuscate malware traffic. With this background in mind, we will explain the ngioweb botnet architecture, which consists of three different command and control (C2) layers encompassing over 220 active C2s at its peak. We also show how the malware has been developed and changed over the years to become extremely resistant to takedown efforts.

We will bring this all together to then discuss how we worked with many different organizations to coordinate a severe disruption to this service and botnet, and what we learned along the way. We will focus on understanding how public and private sector entities can work together to disrupt botnets and malicious activity – not only in this case, but for many more like it even when a full-scale takedown is not an option.
