[HN Gopher] The Web Is Broken - Botnet Part 2
___________________________________________________________________
The Web Is Broken - Botnet Part 2
Author : todsacerdoti
Score : 183 points
Date : 2025-04-19 18:59 UTC (4 hours ago)
(HTM) web link (jan.wildeboer.net)
(TXT) w3m dump (jan.wildeboer.net)
| api wrote:
| This is nasty in other ways too. What happens when someone uses
| these B2P residential proxies to commit crimes that get traced
| back to you?
|
| Anything incorporating anything like this is malware.
| reconnecting wrote:
| Many years ago cybercriminals used to hack computers to use
| them as residential proxies, now they purchase them online as a
| service.
|
| In most cases they are used for conducting real financial
| crimes, but the police investigators are also aware that there
| is a very low chance that sophisticated fraud is committed
| directly from a residential IP address.
| kastden wrote:
| Are there any lists with known c&c servers for these services
| that can be added to Pihole/etc?
| Liftyee wrote:
| I don't know if I should be surprised about what's described in
| this article, given the current state of the world. Certainly I
| didn't know about it before, and I agree with the article's
| conclusion.
|
| Personally, I think the "network sharing" software bundled with
| apps should fall into the category of potentially unwanted
| applications along with adware and spyware. All of the above "tag
| along" with something the user DID want to install, and quietly
| misuse the user's resources. Proxies like this definitely have an
| impact for metered/slow connections - I'm tempted to start
| Wireshark'ing my devices now to look for suspicious activity.
|
| There should be a public repository of apps known to have these
| shady behaviours. Having done some light web scraping for
| archival/automation before, it's a pity that it'll become
| collateral damage in the anti-AI-botfarm fight.
| arewethereyeta wrote:
| I have some success in catching most of them at
| https://visitorquery.com
| lq9AJ8yrfs wrote:
| I went to your website.
|
| Is the premise that users should not be allowed to use vpns in
| order to participate in ecommerce?
| arewethereyeta wrote:
| Nobody said that, it's your choice to take whatever action
| fits your scenario. I have clients where VPNs are blocked
| yes, it depends on the industry, fraud rate, chargeback rates
| etc.
| ivas wrote:
| Checked my connection via VPN by Google/Cloudflare WARP:
| "Proxy/VPN not detected"
| arewethereyeta wrote:
| Could be, I don't claim 100% success rate. I'll have a look
| at one of those and see why I missed it. Thank you for
| letting me know.
| karmanGO wrote:
| Has anyone tried to compile a list of software that uses these
| libraries? It would be great to know what apps to avoid
| arewethereyeta wrote:
| No but here's the thing. Being in the industry for many years I
| know they are required to mention it in the TOS when using the
| SDKs. A crawler pulling app TOSs and parsing them could be a
| thing. List or not, it won't be too useful outside this tech
| community.
| mzajc wrote:
| In the case of Android, exodus has one[1], though I couldn't
| find the malware library listed in TFA. Aurora Store[2], a FOSS
| Google Play Store client, also integrates it.
|
| [1] https://reports.exodus-privacy.eu.org/en/trackers/ [2]
| https://f-droid.org/packages/com.aurora.store/
| takluyver wrote:
| That seems to be looking at tracking and data collection
| libraries, though, for things like advertising and crash
| reporting. I don't see any mention of the kind of 'network
| sharing' libraries that this article is about. Have I missed
| it?
| amiga-workbench wrote:
| What is the point of app stores holding up releases for review if
| they don't even catch obvious malware like this?
| SoftTalker wrote:
| Money
| _Algernon_ wrote:
| They pretend to do a review to justify their 30% cartel tax.
| politelemon wrote:
| Their marketing tells you it's for protection. What they fail
| to mention is that it's for _their_ revenue protection - observe that
| as long as you do not threaten their revenue models, or the
| revenue models of their partners, you are allowed through. It
| has never been about the users or developers.
| charcircuit wrote:
| The definition of malware is fuzzy.
| vlan121 wrote:
| when the shit hits the fan, this seems like the product.
| ChrisMarshallNY wrote:
| _> So if you as an app developer include such a 3rd party SDK in
| your app to make some money -- you are part of the problem and I
| think you should be held responsible for delivering malware to
| your users, making them botnet members._
|
| I suspect that this goes for _many_ different SDKs. Personally, I
| am really, _really_ sick of hearing "That's a _solved_ problem!
| ", whenever I mention that I tend to "roll my own," as opposed to
| including some dependency, recommended by some jargon-addled
| dependency addict.
|
| Bad actors _love_ the dependency addiction of modern developers,
| and have learned to set some pretty clever traps.
| duskwuff wrote:
| That may be true but I think you're missing the point here.
|
| The "network sharing" behavior in these SDKs is the sole
| purpose of the SDK. It isn't being included as a surprise along
| with some other desirable behavior. What needs to stop is
| developers including these SDKs as a secondary revenue source
| in free or ad-supported apps.
| ChrisMarshallNY wrote:
| _> I think you're missing the point here_
|
| Doubt it. This is just one -of many- carrots that are used to
| entice developers to include dodgy software into their apps.
|
| The problem is a _lot_ bigger than these libraries. It's an
| endemic cultural issue. Much more difficult to quantify or
| fix.
| sixtyj wrote:
| Malware, botnets... it is very similar. And people including
| developers are - in 80 per cent - eager to make money,
| because... Is greed good? No, it isn't. It is a plague.
| II2II wrote:
| You're a developer who devoted time to develop a piece of
| software. You discover that you are not generating any income
| from it: few people can even find it in the sea of similar
| apps, few of those are willing to pay for it, and those who
| are willing to pay for it are not willing to pay much. To
| make matters worse, you're going to lose a cut of what is
| paid to the middlemen who facilitate the transaction.
|
| Is that greed?
|
| I can find many reasons to be critical of that developer,
| things like creating a product for a market segment that is
| saturated, and likely doing so because it is low hanging
| fruit (both conceptually and in terms of complexity). I can
| be critical of their moral judgement for how they decided to
| generate income from their poor business judgment. But I
| don't think it's right to automatically label them as
| greedy. They _may_ be greedy, but they may also be trying to
| generate income from their work.
| rsedgwick wrote:
| "Bad actors love the dependency addiction of modern developers"
|
| Brings a new meaning to dependency injection.
| rapind wrote:
| I mean, as far as patterns go, dependency injection is also
| quite bad.
| rjbwork wrote:
| Elaborate on this please. It seems a great boon in having
| pushed the OO world towards more functional principles, but
| I'm willing to hear dissent.
| layer8 wrote:
| How is dependency injection more functional?
|
| My personal beef is that most of the time it acts like
| hidden global dependencies, and the configuration of
| those dependencies, along with their lifetimes, becomes
| harder to understand by not being traceable in the source
| code.
| kortilla wrote:
| Because you're passing functions to call.
| layer8 wrote:
| ??? What functions?
|
| To me it's rather anti-functional. Normally, when you
| instantiate a class, the resulting object's behavior only
| depends on the constructor arguments you pass it (= the
| behavior is purely a function of the arguments). With
| dependency injection, the object's behavior may depend on
| some hidden configuration, and not even inspecting the
| class' source code will be able to tell you the source of
| that behavior, because there's only an _@Inject_
| annotation without any further information.
|
| Conversely, when you modify the configuration of which
| implementation gets injected for which interface type,
| you potentially modify the behavior of many places in the
| code (including, potentially, the behavior of
| dependencies your project may have), without having
| passed that code any arguments to that effect. A function
| executing that code suddenly behaves differently, without
| any indication of that difference at the call site, or
| traceable from the call site. That's the opposite of the
| functional paradigm.
| squeaky-clean wrote:
| > because there's only an @Inject annotation without any
| further information
|
| It sounds like you have a gripe with a particular DI
| framework and not the idea of Dependency Injection.
| Because
|
| > Normally, when you instantiate a class, the resulting
| object's behavior only depends on the constructor
| arguments you pass it (= the behavior is purely a
| function of the arguments)
|
| With Dependency Injection this is generally still true,
| even more so than normal because you're making the
| constructor's dependencies explicit in the arguments. If
| you have a class CriticalErrorLogger(), you can't
| directly tell where it logs to, is it using a flat file
| or stdout or a network logger? If you instead have a
| class CriticalErrorLogger(logger *io.writer), then when
| you create it you know exactly what it's using to log
| because you had to instantiate it and pass it in.
|
| Or like Kortilla said, instead of passing in a class or
| struct you can pass in a function, so using the same
| example, something like CriticalErrorLogger(fn write)
| naasking wrote:
| How is the configuration hidden? Presumably you
| configured it.
| rjbwork wrote:
| Dependency injection is just passing your dependencies in
| as constructor arguments rather than as hidden
| dependencies that the class itself creates and manages.
|
| It's equivalent to partial application.
|
| An uninstantiated class that follows the dependency
| injection pattern is equivalent to a family of functions
| with N+Mk arguments, where Mk is the number of parameters
| in method k.
|
| Upon instantiation by passing constructor arguments,
| you've created a family of functions each with a distinct
| sets of Mk parameters, and N arguments in common.
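The logger from squeaky-clean's comment and the partial-application reading from rjbwork's, written out as an added example in Python (this is not code from either comment; the class and function names, and the "disk full" message, are this example's own):

```python
import io
import sys
from functools import partial
from typing import Callable, Protocol


class Writer(Protocol):
    def write(self, s: str) -> int: ...


class HiddenDepLogger:
    """The 'before' shape: the destination is chosen inside the class, so
    the call site gives no hint where critical errors end up."""

    def __init__(self) -> None:
        self._out = sys.stderr  # hidden dependency, invisible to callers

    def critical(self, msg: str) -> str:
        line = f"CRITICAL: {msg}\n"
        self._out.write(line)
        return line


class CriticalErrorLogger:
    """Constructor injection: the destination is an explicit argument, the
    CriticalErrorLogger(logger *io.writer) shape from the comment."""

    def __init__(self, out: Writer) -> None:
        self._out = out

    def critical(self, msg: str) -> str:
        line = f"CRITICAL: {msg}\n"
        self._out.write(line)
        return line


def log_critical(write: Callable[[str], int], msg: str) -> str:
    """The same behaviour as a plain function: one 'constructor' argument
    (write) plus one method argument (msg); the N + M_k view from the
    comment. Passing a function instead of an object is the
    CriticalErrorLogger(fn write) variant."""
    line = f"CRITICAL: {msg}\n"
    write(line)
    return line


def make_logger(write: Callable[[str], int]) -> Callable[[str], str]:
    """Instantiation as partial application: fix the N constructor
    arguments and get back a function of the remaining M_k."""
    return partial(log_critical, write)


def demo() -> str:
    """Both forms write the same line to the same injected buffer."""
    buf = io.StringIO()
    CriticalErrorLogger(buf).critical("disk full")  # object form
    make_logger(buf.write)("disk full")             # function form
    return buf.getvalue()
```

Because the destination is a parameter, a test can hand in a StringIO and assert on what was written; with HiddenDepLogger the only way to see the output is to patch sys.stderr globally, which is the "hidden global dependency" layer8 objects to.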
| rapind wrote:
| It starts off feeling like a superpower allowing you to
| change a system's behaviour without changing its code
| directly. It quickly devolves into a maintenance
| nightmare though every time I've encountered it.
|
| I'm talking more specifically about Aspect Oriented
| Programming though and DI containers in OOP, which seemed
| pretty clever in theory, but have a lot of issues in
| reality.
|
| I take no issues with currying in functional programming.
| mvdtnz wrote:
| Found the NPM-brained JS developer.
| ryandrake wrote:
| I'm constantly amazed at how careless developers are with
| pulling 3rd party libraries into their code. Have you audited
| this code? Do you know everything it does? Do you know what
| security vulnerabilities exist in it? On what basis do you
| trust it to do what it says it is doing and nothing else?
|
| But nobody seems to do this diligence. It's just "we are in a
| rush. we need X. dependency does X. let's use X." and that's
| it!
| ClumsyPilot wrote:
| > Have you audited this code?
|
| Wrong question. "Are you paid to audit this code?" And "if
| you fail to audit this code, whose problem is it?"
| ryandrake wrote:
| I think developers are paid to competently deliver software
| to their employer, and part of that competence is properly
| vetting the code you are delivering. If I wrote code that
| ended up having serious bugs like crashing, I'd expect to
| have at least a minimum consequence, like root causing it
| and/or writing a postmortem to help avoid it in the future.
| Same as I'd expect if I pulled in a bad dependency.
| baumy wrote:
| Your expectations do not match the employment market as I
| have ever experienced it.
|
| Have you ever worked anywhere that said "go ahead and
| slow down on delivering product features that drive
| business value so you can audit the code of your
| dependencies, that's fine, we'll wait"?
|
| I haven't.
| squeaky-clean wrote:
| That's after the bug is introduced though, investigating
| an issue in a dependency isn't really auditing it. Do you
| audit every dependency to make sure it can't cause a
| crash before you begin using it? If you're putting in the
| level of effort they're talking about you'd never pull in
| a bad dependency because you'd find out it's bad before
| pulling it into your codebase.
| vinnymac wrote:
| This is especially true for script kiddies, which is why I am
| so thankful for https://e18e.dev/
|
| AI is making this worse than ever though, I am constantly
| having to tell devs that their work is failing to meet
| requirements, because AI is just as bad as a junior dev when it
| comes to reaching for a dependency. It's like we need training
| wheels for the prompts juniors are allowed to write.
| jonplackett wrote:
| How is this not just illegal? Surely there's something in GDPR
| that makes this not allowed.
| Retr0id wrote:
| iiuc, they do actually ask the user for permission
| fc417fc802 wrote:
| Which is ironic considering that I strongly disagree with one
| of the primary walled garden justifications, used
| particularly in the case of Apple, which amounts to "the end
| user is too stupid to decide on his own". Unfortunately, even
| if I disagree with it as a guiding principle sometimes that
| statement proves true.
| zahlman wrote:
| > I am now of the opinion that every form of web-scraping should
| be considered abusive behaviour and web servers should block all
| of them. If you think your web-scraping is acceptable behaviour,
| you can thank these shady companies and the "AI" hype for moving
| you to the bad corner.
|
| I imagine that e.g. Youtube would be happy to agree with this.
| Not that it would turn them against AI generally.
| BlueTemplar wrote:
| Yeah, also this means the death of archival efforts like the
| Internet Archive.
| jeroenhd wrote:
| Welcome scrapers (IA, maybe Google and Bing) can publish
| their IP addresses and get whitelisted. Websites that want to
| prevent being on the Internet Archive can pretty much just
| ask for their website to be excluded (even retroactively).
|
| [Cloudflare](https://developers.cloudflare.com/cache/troubleshooting/alwa...)
| tags the internet archive as operating from
| 207.241.224.0/20 and 208.70.24.0/21 so disabling the
| bot-prevention framework on connections from there should be
| enough.
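One way to implement the allowlist jeroenhd describes, as an added example that is not code from the post or the article. The two CIDR ranges are the ones quoted in the comment and should be refreshed from Cloudflare's published list before use; the crawler label, the trusted-proxy addresses and the X-Forwarded-For handling are this example's assumptions:

```python
import ipaddress
from typing import Optional

# The two ranges quoted in the comment above (attributed there to Cloudflare's
# documentation). Treat them as a snapshot and refresh them from the published
# source rather than hard-coding them. The label is this example's own.
KNOWN_CRAWLER_RANGES = {
    "internet-archive": ["207.241.224.0/20", "208.70.24.0/21"],
}

# Hypothetical addresses of your own reverse proxies / load balancers.
TRUSTED_PROXIES = {"10.0.0.1", "10.0.0.2"}

_NETWORKS = [
    (name, ipaddress.ip_network(cidr))
    for name, cidrs in KNOWN_CRAWLER_RANGES.items()
    for cidr in cidrs
]


def client_address(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address the policy applies to.

    X-Forwarded-For is only honoured when the TCP peer is one of our own
    proxies, and then only the hop that proxy appended (the rightmost entry).
    Anything further left was supplied by the client and can be forged.
    """
    if remote_addr in TRUSTED_PROXIES and x_forwarded_for:
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def known_crawler(client_ip: str) -> Optional[str]:
    """Name of the allowlisted crawler that owns client_ip, or None."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    for name, net in _NETWORKS:
        if ip.version == net.version and ip in net:
            return name
    return None


def bot_policy(remote_addr: str, x_forwarded_for: Optional[str],
               user_agent: str) -> str:
    """'allow:<name>' to skip the bot challenge, otherwise 'challenge'.

    The User-Agent is deliberately not part of the decision: it is
    attacker-controlled, so a self-declared archive bot arriving from an
    unknown address is still challenged. It is only worth logging.
    """
    name = known_crawler(client_address(remote_addr, x_forwarded_for))
    return f"allow:{name}" if name else "challenge"
```

The two checks that matter here are the ones a bot-prevention bypass is usually broken by: trusting the User-Agent, and trusting a client-supplied X-Forwarded-For entry instead of the one your own proxy appended.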
| pton_xd wrote:
| I thought the closed-garden app stores were supposed to protect
| us from this sort of thing?
| whstl wrote:
| Once again this demonstrates that closed gardens only benefit
| the owners of the garden, and not the users.
|
| What good is all the app vetting and sandbox protection in iOS
| (dunno about Android) if it doesn't really protect me from
| those crappy apps...
| 20after4 wrote:
| At the very least, Apple should require conspicuous
| disclosure of this kind of behavior that isn't just hidden in
| the TOS.
| BlueTemplar wrote:
| Also my reaction when the call is for Google, Apple,
| Microsoft to fix this : DDOS being illegal, shouldn't the
| first reaction instead be to contact law enforcement ?
|
| If you treat platforms like they are all-powerful, then
| that's what they are likely to become...
| 20after4 wrote:
| That's what they want you to think.
| kibwen wrote:
| If you find yourself in a walled garden, understand that you're
| the crop being grown and harvested.
| jt2190 wrote:
| I'm really struggling to understand how this is different than
| malware we've had forever. Can someone explain what's novel about
| this?
| desertmonad wrote:
| That its _not_ being treated like malware.
| jt2190 wrote:
| In the sense that people are voluntarily installing and
| running this malware on their computers, rather than being
| _tricked_ into running it? Is that the only difference?
| int_19h wrote:
| They are still tricked into running it, since it's normally
| not an advertised "feature" of any app that uses such SDKs.
| downrightmike wrote:
| I think it is funny that the mobile OS is trying to be as
| secure as possible, but then they allow this to run on top
| rsedgwick wrote:
| I think tech can still be beautiful in a less grandiose and
| "omniparadisical" way than people used to dream of. "A wide open
| internet, free as in speech this, free as in beer that, open
| source wonders, open gardens..." Well, there are a lot of
| incentives that fight that, and game theory wins. Maybe we
| download software dependencies from our friends, the ones we
| actually trust. Maybe we write more code ourselves--more
| homesteading families that raise their own chickens, jar their
| own pickled carrots, and code their own networking utilities.
| Maybe we operate on servers we own, or our friends own, and we
| don't get blindsided by news that the platforms are selling our
| data and scraping it for training.
|
| Maybe it's less convenient and more expensive and onerous. Do
| good things require hard work? Or did we expect everyone to
| ignore incentives forever while the trillion-dollar hyperscalers
| fought for an open and noble internet and then wrapped it in
| affordable consumer products to our delight?
|
| It reminds me of the post here a few weeks ago about how Netflix
| used to be good and "maybe I want a faster horse" - we want
| things to be built for us, easily, cheaply, conveniently, by
| companies, and we want those companies not to succumb to
| enshittification - but somehow when the companies just follow the
| game theory and turn everything into a TikToky neural-networks-
| maximizing-engagement-infinite-scroll-experience, it's their
| fault, and not ours for going with the easy path while hoping the
| corporations would not take the easy path.
| reconnecting wrote:
| Residential IP proxies have some weaknesses. One is that they
| often change IP addresses during a single web session. Second, if
| IPs come from the same proxy provider, they are often
| concentrated within a single ASN, making them easier to detect.
|
| We are working on an open-source fraud prevention platform [1],
| and detecting fake users coming from residential proxies is one
| of its use cases.
|
| [1] https://www.github.com/tirrenotechnologies/tirreno
| gbcfghhjj wrote:
| At least here in the US most residential ISPs have long leases
| and change infrequently, weeks or months.
|
| Trying to understand your product, where is it intended to sit
| in a network? Is it a standalone tool that you use to identify
| these IPs and feed into something else for blockage or is it
| intended to be integrated into your existing site or is it
| supposed to proxy all your web traffic? The reason I ask is it
| has fairly heavyweight install requirements and Apache and PHP
| are kind of old school at this point, especially for new
| projects and companies. It's not what they would commonly be
| using for their site.
| reconnecting wrote:
| Indeed, if it's a real user from a residential IP address, in
| most cases it will be the same network. However, if it's a
| proxy from residential IPs, there could be 10 requests from
| one network, the 11th request from a second network, and the
| 12th request back from the same network. This is a red flag.
|
| Thank you for your question. tirreno is a standalone app that
| needs to receive API events from your main web application.
| It can work perfectly with 512GB Postgres RAM or even lower,
| however, in most cases we're talking about millions of events
| that request resources.
|
| It's much easier to write a stable application without
| dependencies based on mature technologies. tirreno is fairly
| 'boring software'.
| sroussey wrote:
| My phone will be on the home network until I walk out of
| the house and then it will change networks. This should not
| be a red flag.
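The two heuristics reconnecting describes (an IP that bounces between networks within one session, and proxy traffic concentrated in a single ASN), with sroussey's objection built in: a single handoff from home Wi-Fi to cellular is not flagged, coming back to a network the session already left is. This is an added example, not code from the tirreno project; the events, addresses (RFC 5737 documentation ranges) and AS numbers (RFC 5398 documentation range) are constructed, and the IP-to-ASN lookup is assumed to have happened upstream:

```python
from collections import Counter
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    session: str
    ts: int    # seconds since the session started
    ip: str
    asn: int   # assumed to come from an upstream IP-to-ASN lookup


# Constructed sample; nothing here refers to a real network.
SAMPLE_EVENTS = [
    # s1: a phone that leaves home Wi-Fi for cellular once and stays there
    Event("s1", 0, "192.0.2.10", 64496),
    Event("s1", 30, "192.0.2.10", 64496),
    Event("s1", 60, "198.51.100.7", 64497),
    Event("s1", 90, "198.51.100.7", 64497),
    # s2: requests relayed through a pool that bounces between networks
    Event("s2", 0, "203.0.113.4", 64498),
    Event("s2", 5, "203.0.113.4", 64498),
    Event("s2", 10, "192.0.2.77", 64499),
    Event("s2", 15, "203.0.113.9", 64498),
    Event("s2", 20, "198.51.100.33", 64500),
    # s3: a stable desktop session
    Event("s3", 0, "192.0.2.200", 64496),
    Event("s3", 120, "192.0.2.200", 64496),
]


def asn_path(events: List[Event]) -> List[int]:
    """ASNs seen by one session in time order, consecutive repeats collapsed."""
    path: List[int] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not path or path[-1] != ev.asn:
            path.append(ev.asn)
    return path


def revisits(path: List[int]) -> int:
    """How many times the session came back to a network it had already left."""
    return sum(1 for i, asn in enumerate(path) if asn in path[:i])


def score_session(events: List[Event], session: str,
                  max_distinct: int = 2) -> Dict[str, object]:
    """First heuristic, applied to one session.

    A single handoff (A -> B) is tolerated: that is what a phone does when it
    walks out of the house. Returning to an earlier network (A -> B -> A) or
    cycling through more than max_distinct networks is flagged.
    """
    path = asn_path([e for e in events if e.session == session])
    distinct = len(set(path))
    back = revisits(path)
    return {
        "session": session,
        "path": path,
        "distinct_asns": distinct,
        "revisits": back,
        "flagged": back >= 1 or distinct > max_distinct,
    }


def sessions_per_asn(events: List[Event]) -> Counter:
    """Second heuristic: distinct sessions carried by each ASN. A proxy
    pool's ASN stands out once the rest of the traffic is spread across many."""
    seen = {(e.asn, e.session) for e in events}
    return Counter(asn for asn, _ in seen)
```

The per-session rule is deliberately blind to plain IP changes within one ASN (DHCP renewals, carrier-grade NAT) and to one clean handoff, so it should produce far fewer false positives than "IP changed mid-session"; the ASN concentration count is only meaningful against a baseline of what your normal traffic looks like.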
| at0mic22 wrote:
| Strange the HolaVPN e.g. Brightdata is not mentioned. They've
| been using user hosts for those purposes for decades, and also
| selling proxies en masse. Fun fact they don't have any servers
| for the VPN. All the VPN traffic is routed through ... other
| users!
| arewethereyeta wrote:
| They are even the first to do it and the most litigious of all.
| Trying to push patents on everything possible, even on water if
| they can.
| Klonoar wrote:
| Is it really strange if the logo is right there in the article?
| armchairhacker wrote:
| > I am now of the opinion that every form of web-scraping should
| be considered abusive behaviour and web servers should block all
| of them. If you think your web-scraping is acceptable behaviour,
| you can thank these shady companies and the "AI" hype for moving
| you to the bad corner.
|
| Why jump to that conclusion?
|
| If a scraper clearly advertises itself, follows robots.txt, and
| has reasonable backoff, it's not abusive. You can easily block
| such a scraper, but then you're encouraging stealth scrapers
| because they're still getting your data.
|
| I'd block the scrapers that try to hide and waste compute, but
| deliberately allow those that don't. And maybe provide a sitemap
| and API (which besides being easier to scrape, can be faster to
| handle).
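What "advertises itself, follows robots.txt, and has reasonable backoff" looks like on the scraper side, as an added example (not code from the post or from any crawler named in the thread). The robots.txt text, the bot's name and contact URL, and the paths are all constructed for the example; it uses only the standard library's robots parser:

```python
import urllib.robotparser
from typing import Optional, Tuple

# Constructed robots.txt standing in for a site's real one. The
# "archivebot-example" agent name and the paths are placeholders.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Crawl-delay: 5

User-agent: archivebot-example
Disallow:
"""

# An honest crawler says who it is and where complaints go (hypothetical).
USER_AGENT = "examplebot/1.0 (+https://example.com/bot)"


def load_robots(text: str) -> urllib.robotparser.RobotFileParser:
    """Parse robots.txt from a string (in production: from the fetched file)."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def backoff_seconds(failures: int, retry_after: Optional[float] = None,
                    base: float = 1.0, cap: float = 60.0) -> float:
    """Delay before retrying after a 429/503.

    A server-supplied Retry-After wins; otherwise exponential backoff capped
    at `cap`. Deterministic here so it can be tested; production code should
    add jitter so a fleet of crawlers does not retry in lockstep.
    """
    if retry_after is not None:
        return float(retry_after)
    if failures <= 0:
        return 0.0
    return min(cap, base * 2 ** (failures - 1))


def plan_fetch(robots: urllib.robotparser.RobotFileParser, user_agent: str,
               path: str, failures: int = 0,
               retry_after: Optional[float] = None) -> Tuple[str, float]:
    """('skip', 0.0) if robots.txt forbids the path for this agent, else
    ('fetch', seconds_to_wait), honouring the larger of the site's
    Crawl-delay and the current backoff."""
    if not robots.can_fetch(user_agent, path):
        return ("skip", 0.0)
    delay = robots.crawl_delay(user_agent) or 0
    return ("fetch", max(float(delay), backoff_seconds(failures, retry_after)))
```

The parser matches the token before the slash in the User-Agent against the agent names in robots.txt, so the identifying string above still gets the generic rules; a site that wants to treat a specific bot differently can name it, as the constructed file does for archivebot-example.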
| panstromek wrote:
| I'd expect this to be against app store and google play rules,
| they are very picky.
| Pesthuf wrote:
| We need a list of apps that include these libraries and any
| malware scanner - including Windows Defender, Play Protect and
| whatever Apple calls theirs - need to put infected applications
| into quarantine immediately. Just because it's not _directly_
| causing damage to the device the malware is running on, that
| doesn't mean it's not malware.
| philippta wrote:
| Apps should be required to ask for permission to access
| specific domains. Similar to the tracking protection, Apple
| introduced a while ago.
|
| Not sure how this could work for browsers, but the other 99% of
| apps I have on my phone should work fine with just a single
| permitted domain.
| proxy_err wrote:
| It's a fair point but very dynamic to sort out. This needs a full
| research team to figure out. Or you know.. all of us combined!!
| It is definitely a problem.
|
| TINFOIL: Sometimes I always wondered if Azure or AWS used bots to
| push site traffic hits to generate money... they know you are
| hosted with them.. They have your info.. Send out bots to drive
| micro accumulation. Slow boil..
| luckylion wrote:
| I think that's mostly that they don't care about having
| malicious bots on their networks as long as they pay.
|
| GCE is rare in my experience. Most bots I see are on AWS. The
| DDOS-adjacent hyper aggressive bots that try random URLs and
| scan for exploits tend to be on Azure or use VPNs.
|
| AWS is bad when you report malicious traffic. Azure has been
| completely unresponsive and didn't react, even for C&C servers.
| aucisson_masque wrote:
| It's interesting but so far there is no definitive proof it's
| happening.
|
| People are jumping to conclusions a bit fast over here, yes
| technically it's possible but this kind of behavior would be
| relatively easy to spot because the app would have to make direct
| connections to the website it wants to scrape.
|
| Your calculator app for instance connecting to CNN.com ...
|
| iOS has an app privacy report where one can check what connections
| are made by app, how often, last one, etc.
|
| Android by Google doesn't have such a useful feature of course,
| but you can run a third-party firewall like pcapdroid, which I
| recommend highly.
|
| Macos (little snitch).
|
| Windows (fort firewall).
|
| Not everyone runs these apps obviously, only the most nerdy like
| myself but we're also the kind of people who would report on app
| using our device to make, what is in fact, a zombie or bot
| network.
|
| I'm not saying it's necessarily false but imo it remains a theory
| until proven otherwise.
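The check aucisson_masque describes (a calculator app has no business talking to CNN.com) turned into something you could run over an export from a per-app firewall such as the ones named above. This is an added example, not code from any of those tools; the connection records, app identifiers and expected-domain table are constructed, and only cnn.com is taken from the comment:

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Conn(NamedTuple):
    app: str        # bundle / package identifier as the firewall reports it
    host: str       # destination hostname (from SNI or the DNS answer)
    bytes_out: int


# Destinations each app has a declared reason to reach. Constructed for the
# example; in practice this comes from the app's privacy disclosure or from
# watching a fresh install for a while.
EXPECTED: Dict[str, Set[str]] = {
    "com.example.calc": set(),                      # a calculator needs nothing
    "com.example.weather": {"weather-example.com"},
}

# Constructed connection log; hosts other than cnn.com are placeholders.
SAMPLE_CONNS = [
    Conn("com.example.weather", "api.weather-example.com", 2_100),
    Conn("com.example.weather", "cdn.weather-example.com", 480_000),
    Conn("com.example.calc", "www.cnn.com", 310_000),
    Conn("com.example.calc", "edition.cnn.com", 95_000),
    Conn("com.example.calc", "news.example-news.org", 120_000),
    Conn("com.example.calc", "shop.example-shop.net", 64_000),
]


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Enough to group www.cnn.com with edition.cnn.com; a real tool should use
    the Public Suffix List so that example.co.uk is not reduced to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unexpected_destinations(conns: List[Conn],
                            expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per app, the registrable domains it contacted but had no reason to."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for c in conns:
        dom = registrable_domain(c.host)
        if dom not in expected.get(c.app, set()):
            out[c.app].add(dom)
    return dict(out)


def stray_bytes(conns: List[Conn], expected: Dict[str, Set[str]]) -> Dict[str, int]:
    """Bytes each app sent to its unexpected destinations: the cost on a
    metered connection that Liftyee's comment above worries about."""
    totals: Dict[str, int] = defaultdict(int)
    for c in conns:
        if registrable_domain(c.host) not in expected.get(c.app, set()):
            totals[c.app] += c.bytes_out
    return dict(totals)


def flag_apps(conns: List[Conn], expected: Dict[str, Set[str]],
              min_domains: int = 3) -> List[str]:
    """Apps that talk to at least min_domains unrelated sites: one stray CDN
    is ordinary, a calculator fanning out to a handful of news sites is not."""
    stray = unexpected_destinations(conns, expected)
    return sorted(app for app, doms in stray.items() if len(doms) >= min_domains)
```

The fan-out count is the useful signal: an ad or analytics SDK adds one or two fixed domains, whereas a bandwidth-sharing SDK relays whatever its customers ask for, so the set of unexpected destinations keeps growing over time.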
| CharlesW wrote:
| Botnets as a Service are absolutely happening, but as you
| allude to, the scope of the abuse is very different on iOS
| than, say, Windows.
| abaymado wrote:
| > iOS have app privacy report where one can check what
| connections are made by app, how often, last one, etc.
|
| How often is the average calculator app user checking their
| Privacy Report? My guess, not many!
| badmonster wrote:
| do you think there's a realistic path forward for better
| transparency or detection--maybe at the OS level or through
| network-level anomaly detection?
| yungporko wrote:
| it's funny, i've never heard of or thought about the possibility
| of this happening but actually in hindsight it seems almost too
| obvious to not be a thing.
| jeroenhd wrote:
| > So there is a (IMHO) shady market out there that gives app
| developers on iOS, Android, MacOS and Windows money for including
| a library into their apps that sells users network bandwidth
|
| AKA "why do Cloudflare and Google make me fill out these CAPTCHAs
| all day"
|
| I don't know why Play Protect/MS Defender/whatever Apple has for
| antivirus don't classify apps that embed such malware as such.
| It's ridiculous that this is allowed to go on when detection is
| so easy. I don't know a more obvious example of a trojan than an
| SDK library making a user's device part of a botnet.
| panny wrote:
| >Apple, Microsoft and Google should act.
|
| Do nothing, win.
|
| They are the primary beneficiaries buying this data since they are
| the largest AI players.
___________________________________________________________________
(page generated 2025-04-19 23:00 UTC)