The rise of the machines began: researchers found strange behavior of NordVPN

Security researchers and users are seriously concerned with NordVPN strange behavior that applications’ developers cannot comprehensively explain.

As it turned out, NordVPN connects to strange domains, similarly to the way compromised systems connect to botnets’ C&C–servers.

First users that reported that something is wrong was “The Register” digital periodical reader named Dan. Installed in his office network safety solutions suddenly started to send signals about suspicious traffic from one of visitors’ laptops. As showed log analysis, device connected to some of the “trash” domains.

Cybersecurity researcher Ryan Niemes also noted strange traffic.

However, Niemes found one thing – suspicious domains had no owner. Researcher bought them and started EC2, aiming investigating, what in reality is going on. With running the netstat team, he saw connection to port 443.

“I registered Letsencrypt certificate and started watching for arrival of log entries” – reported Niemes

In private letter researcher notified NordVPN developers about his discovery and received three years of free subscription as a gratitude. Developers promised to fix the issue, but after release of updates, suspicious connections did not discontinue. Niemes installed updated version of NordVPN for testing and detected incoming connection that are established by clients with “NordVPN” in user-agent lines.

Researcher found inside HTTPS-traffic API-requests to other domains.

“POST-requests that I detected are rising concerns, as renewtoken field is unique” – said Niemec.

According to his words, user-agent line and requests disclosed application version, host’s OS compilation and user’s IPv4 address.

As argue in NordVPN, connection to strange domains is a part of blocks bypassing strategy.

Source: www.technadu.com