The rise of the machines has begun: researchers find strange behavior in NordVPN

Security researchers and users are seriously concerned about strange NordVPN behavior that the application's developers cannot fully explain.

As it turned out, NordVPN connects to strange domains, much as compromised systems connect to botnet C&C servers.

The first to report that something was wrong was a reader of the digital periodical “The Register” named Dan. The security solutions installed on his office network suddenly began raising alerts about suspicious traffic from one of the visitors' laptops. Log analysis showed that the device was connecting to a number of “trash” domains.

Cybersecurity researcher Ryan Niemes also noticed the strange traffic.

However, Niemes found one thing: the suspicious domains had no owner. The researcher bought them and started an EC2 instance to investigate what was really going on. Running the netstat command, he saw connections to port 443.

“I registered a Let's Encrypt certificate and started watching for the arrival of log entries,” Niemes reported.

In a private letter, the researcher notified the NordVPN developers of his discovery and received three years of free subscription as thanks. The developers promised to fix the issue, but after the updates were released the suspicious connections did not stop. Niemes installed the updated version of NordVPN for testing and detected incoming connections established by clients with “NordVPN” in their user-agent strings.

Inside the HTTPS traffic, the researcher found API requests to other domains.

“The POST requests that I detected are raising concerns, as the renewtoken field is unique,” said Niemes.

According to him, the user-agent string and the requests disclosed the application version, the host's OS build and the user's IPv4 address.

According to NordVPN, connecting to the strange domains is part of its strategy for bypassing blocks.

Source: www.technadu.com

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
