Researchers at Palo Alto Networks Unit 42 investigated the tunneling software X-VPN, which uses a variety of circumvention techniques to bypass security and policy enforcement mechanisms. X-VPN is a virtual private network (VPN) client that can be used to bypass Internet censorship and traffic policy enforcement points, posing significant risks to both network operators and VPN users.
X-VPN is one of the most evasive VPN clients we have seen, mimicking a variety of popular protocols and services to bypass security policies. As a result, protection systems cannot inspect the packets, which may allow malicious traffic to enter the network or sensitive information to leave it.
Avoid VPN connection risks
Using VPN clients such as X-VPN puts users of such software and network operators at risk. Users must consider the following risks when deciding to use VPN clients:
Can the VPN provider be trusted? – When a VPN is used, all data from the client is sent to a third party that can analyze and record it.
Host country jurisdiction – Depending on where the VPN provider is located, the host country may require the provider to share certain user data with its government. During our X-VPN analysis, we found exit nodes located in many different countries, and these exit nodes are usually selected automatically by the VPN client.
Limiting traffic – Because a VPN provider has complete control over the data coming from its users, it can limit or even block connections to various services, or favor certain content providers over others.
Risk of malware and spyware – VPN clients frequently fetch content from third-party sources and may infect hosts with malware or spyware. Especially when the VPN uses custom encryption, security monitoring cannot identify malicious payloads in incoming traffic.
Use of clients as exit nodes – A VPN client may allow its users to connect through another end user's installed client. In that case, the end user whose client serves as an exit node may be held responsible for illegal activity by other VPN users.
Given the risks associated with VPNs, it is critical that network operators be able to monitor and control the use of VPNs in their networks. The following sections discuss the circumvention techniques we discovered during our in-depth analysis of X-VPN.
X-VPN circumvention techniques
X-VPN's circumvention techniques are based on custom encryption of TCP and UDP payloads and on mimicking other application-layer protocols such as HTTP, SSL, FTP, NTP, and SMTP. According to our research, X-VPN uses approximately 10,000 server instances hosted by public cloud providers and replaces 300-500 server instances per day with new public IP addresses.
To hide the actual payload of a packet, X-VPN mimics connections to popular services such as www.google.com or www.bing.com:
As Figure 1 shows, X-VPN mimics HTTP traffic that appears to be Bing web browsing traffic. The highlighted fields are custom encrypted and can be used to carry command-and-control traffic or to transfer data between the client software and one of X-VPN's server instances.
By contrast, Figure 2 shows the HTTP header of real web browsing traffic to www.bing.com.
The same technique can be observed with SSL traffic, where X-VPN mimics the SSL handshake, e.g. to google.com, as we show in Figure 3.
In addition to using popular services as domain names, we also observed X-VPN using generated domains, such as 8v9m.com.
Beyond using fraudulent HTTP and SSL packets to move data through policy enforcement systems, X-VPN applies the same principle to FTP, SMTP, and NTP traffic, hiding custom-encoded data in fields of packets that appear to belong to benign protocols.
Figure 4 shows an example in which X-VPN transmits data using a structure that looks like a Simple Mail Transfer Protocol (SMTP) packet to communicate with icloud.com. The FROM and TO email addresses in the SMTP packet flow are custom-encrypted values. We assume X-VPN uses this traffic for command-and-control communication.
X-VPN uses a similar method with FTP (File Transfer Protocol) traffic, where the username and password are custom encrypted to pass information between client and server in an evasive way, as we show in Figure 5.
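Since the article describes only the mimicry itself (opaque custom-encrypted values where SMTP FROM/TO addresses or FTP USER/PASS fields would normally carry names), one defender-side check is whether those fields contain long, high-entropy blobs instead of word-like identifiers. The heuristic below is an added illustration, not Unit 42's tooling; the sample commands, field patterns and thresholds are constructed assumptions to be tuned on real traffic.

```python
import math
import re
from collections import Counter

# Constructed sample protocol commands (not real X-VPN captures). The first two
# imitate what the article describes: SMTP/FTP fields carrying opaque data.
# The remaining lines are ordinary, benign commands.
SAMPLE_COMMANDS = [
    "MAIL FROM:<q7Zx2vKp9LmTa3WcRf8Hn1Yd@icloud.com>",
    "USER x9Vb3Qz7LmK2pRt8Wc4Yh6Nj1Fd5Sg0",
    "MAIL FROM:<alice.smith@example.com>",
    "RCPT TO:<bob@example.org>",
    "USER anonymous",
    "PASS guest@example.com",
]

# Fields the article names as carriers of custom-encrypted data.
FIELD_PATTERNS = {
    "smtp_from": re.compile(r"^MAIL FROM:<([^@>]+)@[^>]*>", re.I),
    "smtp_to": re.compile(r"^RCPT TO:<([^@>]+)@[^>]*>", re.I),
    "ftp_user": re.compile(r"^USER (\S+)", re.I),
    "ftp_pass": re.compile(r"^PASS (\S+)", re.I),
}


def shannon_entropy(value):
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(value, min_len=16, min_entropy=3.8):
    """Heuristic: long, mixed-case-and-digit, high-entropy value (assumed thresholds)."""
    if len(value) < min_len:
        return False
    mixed = (any(ch.isupper() for ch in value)
             and any(ch.islower() for ch in value)
             and any(ch.isdigit() for ch in value))
    return mixed and shannon_entropy(value) >= min_entropy


def flag_suspicious(commands):
    """Return (field_name, value) for each command whose field looks encrypted."""
    hits = []
    for line in commands:
        for name, pattern in FIELD_PATTERNS.items():
            match = pattern.match(line)
            if match and looks_encrypted(match.group(1)):
                hits.append((name, match.group(1)))
                break
    return hits
```

Running `flag_suspicious(SAMPLE_COMMANDS)` flags only the two constructed mimicry lines; the heuristic is a triage signal to pair with the article's other indicators (rapidly rotating cloud IPs, generated domains), not a verdict on its own.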
Conclusions and mitigation
Palo Alto Networks can help customers and businesses by incorporating best practice recommendations to block X-VPN and other proxies. For detailed instructions on how to configure a Palo Alto Networks firewall to block X-VPN, see: Configure a Palo Alto Network Firewall to Block X-VPN