Weird things are afoot with NordVPN's app and the traffic it generates - Reg readers have spotted it contacting strange domains in the same way compromised machines talk to botnets' command-and-control servers.

Although NordVPN has told us this is expected behaviour by the app and is intended as a counter-blocking mechanism, the company's explanation has shifted a number of times.

It began after Reg reader Dan became confused when his office network's security products started alerting on traffic from one infrequent visitor's laptop. On looking at the logs, our reader saw it was talking to these "garbage" domains:

f5d599a39d02caef1984e95fdc606f838893ffc5[dot]com
8d46980d994cc618aeed127df1b5c86d8acd86ce[dot]xyz
10bdc75ab2f0486f008dbdd8f1b0a38d7399598e[dot]xyz

Further scratching of heads led to infosec bod Ryan Niemes' personal blog, where he had written about exactly the same odd traffic. Except Niemes had noticed something else too: these domains weren't owned by anybody. So he bought them and spun up an EC2 instance to log what was coming in.

"Fast-forward a few hours," he wrote, "I ran a netstat command and saw a crapload of connections to 443. So, I registered a Letsencrypt certificate & watched my logs start to fill up."

Niemes responsibly disclosed his findings to NordVPN's security team, which thanked him and said it would update its apps to stop the oddness. The firm also offered him three years' free subscription as a thank you.

El Reg spoke to Niemes and he told us that after the update was deployed (he installed it on a test device), incoming connections were still being made from clients with "NordVPN" in their user-agent string.

Niemes saw a number of API calls within the HTTPS-encrypted traffic hitting his new domains, including:

GET /v1/users/services HTTP/1.1
GET /v1/users/current HTTP/1.1
GET /v1/servers?filters[servers.load][$gt]=85&fields[servers.id]&limit=5114 HTTP/1.1
GET /v1/servers?fields[servers.status]&limit=1&filters%5Bservers.id%5D=939653 HTTP/1.1
GET /v1/servers?fields%5Bservers.created_at%5D=&fields%5Bservers.groups.id%5D=&fields%5Bservers.groups.title%5D=&fields%5Bservers.groups.type.identifier%5D=&fields%5Bservers.hostname%5D=&fields%5Bservers.id%5D=&fields%5Bservers.load%5D=&fields%5Bservers.locations%5D=&fields%5Bservers.name%5D=&fields%5Bservers.specifications%5D=&fields%5Bservers.station%5D=&fields%5Bservers.technologies.identifier%5D=&filters%5Bservers.status%5D=online&limit=5114 HTTP/1.1
GET /v1/servers/count HTTP/1.1
GET /v1/helpers/ips/insights HTTP/1.1
GET /v1/plans?filters[plans.active]=1&filters[plans.type]=android_sideload HTTP/1.1
GET /v1/helpers/hosts/metadata HTTP/1.1

"The POST I'm seeing is concerning because there's a field called renewtoken which appears to be unique," he told The Register. As well as the user-agent string, the inbound requests also disclosed app version, host operating system build and the user's IPv4 address.

It's an anti-censorship mechanism. Honest

NordVPN spokeswoman Laura Tyrell first told us: "I would like to assure you that we have not observed any irregular behavior that could in any way support the theory of our applications being compromised by a malicious actor."

She added: "Such domains are used as an important part of our workaround in environments and countries with heavy internet restrictions. To prevent such requests from contacting the domains which aren't owned by us, we have modified our URI scheme. All URLs are being validated, so the problem as such will never occur. It is also important to note that no sensitive data is being sent or received through these addresses."

This was obviously bunkum and we said so. Tyrell then replied: "Once URL is generated, we send a call to validate it and only when URL is validated we proceed with the communication."

Among the other things Niemes had previously showed us was this sample of an incoming request from a NordVPN-using Android device:

--1c721304-A--
[23/Apr/2019:15:00:11 +0000] XL8oe@Cs4AQkZiAuc0uRFgAAAG8 [00.00.00.00 - IP address] 47522 [xxx.yyy.zzz.aaa – user IP address]
--1c721304-B--
POST /v1/users/tokens/renew HTTP/1.1
User-Agent: NordApp android (playstore/3.10.1) Android 9
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Host: f5d599a39d02caef1984e95fdc606f838893ffc5.xyz
Connection: Keep-Alive
Accept-Encoding: gzip

--1c721304-C--
renewToken=3a76c968108386e8adc64e973dc3d[random obfuscation by El Reg]34463cc8b83a4cdaf9c
--1c721304-F--
HTTP/1.1 404 Not Found
Content-Length: 219
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Yup, plenty of unique user information there – and that gzip string looks rather like the client is expecting to receive a payload from the server. Curiouser and curiouser.

"While the information did not contain user credentials, it can still be considered sensitive. In theory, the tokens can be used by a third party to gain unauthorized access to our service," conceded Tyrell. "However, none of this information could have been used to intercept the users' traffic or to tie an individual to their specific internet activity."
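Tyrell's description of the fix (generate a URL, validate it, then communicate) and the concession above point at the control a client like this needs: a bearer token such as renewToken should only be sent to a host the app has verified the operator still controls. The Python below is an added example, not NordVPN's code, and its hosts, certificate bytes and pin set are all constructed. It contrasts a client that posts the token to any reachable fallback host with one that first checks the peer certificate's hash against pins shipped in the app; certificate pinning is one way to do such validation, not necessarily the one NordVPN uses.

```python
"""Fallback-host client: send a renew token only to a host that passes a pin check.

Added example, not NordVPN's code. The hosts, the certificate bytes and the pin set
are constructed stand-ins; a real client would take the DER certificate from the TLS
handshake and ship the pins inside the app binary.
"""
import hashlib
from typing import List, Optional, Tuple

# Constructed: the certificate each fallback host presents on connect. The first two
# belong to the operator; the third stands in for a generated name the operator never
# registered and that has since been picked up by someone else.
CONSTRUCTED_CERTS = {
    "aaaa1111.example": b"operator-cert-1",
    "bbbb2222.example": b"operator-cert-2",
    "cccc3333.example": b"someone-elses-cert",
}

# Pins the app ships with: SHA-256 of the certificates the operator actually controls.
PINNED_SHA256 = {
    hashlib.sha256(b"operator-cert-1").hexdigest(),
    hashlib.sha256(b"operator-cert-2").hexdigest(),
}


def fetch_cert(host: str) -> Optional[bytes]:
    """Simulated TLS handshake: the peer certificate, or None if the host is unreachable."""
    return CONSTRUCTED_CERTS.get(host)


def pin_matches(cert: bytes) -> bool:
    """True when the presented certificate hashes to one of the shipped pins."""
    return hashlib.sha256(cert).hexdigest() in PINNED_SHA256


def naive_renew(candidates: List[str], token: str, sent: List[Tuple[str, str]]) -> Optional[str]:
    """Weak behaviour: the token goes to the first candidate that answers at all.

    Whoever happens to hold one of the generated names receives the token.
    """
    for host in candidates:
        if fetch_cert(host) is not None:
            sent.append((host, token))
            return host
    return None


def pinned_renew(candidates: List[str], token: str, sent: List[Tuple[str, str]]) -> Optional[str]:
    """Hardened behaviour: a candidate is skipped unless its certificate matches a pin."""
    for host in candidates:
        cert = fetch_cert(host)
        if cert is None or not pin_matches(cert):
            continue  # unreachable, or reachable but unverified: never send the token
        sent.append((host, token))
        return host
    return None


if __name__ == "__main__":
    order = ["cccc3333.example", "aaaa1111.example"]
    weak, strong = [], []
    print("naive  ->", naive_renew(order, "constructed-token", weak), weak)
    print("pinned ->", pinned_renew(order, "constructed-token", strong), strong)
```

With the unverified host first in the candidate order, the naive client hands the token to it, while the pinned client skips it and only talks to the operator's own host; if no candidate passes the check, nothing is sent at all, which is the failure mode a defender wants.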

NordVPN has been in the news before over allegations that its userbase could be turned into a botnet, something it addressed in a blog post last year. Among other things, the company said it had been a victim of a smear campaign by rival VPN operators.

This latest weirdness is being picked up by security monitoring products and concerned sysadmins, and the company's explanations appear to be shifting every time it is presented with detailed evidence.

Reg reader Dan spotted a new domain in his logs yesterday morning, https://wutlk3t9mybdz[dot]info/, which appears as a 404 page with a prominent link to NordVPN's website. He commented to us: "If this was legitimate, they'd effectively be exposing their authentication method. I feel like they're aware people are digging into them, so they've thrown this up to appear legitimate."

Could be innocent keep-alive heartbeat traffic

Max Heinemeyer, infosec biz Darktrace's director of threat hunting, told The Register: "We've seen it quite a lot. We don't know what it's for, but it looks like it tries to hide. Sensible for a VPN trying to cut around censorship!"

He added that it looks on the face of it like botnet traffic, highlighting some of the common features the mystery NordVPN traffic has with typical botnet C2 streams:

"The domains look DGA-generated… they're using suspicious TLDs, dot-xyz, something we have from other botnets. Then we see domains are using Let's Encrypt [it wasn't clear if Heinemeyer had looked at one of Niemes' domains], something which is also used by cybercriminals because it's easy. Repeated connections to the same domain looks like command-and-control traffic; it looks and smells like command-and-control traffic, but it's actually [likely to be] keep-alive traffic."
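Heinemeyer's list (hash-looking labels, cheap TLDs such as .xyz, repeated connections to one host) is exactly what a network-monitoring rule scores. The Python below is added here and is not from any product; it turns those three traits into a per-host score over constructed proxy log lines. The domain names in the sample are the ones quoted earlier in the article, the timestamps and client address are made up, and the TLD list and thresholds are assumptions a deployment would tune.

```python
"""Score outbound connections for C2-like traits: hash-like label, cheap TLD, regular beacon.

Added example, not from any vendor. Log lines are constructed: "<ISO time> <src> <host> <port>".
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import pstdev
from typing import Dict, List, Optional, Tuple

# Constructed sample: one laptop talking to two hash-named hosts on a 30 s cadence,
# plus ordinary traffic for comparison. The hash-named hosts are the ones in the article.
CONSTRUCTED_LOG = """\
2019-04-23T15:00:11Z 10.0.0.12 f5d599a39d02caef1984e95fdc606f838893ffc5.com 443
2019-04-23T15:00:41Z 10.0.0.12 f5d599a39d02caef1984e95fdc606f838893ffc5.com 443
2019-04-23T15:01:11Z 10.0.0.12 f5d599a39d02caef1984e95fdc606f838893ffc5.com 443
2019-04-23T15:01:41Z 10.0.0.12 f5d599a39d02caef1984e95fdc606f838893ffc5.com 443
2019-04-23T15:00:13Z 10.0.0.12 8d46980d994cc618aeed127df1b5c86d8acd86ce.xyz 443
2019-04-23T15:00:43Z 10.0.0.12 8d46980d994cc618aeed127df1b5c86d8acd86ce.xyz 443
2019-04-23T15:01:13Z 10.0.0.12 8d46980d994cc618aeed127df1b5c86d8acd86ce.xyz 443
2019-04-23T15:00:20Z 10.0.0.12 www.example.com 443
2019-04-23T15:07:02Z 10.0.0.12 www.example.com 443
2019-04-23T15:00:30Z 10.0.0.12 updates.example.org 443
"""

# Assumptions a deployment would tune: which TLDs count as cheap/suspicious, how long a
# pure-hex label must be before it looks like a hash, and how regular a beacon must be.
SUSPICIOUS_TLDS = {"xyz", "info"}
HEX_LABEL = re.compile(r"^[0-9a-f]{32,}$")
MAX_BEACON_CV = 0.1   # coefficient of variation of inter-connection gaps
MIN_BEACON_HITS = 3


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    ts, src, host, port = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, host.lower(), int(port)


def domain_features(host: str) -> Dict[str, bool]:
    """Static look of the name: is the registrable label a long hex string, is the TLD cheap."""
    labels = host.split(".")
    tld = labels[-1]
    second = labels[-2] if len(labels) >= 2 else ""
    return {
        "hash_like_label": bool(HEX_LABEL.match(second)),
        "suspicious_tld": tld in SUSPICIOUS_TLDS,
    }


def beacon_regularity(times: List[datetime]) -> Optional[float]:
    """Spread of the gaps between connections relative to their mean; near 0 means clockwork."""
    if len(times) < MIN_BEACON_HITS:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return None
    return pstdev(gaps) / mean


def score_log(text: str) -> Dict[Tuple[str, str], Tuple[int, List[str]]]:
    """Return {(src, host): (score, reasons)} for every client/host pair in the log."""
    seen: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            when, src, host, _port = parse_line(line)
            seen[(src, host)].append(when)
    results = {}
    for key, times in seen.items():
        times.sort()
        feats = domain_features(key[1])
        cv = beacon_regularity(times)
        score, reasons = 0, []
        if feats["hash_like_label"]:
            score, reasons = score + 2, reasons + ["hash-like label"]
        if feats["suspicious_tld"]:
            score, reasons = score + 1, reasons + ["suspicious TLD"]
        if cv is not None and cv < MAX_BEACON_CV:
            score, reasons = score + 2, reasons + [f"regular beacon ({len(times)} hits)"]
        results[key] = (score, reasons)
    return results


if __name__ == "__main__":
    for (src, host), (score, reasons) in sorted(score_log(CONSTRUCTED_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{score}  {src} -> {host}  {', '.join(reasons) or 'nothing notable'}")
```

On the sample, the .xyz host scores highest (hash-like label, cheap TLD, clockwork 30 s gaps), the .com host loses only the TLD point, and the two ordinary hosts score nothing. The beacon check is what separates "odd name" from "odd behaviour": a single lookup of a hash-named domain is noise, a steady cadence to it is what Heinemeyer's "looks and smells like command-and-control" describes, and an analyst still has to decide whether it is keep-alive traffic or something worse.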

"We've seen NordVPN usage reported in at least 188 cases last year," he continued, adding that this isn't the only instance Darktrace has seen of VPN apps sending odd traffic around: "We've also seen PIA make odd connections to random IPs. In their case it was random UDP connections on port 8888." ®