Hinky’s Proxy Obsession

Recently, a sharp-eyed reader noted that proxies on TCP port 9415 suck ass, and suggested they might be Koobface proxies.  So this morning I did a little reality check and found:

• They do suck ass
• They share some aspects of last year’s Koobface spread

I did a special resurrection on every dead port 9415 proxy in the Gold Database (proxies verified at one time or another) and did some manual spot-checking.  In all, out of 5766 dead proxies I found fifteen live ones.  Most were located in China, Hong Kong, or Taiwan.  One was in Alberta, Canada.

The first one I found, in China, gave me two pages before it started resetting connections.

The Canadian proxy – apparently a Shaw Cable residential account – was fine.  It was perky and never refused a request.

However, I just now re-checked it and it’s timing out.

Several of the others simply returned the text string “error” to the browser.

Some took forever and never returned anything.

This report from Japan offers some interesting insights:

As for 9415/tcp, access from multiple sources in overseas (mainly China) observed at multiple monitoring points … has been on the rise since March.

When I look at the Big Database (all proxies scraped but not verified) I see approximately the same results just eyeballing the data, but I see the activity starting way back in August 2009.

It really takes off by the middle of May 2010.  A quick query shows that 60% of all 9415 proxies were discovered after May 15th.

In all there are over 170,000 port 9415 proxies in the database, which would make a decent botnet.

Coincidentally, Koobface “bloomed” in May of 2009.

I’ve always said this was a seasonal business.

Columbus, Ohio – March 22, 2010 – Mr. Hinky Dink, a Big Time Security Professional™ today released an analysis of the spread of the Koobface worm. Based on an exhaustive study of his database of over two and a half million open Web proxies collected over two years, Hinky’s findings demonstrate where the most vulnerable social networking users can be found.

“With more losers piling into social networking sites this trend is very likely to continue,” said Hinky. “This study highlights the cities with the most gullible users on the Internet. This study will no doubt help cybercriminals, script kidz, and Cameroonian puppy scammers target their next online marketing campaigns.”

View the complete report here.

Today I updated Page One of The List to include a warning about Koobface proxies and a link to my Twitter feed (absolutely nobody follows me, probably because I’m one boring son of a bitch).

I also changed Hinky’s Top Ten so that it never selects Koobface proxies.  The MySQL query that makes the Top Ten List was simply rewritten to exclude any proxy on TCP port 8085, but since it ignores US proxies by default, there was only a small chance it picked them in the first place.

However, Koobface may be changing its strategy since there have been a significant number (over 2700, to be precise) of proxies showing up on TCP port 2479 in the US in March 2010 alone.  That works out to 900 per week, since March is only three weeks old at this point.

If these are Kooberz, I think it’s a Smart Move™ by the Koobface Korp.  Port 8085 has been a dead give-away of Koobface infection for almost a year now.  I have been wondering why they were so stuck on it.

If this turns out to be the case, or if some other botnet is leveraging port 2479 proxies, I am hereby calling dibs on this Important Security Announcement!

You heard it here first!

Today’s 3PM run, published at 4PM, almost doubled the size of The List, which had been purged a few hours earlier.

There are at least two pages worth of U.S. Koobface (port 8085) proxies.  There is some serious pwnage going on.

Somebody should tell Dancho.  Maybe he’ll write another puff piece about “The Koobface Gang” for his corporate masters at ZDNet.  Then people will get mad and… nothing will happen.

No, Danny, I’m not part of “The Gang”.  I’m just sitting on the sidelines, watching the proxies go by and chuckling at the sorry state of the security industry.

EPIC FAIL/

Actually, 2,499,909 at this very moment but we should hit the magic milestone by midnight.

Business has been picking up.  After the last proxy purge I didn’t even have to run a resurrection to get a decent number of pages up.

Koobface has been making a comeback, if the number of U.S.A. proxies running on port 8085 is any indication (and it usually is).

Even the Cameroonians should be happy, given the number of UK proxies that have been popping up in the last few weeks.  Push those puppies, boys!

This surge in new proxies reaffirms my opinion that this is a seasonal business.  The exact same thing happened last year and we should continue to see more and more fresh proxies until November, when the whole thing will come crashing down once again.

We should hit the three million mark by August.