Saturday, December 06, 2008

Koobface/Port 9090


For months, the Proxy List has been inadvertently tracking the spread of the Koobface worm.

Koobface spreads by social engineering Facebook users: a message invites them to view a video of themselves, the video "requires" (surprise) an "updated" (translation: BOGUS) Flash player, and the bogus installer zombifies the user's computer, dropping a proxy server (tinyproxy.exe) that listens on TCP port 9090.

Koobface was allegedly discovered in August 2008. The Proxy List has been reporting proxies on port 9090 since March 2008 (to be exact, three days after the Proxy Project began).

Granted, a working proxy on port 9090 does not by itself prove that tinyproxy.exe is running behind it (9090 is an ordinary alternate HTTP port), but given how far behind the curve anti-virus companies are on protecting consumers from malware, five months of undetected spread (a five-month "0day", if you like) is not unheard of.
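That caveat has a cheap check attached. Stock Tinyproxy stamps a `Via: 1.1 <host> (tinyproxy/<version>)` header on every response it relays, so one request through a port-9090 listener usually tells you whether it is Tinyproxy at all. The script below is an added example, not the Proxy List's own code, and it assumes the tinyproxy.exe that Koobface drops is an unmodified build; the post does not say that, so a reply with no Via header means "unknown", not "clean". The two sample replies are constructed, not captured from infected hosts, and `probe()` is only for hosts you are authorised to test.

```python
"""Fingerprint a port-9090 proxy as Tinyproxy from its HTTP response.

Added example for this post, not the Proxy List's own code. Assumption: the
tinyproxy.exe Koobface drops is a stock Tinyproxy build, which adds a
'Via: 1.1 <host> (tinyproxy/<version>)' header to everything it relays.
A missing Via header therefore means 'unknown', not 'clean'.
"""
import socket


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, {lowercased-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def tinyproxy_version(raw):
    """Return the Tinyproxy version string from the Via header, or None.

    Via may list several hops, comma separated; each hop looks like
    '1.1 host (tinyproxy/1.6.4)' when Tinyproxy added it.
    """
    _, headers = parse_headers(raw)
    for hop in headers.get("via", "").split(","):
        hop = hop.strip()
        if "(tinyproxy/" in hop:
            return hop.split("(tinyproxy/", 1)[1].rstrip(")")
    return None


def probe(host, port=9090, timeout=5.0):
    """Live check: relay one request through host:port and fingerprint the reply.

    Only for hosts you are authorised to test. Reads until the end of the
    response headers, which is all the fingerprint needs.
    """
    req = (b"GET http://example.com/ HTTP/1.1\r\n"
           b"Host: example.com\r\n"
           b"Connection: close\r\n\r\n")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return tinyproxy_version(buf)


# Constructed replies for offline use (not captured from real infected hosts).
TINYPROXY_REPLY = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Via: 1.1 cpe-203-0-113-5.example.net (tinyproxy/1.6.4)\r\n"
                   b"Connection: close\r\n\r\n<html>...</html>")
SQUID_REPLY = (b"HTTP/1.0 200 OK\r\n"
               b"Via: 1.0 cache.example.org (squid/2.7.STABLE5)\r\n"
               b"X-Cache: MISS from cache.example.org\r\n\r\n")

if __name__ == "__main__":
    for name, reply in (("tinyproxy", TINYPROXY_REPLY), ("squid", SQUID_REPLY)):
        print(name, "->", tinyproxy_version(reply))
```

Running the script offline prints `1.6.4` for the constructed Tinyproxy reply and `None` for the Squid one; only `probe()` touches the network.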

According to my proxy database, port 9090 started in March, ticked up in April, took May and June off, and rose steadily from July through October. In November it exploded, so much so that port 9090 is now the fifth most common port for verified proxies (meaning they worked at least once) in the database, only a few hundred short of knocking port 3128 (Squid, CoDeeN) off the #4 spot.
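Counting those port-9090 sightings month by month, and ranking ports by verified proxies, is a few lines over an export of the database. The script below is an added example, not the Proxy List's own code or schema; it assumes a flat "ip port first_seen verified" export, and SAMPLE_DB is constructed to mimic the curve described above rather than taken from the real database.

```python
"""Per-port trend report over a proxy-list export.

Added example for this post, not the Proxy List's own code or schema. It
assumes a flat export, one record per line:
    ip  port  first_seen(YYYY-MM-DD)  verified(0/1)
with verified=1 meaning the proxy worked at least once. SAMPLE_DB is
constructed to mimic the shape of the 2008 port-9090 curve; not real data.
"""
from collections import Counter

SAMPLE_DB = """\
# ip           port  first_seen  verified
203.0.113.10   9090  2008-03-05  1
203.0.113.11   9090  2008-04-12  1
203.0.113.12   9090  2008-07-20  1
203.0.113.13   9090  2008-08-02  0
203.0.113.14   9090  2008-10-15  1
203.0.113.15   9090  2008-11-01  1
203.0.113.16   9090  2008-11-09  1
198.51.100.1   3128  2008-03-10  1
198.51.100.2   3128  2008-04-01  1
198.51.100.3   3128  2008-05-01  1
198.51.100.4   3128  2008-06-01  1
198.51.100.5   3128  2008-07-01  1
198.51.100.6   3128  2008-08-01  1
198.51.100.7   3128  2008-09-01  1
192.0.2.1      8080  2008-03-02  1
192.0.2.2      8080  2008-04-02  1
192.0.2.3      8080  2008-05-02  1
192.0.2.4      8080  2008-06-02  1
192.0.2.5      8080  2008-07-02  1
192.0.2.6      8080  2008-08-02  1
192.0.2.7      8080  2008-09-02  1
192.0.2.8      8080  2008-10-02  1
"""

def parse_db(text):
    """Parse the export into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, port, first_seen, verified = line.split()
        records.append({"ip": ip, "port": int(port),
                        "month": first_seen[:7], "verified": verified == "1"})
    return records

def _month_range(start, end):
    """Every YYYY-MM from start to end inclusive, so quiet months show as 0."""
    y, m = (int(x) for x in start.split("-"))
    ey, em = (int(x) for x in end.split("-"))
    out = []
    while (y, m) <= (ey, em):
        out.append(f"{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out

def monthly_trend(records, port):
    """{month: verified proxies on `port` first seen that month}, gaps filled with 0."""
    seen = Counter(r["month"] for r in records if r["port"] == port and r["verified"])
    if not seen:
        return {}
    return {mo: seen.get(mo, 0) for mo in _month_range(min(seen), max(seen))}

def port_ranking(records, top=5):
    """Most common ports among verified proxies as (port, count), most common first."""
    return Counter(r["port"] for r in records if r["verified"]).most_common(top)

def rank_of(records, port):
    """(rank, count, deficit) for `port`; deficit is the gap to the port one rank
    above (None at #1). Returns None if the port has no verified proxies."""
    ranking = port_ranking(records, top=None)
    for i, (p, n) in enumerate(ranking):
        if p == port:
            return i + 1, n, (None if i == 0 else ranking[i - 1][1] - n)
    return None

if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    for month, n in monthly_trend(db, 9090).items():
        print(f"{month}  {'#' * n}")
    print("top ports:", port_ranking(db))
    print("port 9090 rank/count/deficit:", rank_of(db, 9090))
```

Unverified entries (the `0` record) are listed but never counted, matching the post's definition of a verified proxy, and the trend keeps the empty months so a lull like May/June is visible rather than silently skipped.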

Not surprisingly, the top three infected countries (US, GB, CA) are all English-speaking. The reverse DNS names, with a handful of exceptions, all belong to consumer ISPs.

There is some serious Facebook ownage going on, and this probably explains the surge in Cameroon users I reported last week.

Is it advisory-worthy? No. The press has been doing a fair job of getting the word out. The security discussion lists (BugTraq, Full-Disclosure, et al.) have been, as usual, silent/worthless on the entire subject. That's what really pisses me off. I spend a great deal of time sifting through the lists for security information and 90% of that turns out to be wasted effort. In fact, 100% of the information on Koobface came from my own Google Alerts and independent research.

Why do I bother?

7 comments:

Anonymous said...

Hinky, you seem to be off duty; there are no transparent IPs again, and your site seems to be lacking maintenance.

Hinky said...

I have been hard at work making the Proxy List as maintenance-free as possible, but I do admit to having broken some things.

Lately it has been fine.

You need to check out http://proxyobsession.net, which is the new site for news about the proxy list project.

Anonymous said...

Please, Hinky, can you supply some more UK proxies? We need them badly.

Hinky said...

I don't go around scanning countries for proxies.

What I do is scan all the proxy lists I can get my hands on and then find the working proxies in those lists.

If those lists don't have UK proxies in them, neither does my list.

Anonymous said...

visit proxy4all.blogspot.com

Anonymous said...

Hinky, please, we need more port 8080 United States proxies. Please.

Hinky said...

Have you tried proxy4all.blogspot.com?
