Wednesday, September 07, 2011

There's a lot of buzz lately about the guy who runs/ran as being the "kingpin" behind the TDSS botnet, which was the bug responsible for all those port 27977 SOCKS proxies.

Not surprisingly, I used to scrape that site all the time, from the Fall of 2008 until early Winter 2010. According to the Krebs article, awmproxy started offering up proxies on March 16, 2008 which is—coincidentally—the day after I started the proxy project.

That site, as it existed back then at least, seemed like a typical proxy-for-pay scam, selling you a list of proxies you could get for nothing on your own. In fact, they had a slightly insecure way of passing out proxies to their paying customers. I stumbled across their "secret URL" with a random Google search and scraped thousands of good proxies every day throughout that whole time period.

Maybe they changed hands since then, but if you look at their offerings, they have never advertised port 27977 proxies. Compare this Google search to this one. Do the same search on the .net site and you'll find there are none there, either. But you will find the standard ports listed.

Sure, they're conspicuous by their absence, but every proxy lister and his brother had port 27977 proxies in their lists over the past year, so the advertising value alone would be worth listing them. Here are my numbers:

As you can see, they're gone now.

So why finger the only site that wasn't advertising these proxies?

Some consider the Firefox plug-in to be a smoking gun, but it seems like a logical offering for a proxy provider. In fact, it's still available. I don't see how this plug-in would be valuable to a "bot" and would love to see someone evaluate the code and prove that it's inherently malicious.

Of course, there's no way in Hell I'd install it.

I don't want to appear to be an apologist or a defender of cybercriminals, but I'll be on the sidelines watching this drama pan out.
