Saturday, December 06, 2008

Koobface/Port 9090

For months, the Proxy List has been inadvertently tracking the spread of the Koobface virus.

Koobface is spread via the social engineering of Facebook users, prompting them to view a video of themselves that requires (surprise) the installation of an "updated" (translation: BOGUS) Flash player that subsequently zombifies the user's computer, installing a proxy server (tinyproxy.exe) running on TCP port 9090.

Koobface was allegedly discovered in August 2008. The Proxy List has been reporting proxies on port 9090 since March 2008 (to be exact, three days after the beginning of the Proxy Project).

Granted, a proxy on port 9090 does not imply that tinyproxy.exe is running on that port, but given anti-virus companies are so far behind the curve on protecting consumers from malware, a five-month "0day" status is not unheard of.

According to my proxy database, port 9090 started in March, ticked up in April, took the months of May and June off, and started rising from July through October. In November, it exploded. So much that port 9090 is now the fifth most common port for verified proxies (meaning, they worked at least once) in the database, only a few hundred away from knocking port 3128 (SQUID, CoDeeN) off the #4 spot.

Not surprisingly, the top three infected countries (US, GB, CA) are all English-speaking. The DNS names, with a handfull of exceptions, all reflect consumer ISPs.

There is some serious Facebook ownage going on, and this probably explains the surge in Cameroon users I reported last week.

Is it advisory-worthy? No. The press has been doing a fair job of getting the word out. The security discussion lists (BugTraq, FullDisclosure, et al) have been, as usual, silent/worthless on the entire subject. That's what really pisses me off. I spend a great deal of time sifting through the lists for security information and 90% of that turns out to be wasted effort. In fact, 100% of the information on Koobface came from my own Google Alerts and independent research.

Why do I bother?


  1. Anonymous9:08 PM

    hinky you seem to be off duty therevare no transparent ip again and your site seems getting of maintainance

  2. I have been hard at work making the Proxy List as maintenance-free as possible, but I do admit to having broken some things.

    Lately it has been fine.

    You need to check out, which is the new site for news about the proxy list project.

  3. Anonymous12:56 PM

    please Hinky, can you supply some more uk proxies, we need dem badly

  4. I don't go around scanning countires for proxies.

    What I do is scan all the proxy lists I can get my hands on and then find the working proxies in those lists.

    If those lists don't have UK proxies in them, neither does my list.

  5. Anonymous2:50 PM


  6. Anonymous11:14 AM

    Hinky,Please we need more port 8080 for united states proxies.Please

  7. Have you tried

  8. Anonymous7:49 AM

    hi mr hinky,
    this is the spirit master of scamming.i used ultra surf to browse using mtn permit me to browse without paying but is not that powerful.
    please help me with the most powerful proxy server that can help bypass the mtn email is (
    keep being bless for helpping us.........

  9. Anonymous3:26 PM

    u all can
    the best proxies sites on net are published,...

  10. Hello Mr Hinky that a Devo reference?

  11. Anonymous1:07 AM

    Hello Mr Hinky Dink,
    I love what you are doing but can i have a very good us ip i wants to sell my puppies so pls you can email me at (