Sunday, August 28, 2011

4.1 million proxies!

Almost a month after the 4,000,000 mark, that's about right. 100K proxies per month is a little high, just a bit above the long-run average.

Here's the thing: that 0.1 million is 100% TCP port 8909 proxies.

Between midnight August 1st and this very moment (6AM on the 28th) I've snarfed up 105,272 of these suckers. That's over 2.5% of the entire database.

It looks like I was right about the demise of port 9415. Those boxes are gone. Here are the daily numbers from April 1st to now.

I am still looking for the port 8909 culprit. I downloaded QQPlayer_Setup_32_845.exe from "somewhere in China" and installed it on a VM to see if it opened up port 8909, but it didn't. It was a good suspect because it came out in June. Here it is...

Since it's in Chinese, running it is something of an issue for me. Even though this thing didn't open up port 8909, it does have some kind of built-in proxy capabilities. Take this DLL for example:

It's even signed by Verisign! Anyway, taking a quick peek at the strings in it reveals some interesting details:

The presence of CStunClient and CStunSvr struck a note. "STUN" means "Session Traversal Utilities for NAT" and you can read all about it here. The problem is, STUN is typically a UDP thing whereas proxies (besides SIP proxies) use TCP. Still... it looks like a smoking gun.

Otherwise, the Youku/Tudou/QQ hegemony has been making a lot of news lately. Take this article for example. You may recall Tudou was responsible for port 9415.

This month I have learned that these proxies have more staying power than their port 9415 predecessors, which tended to disappear for good once they stopped responding. The 8909 boxes do go away, but they can come back after a few days. This means all those "dead" proxies that never made it into the gold table (over 88,000 of them timed out, or the port was closed, when they were first scraped) may still be usable and are worth re-checking.
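Since a candidate can time out, have its port closed, or answer as a proxy, and since a "dead" one may come back later, the scraper needs to tell those outcomes apart and re-queue the dead ones instead of discarding them. The following is an added example (not the post's own scraper) of an HTTP CONNECT liveness probe plus a re-check schedule for failed entries. It assumes the candidates are plain HTTP CONNECT proxies and uses a constructed in-process fake proxy so it runs offline; the 1/3/7-day re-check schedule is an assumed policy, not something from the post.

```python
"""Liveness probe for a candidate proxy (e.g. a host on TCP/8909) and a
re-check schedule for entries that failed on first scrape.

Added example, not the post's own code. Assumptions: candidates are HTTP
CONNECT proxies; the fake proxy below is constructed for offline testing.
"""
import socket
import threading
import time
from enum import Enum


class Status(Enum):
    PROXY = "open proxy"      # answered CONNECT with 200
    NOT_PROXY = "not a proxy"  # something answered, but not as a proxy
    CLOSED = "port closed"    # connection refused
    TIMEOUT = "timed out"     # no SYN/ACK or no reply to the request


def parse_status(line: bytes):
    """Return the numeric status from an HTTP status line, or None."""
    parts = line.decode("latin-1", "replace").split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe(host: str, port: int, timeout: float = 3.0,
          target: str = "example.com:443") -> Status:
    """Send a CONNECT request and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
                      .encode())
            line = b""
            # Read only the status line; we never relay real traffic.
            while not line.endswith(b"\r\n") and len(line) < 512:
                chunk = s.recv(1)
                if not chunk:
                    break
                line += chunk
    except ConnectionRefusedError:
        return Status.CLOSED
    except (socket.timeout, TimeoutError):
        return Status.TIMEOUT
    except OSError:  # unreachable host, reset, etc. -> treat as closed
        return Status.CLOSED
    return Status.PROXY if parse_status(line) == 200 else Status.NOT_PROXY


RECHECK_DAYS = (1, 3, 7)  # assumed schedule for re-testing "dead" entries


def schedule(status: Status, failures: int):
    """Return (bucket, days_until_next_check) for a scraped entry.

    Live proxies go to the gold table; timed-out/closed ones stay in a
    'dead' bucket and are retried on the schedule above before retirement.
    """
    if status is Status.PROXY:
        return "gold", 1
    if status in (Status.TIMEOUT, Status.CLOSED) and failures < len(RECHECK_DAYS):
        return "dead", RECHECK_DAYS[failures]
    return "retired", None


def start_fake_proxy(mode: str = "ok") -> int:
    """Constructed test server: 'ok' answers 200, 'nonproxy' answers 403,
    'silent' accepts the connection but never replies. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                buf += chunk
            if mode == "ok":
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            elif mode == "nonproxy":
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            else:
                time.sleep(10)  # 'silent': let the client time out

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """Grab an ephemeral port and release it so a connect is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for mode in ("ok", "nonproxy", "silent"):
        st = probe("127.0.0.1", start_fake_proxy(mode), timeout=1.0)
        print(mode, st.value, schedule(st, 0))
    print("closed", probe("127.0.0.1", closed_port(), timeout=1.0).value)
```

The probe reads only the status line and never forwards data through the proxy, so it establishes whether the box proxies without using it. The scheduler is the part that addresses the post's observation: a timeout on first contact is not proof of death, so the entry is retried a few times at growing intervals before it is retired.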

Back in the USA, the SOCKS proxies march on, with the notable exception of port 27977. What is going on there?

Apparently this was the TDSS rootkit. This is one of the few sources I have found that specifically link TDSS with port 27977. TDSS was a tool leveraged by the Rustock botnet, which was taken down in March.

So you can put a fork in that one.
