Showing posts with label koobface. Show all posts

Monday, March 22, 2010

The Hinky Dink Top 10 Koobface Infested Shitholes Report


FOR IMMEDIATE RELEASE

The Hinky Dink Top 10 Koobface Infested Shitholes Report

Columbus, Ohio – March 22, 2010 – Mr. Hinky Dink, a Big Time Security Professional™, today released an analysis of the spread of the Koobface worm. Based on an exhaustive study of his database of over two and a half million open Web proxies collected over two years, Hinky's findings demonstrate where the most vulnerable social networking users can be found.

“With more losers piling into social networking sites this trend is very likely to continue,” said Hinky. “This study highlights the cities with the most gullible users on the Internet. This study will no doubt help cybercriminals, script kidz, and Cameroonian puppy scammers target their next online marketing campaigns.”

View the complete report here.

Saturday, March 20, 2010

Koobface May Be Mutating


Followers of my Proxy Project may have noticed a tremendous increase in the past few weeks of the number of active Koobface proxies in the wild.

They have become so widespread in the USA that I had to include a warning about them on my proxy list.

Koobface proxies are widely known to use TCP port 8085. However, since the beginning of March I have seen a new trend of proxies listening on port 2479.

And by "trend" I mean an average of over 900 new proxies per week since March 3rd in the USA alone (the USA is Koobface's #1 "market").

This may be a new strategy by the KK (Koobface Korp) or it may be an entirely new botnet being set up.

We live in interesting times, boys and girls!

Saturday, December 06, 2008

Koobface/Port 9090


For months, the Proxy List has been inadvertently tracking the spread of the Koobface virus.

Koobface is spread via the social engineering of Facebook users, prompting them to view a video of themselves that requires (surprise) the installation of an "updated" (translation: BOGUS) Flash player that subsequently zombifies the user's computer, installing a proxy server (tinyproxy.exe) running on TCP port 9090.

Koobface was allegedly discovered in August 2008. The Proxy List has been reporting proxies on port 9090 since March 2008 (to be exact, three days after the beginning of the Proxy Project).

Granted, a proxy on port 9090 does not imply that tinyproxy.exe is running on that port, but given anti-virus companies are so far behind the curve on protecting consumers from malware, a five-month "0day" status is not unheard of.

According to my proxy database, port 9090 started in March, ticked up in April, took the months of May and June off, and started rising from July through October. In November, it exploded. So much that port 9090 is now the fifth most common port for verified proxies (meaning, they worked at least once) in the database, only a few hundred away from knocking port 3128 (SQUID, CoDeeN) off the #4 spot.
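The kind of per-port monthly tally described above can be turned into a simple surge check. This is an added example, not the author's code or data: the record layout `(first_seen, port)`, the thresholds and every sample row are constructed for illustration, with the watched ports taken from these posts.

```python
from collections import Counter, defaultdict
from datetime import date

# Ports these posts associate with Koobface proxies.
WATCH_PORTS = {9090, 8085, 2479}

# Constructed sample: one (first_seen, port) tuple per verified proxy.
# The counts are invented and only mimic the shape of the trend described.
SAMPLE = (
    [(date(2008, 3, 10), 9090)] * 2
    + [(date(2008, 4, 5), 9090)] * 5
    + [(date(2008, 7, 9), 9090)] * 8
    + [(date(2008, 8, 14), 9090)] * 12
    + [(date(2008, 9, 2), 9090)] * 15
    + [(date(2008, 10, 21), 9090)] * 20
    + [(date(2008, 11, 18), 9090)] * 140
    + [(date(2008, 10, 3), 3128)] * 28
    + [(date(2008, 11, 3), 3128)] * 30
)

def monthly_counts(records):
    """Return {port: Counter({(year, month): newly seen proxies})}."""
    out = defaultdict(Counter)
    for first_seen, port in records:
        out[port][(first_seen.year, first_seen.month)] += 1
    return out

def surges(records, factor=3.0, min_count=25):
    """Flag months where a watched port's new-proxy count is at least
    `factor` times the mean of its earlier active months.

    Months with no sightings are skipped, not counted as zero, so a port
    that "takes a month off" does not drag its baseline down.
    """
    flagged = []
    for port, months in monthly_counts(records).items():
        if port not in WATCH_PORTS:
            continue
        history = []
        for month in sorted(months):
            count = months[month]
            if history:
                baseline = sum(history) / len(history)
                if count >= min_count and count >= factor * baseline:
                    flagged.append((port, month, count, round(baseline, 1)))
            history.append(count)
    return flagged

if __name__ == "__main__":
    for port, (year, month), count, baseline in surges(SAMPLE):
        print(f"port {port}: {count} new proxies in {year}-{month:02d} "
              f"(baseline {baseline}/month)")
```

As the post notes further up, a hit on a watched port does not prove tinyproxy.exe is behind it; the flag is a lead for follow-up, not a verdict.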

Not surprisingly, the top three infected countries (US, GB, CA) are all English-speaking. The DNS names, with a handful of exceptions, all reflect consumer ISPs.

There is some serious Facebook ownage going on, and this probably explains the surge in Cameroon users I reported last week.

Is it advisory-worthy? No. The press has been doing a fair job of getting the word out. The security discussion lists (BugTraq, FullDisclosure, et al) have been, as usual, silent/worthless on the entire subject. That's what really pisses me off. I spend a great deal of time sifting through the lists for security information and 90% of that turns out to be wasted effort. In fact, 100% of the information on Koobface came from my own Google Alerts and independent research.

Why do I bother?