
Wednesday, January 29, 2014

BlazeDTV v3.5 Serial Number


Let me just say up front I am not in the business of pirating software.

These days.  The 90s was a different story.  But I digress.

A few years back, I bought an Auvitek ATSC USB dongle for an XP system.  It was cheap and it worked great.  It was bundled with "BlazeDTV v3.5" for tuning, recording, playback, etc.  Then I upgraded to Windows 7 64-bit and it stopped working.  Even after finding the 64-bit drivers for it (after a long hard search) it still wouldn't work.  So it sat in a drawer until one day when I "inherited" another XP system.  I ran the installation disk, plugged in the dongle, and it asked me for the serial number, which I promptly plugged in.

And the little rat bastard told me I had installed it on too many systems.  It refused to run.

Problem was, it was phoning home to check on the serial number.  I null routed the mothership, ran setup again, and everything was fine.  Can't call home, can't check the serial, can't brick the software.  No problem.  I made it a permanent entry in my local DNS recursor (PowerDNS).

This worked great for months.  It works with Windows 7 32-bit just fine.  Then today I was playing around with proxies (as usual) on IE9 (which I don't normally use).  Forgot about it and went to watch some TV.

And it wanted the serial number.  When I plugged it in it said "FUCK YOU" and refused to run.  At that point I remembered I had set IE up with some proxy in God-Know-Where (probably some MikroTik router in Venezuela--those are pretty fast) and it found the mothership.

So here's my (BAD) serial number if you need it...

MU3MJNBK9LRH4-6H8ECXDT5MVA

It's no good.  It's used up.  Huffed.  So I don't feel bad about giving it out.

You need to add this line to your local hosts file:

127.0.0.1 www.blazevideo.com blazevideo.com

And that will kill the mothership, which you will never be able to hit with anything ever again.

Unless you use a Venezuelan proxy (or equivalent).

Sunday, December 25, 2011

TCP Port 36081

Happy Annual Gift Day!

I woke up bleary-eyed this morning at around 3AM, disappointing the cats who thought it was breakfast time, and sat down at the computer and pulled up the proxy list. I was greeted with a smattering of new proxies on port 36081.

This struck me as unusual so I did a quick check of the database to see how long it's been going on.

And it's only been going on for the last five days (see also SANS data on 36081), but let me qualify that. I have been finding live, High Anon, CERN-ish proxies on this port for the last five days. Not SOCKS!

I had a smattering of hits in 2008 and 2010 on port 36081, nothing at all in 2009, and seven between January 1st and December 1st of this year (2011).

328 of them—96%—in the last five days. 100% are located on residential IPs in the US, making them useless for me, since I don't do US proxies, and they're spread out in 44 states pretty much by population with the top three states being Texas, California, and Ohio.

What's special about 36081, the number? Nothing. It falls in an "UNASSIGNED" IANA port range, which in itself is meaningful and probably not random. It's not prime. It's the Zip code of Troy (as in "Trojan"), Alabama. It's the part number of a popular surge protector.

Oh, GOODIE!

Something new and wonderful is happening!

Sunday, October 16, 2011

Proxy Browser Round-Up October 2011

The other day it dawned on me I had not run Internet Explorer for a very long time. IE9 may be better than sliced shit for all I know. I have it, never use it. It's different back at the Salt Mines. Some "intranet applications" simply barf on anything else, or flat out refuse to run.

Last year, on the ill-fated Proxy Obsession blog, I proclaimed SRWare Iron as the best browser ever for using proxies. Now, meh... not so much. Iron has always lagged behind in updates compared to Chrome and though they're getting better they're still dog shit slow.

In fact, with all those fucking persnickety SOCKS proxies out there in the wild, I'm no longer convinced there is a single, one-size-fits-all proxy browser available today. So unless you want to fuck around with a CERN type proxy that uses SOCKS as a backend, you're going to be running at least two browsers. And that leaves us with two options: the Chromes and the Foxes.

The Chromes


Here is my ranking of the available chrome-ish browsers I've been using, from most-preferred to least-preferred:
  1. Comodo Dragon - surprised? So was I. I never liked it much because they want to push their crap on you (like the Comodo Secure DNS servers, which are natural born ass-suckers). The last Flash update convinced me. Adobe was all butthurt because Google released a Flash fix for Chrome before Adobe could fix everyone else. Comodo was second, just a couple of hours behind. Impressive.
  2. SRWare Iron - still an old stand-by. The best thing you can say about them is they aren't Google.
  3. Chrome - fast, but... it's Google for crying out loud.
Chromes are great for CERN type proxies because they have the "-proxy-server=" command line switch. Just close the browser, edit the shortcut, and you're in business. But use a SOCKS proxy? You're fux0r3d.

The Foxes

Firefox is taking a beating in the marketplace and is expected to have its 2nd place position usurped by Chrome by the end of the year, but it is still the most versatile from a proxy perspective, and all the myriad plug-ins make hacking fun! It's so versatile, you still need more than one. Here are my picks, from first to last.
  1. Firefox 7.0.1 - or you can pick your own version. The only disappointment I've ever had with FF is the inability of the plug-in authors to keep up with it. And then there's that memory issue...
  2. SeaMonkey - an ugly-as-fuck browser if there ever was one, but it doesn't eat memory up quite like FF. SeaMonkey was semi-abandoned a while ago but it's back now and better than ever.
  3. Pale Moon - a serious contender for the #2 spot. I have only recently discovered it myself, but it's been around for a few years. There's even a 64bit version, but you may have plug-in issues.
It amazes me that all the Foxes still have that old, annoying "disappearing caret" problem they inherited from Netscape Navigator and sometimes they're just not paying attention when you click on a link.

You must run Ad Block Plus and NoScript on any Fox-like browser. User Agent Switcher is recommended, but not required.

DO NEVER USE

Added for completeness:
  1. Safari - ugh. Just... don't
  2. IE - any version
  3. Any browser that can't override IE proxy settings (like Safari)
Feel free to add your least favorite browser to the DO NEVER USE list.

Monday, September 26, 2011

I ain't lyin'


When the Proxy List came back online in May, I added this little warning...
Times have changed, little ones. You cannot hide. By using a proxy you attract the attention of Powerful Forces™. The consequences will never be the same.
Recent events have shown this to be Sage Advice. They may try to convince you they're hiding your ass, but when the chips are down, they'll cover their own ass first.

It's your ass or theirs and you will lose every time.

Wednesday, September 07, 2011

awmproxy.com


There's a lot of buzz lately about the guy who runs/ran awmproxy.com as being the "kingpin" behind the TDSS botnet, which was the bug responsible for all those port 27977 SOCKS proxies.

Not surprisingly, I used to scrape that site all the time, from the Fall of 2008 until early Winter 2010. According to the Krebs article, awmproxy started offering up proxies on March 16, 2008 which is—coincidentally—the day after I started the proxy project.

That site, as it existed back then at least, seemed like a typical proxy-for-pay scam, selling you a list of proxies you could get for nothing on your own. In fact, they had a slightly insecure way of passing out proxies to their paying customers. I stumbled across their "secret URL" with a random Google search and scraped thousands of good proxies every day throughout that whole time period.

Maybe they changed hands since then, but if you look at their offerings, they have never advertised port 27977 proxies. Compare this Google search to this one. Do the same search on the .net site and you'll find there are none there, either. But you will find the standard ports listed.

Sure, they're conspicuous by their absence, but every proxy lister and his brother had port 27977 proxies in their lists over the past year, so the advertising value alone would be worth listing them. Here are my numbers:

As you can see, they're gone now.

So why finger the only site that wasn't advertising these proxies?

Some consider the Firefox plug-in to be a smoking gun, but it seems like a logical offering for a proxy provider. In fact, it's still available. I don't see how this plug-in would be valuable to a "bot" and would love to see someone evaluate the code and prove that it's inherently malicious.

Of course, there's no way in Hell I'd install it.

I don't want to appear to be an apologist or a defender of cybercriminals, but I'll be on the sidelines watching this drama pan out.

Sunday, August 28, 2011

4.1 million proxies!


Almost a month after the 4,000,000 mark, that's about right. 100K proxies per month is a little high, just a little above average.

Here's the thing: that 0.1 million is 100% TCP port 8909 proxies.

Between midnight August 1st and this very moment (6AM on the 28th) I've snarfed up 105,272 of these suckers. That's over 2.5% of the entire database.

It looks like I was right about the demise of port 9415. Those boxes are gone. Here are the daily numbers from April 1st to now.


I am still looking for the port 8909 culprit. I downloaded QQPlayer_Setup_32_845.exe from "somewhere in China" and installed it on a VM to see if it opened up port 8909, but it didn't. It was a good suspect because it came out in June. Here it is...


Since it's in Chinese, running it is something of an issue for me. Even though this thing didn't open up port 8909, it does have some kind of built-in proxy capabilities. Take this DLL for example:


It's even signed by Verisign! Anyway, taking a quick peek reveals some interesting details (click for a larger view):


The presence of CStunClient and CStunSvr struck a note. "STUN" means "Session Traversal Utilities for NAT" and you can read all about it here. The problem is, STUN is typically a UDP thing whereas proxies (besides SIP proxies) use TCP. Still... it looks like a smoking gun.

Otherwise, the Youku/Tudou/QQ hegemony has been making a lot of news lately. Take this article for example. You may recall Tudou was responsible for port 9415.

This month I have learned that these proxies have more staying power than their port 9415 predecessors, which tended to disappear forever after they were gone. They do disappear, but they can come back after a few days. This means all those "dead" proxies that never made it into the gold table (over 88,000 timed out or the port was closed when they were first scraped) may still be usable.

Back in the USA, the SOCKS proxies march on, with the notable exception of port 27977. What is going on there?

Apparently this was the TDSS rootkit. This is one of the few sources I have found that specifically link TDSS with port 27977. TDSS was a tool leveraged by the Rustock botnet, which was taken down in March.

So you can put a fork in that one.

Sunday, August 14, 2011

Skipped a beat... or two


Make that three.

I woke up this morning at about 6:15AM—which is late for me, but it's a weekend—and checked the proxy list to find there had been no updates since 4AM.

I did a hard Ctrl-F5 and came up with a "Host not found".

This is not the first time this has happened, and I've been waiting for it to happen again.

The first thing I did was do an nslookup on www.mrhinkydink.com.

SERVFAIL

So I tried www.Mrhinkydink.com (with a capital "M")...

SUCCESS

Not this shit again.

I really didn't want to deal with it so I grudgingly added the addresses back into good old faithful /etc/hosts. WTF, it worked last time.

The 7AM and 8AM updates ran fine. Then, working on something else entirely, I borked the box—sucked up all the RAM & CPU cycles—during the 9AM run. By 10AM the list was back on schedule. Now, it's 11AM and it's back to normal, which is entirely different from "on schedule".

While messing around with all that crap, I popped in to the hosting provider to poke around. While there, I grabbed my stats, below. The bar graph is slightly truncated on the right.


These stats only go back to May, when I moved the list off GoDaddy. The Cameroonians lost their top spot to the USA, unless you consider "Hits" more important than "Pages". Then they're Numero Uno again. But Germany beats them all in bandwidth.

This is completely different from the Extreme-DM stats page, which only counts "unique visitors".

Russia didn't even make it to the top ten. No love for хинки? Probably not, considering I scraped all their proxies.

Saturday, August 13, 2011

Port 8118 Proxies in the UAE


Besides all that proxy action going down in China, there have also been numerous flash mobs of port 8118 proxies lately in Muslim countries, especially the United Arab Emirates. But don't go rushing off to the List to find any. At the moment there's only one live port 8118 proxy in there.

Here is the breakdown by country. You can see the UAE (listed as AE below) is responsible for half of the total count.


They show up in groups and then they're gone, but if you can catch one on the first or second page, chances are it's alive.

8118 is well-known as the default port for Privoxy. In my experience, it's barely in the top twenty-five ports. As a matter of fact, it was #25 last time I checked. And when I checked, there were less than 8,000 total in the database.

Of those, about 2800 were in the UAE. 96% were listed this year. Of that number, 99.7% (2675) were listed since June first, which definitely qualifies as a flash mob.

Here is the breakdown by city...


It is definitely following the population of the UAE, but then these data always do.

My gut feeling is this is a symptom of the "Arab Spring", although the UAE has seen little civil unrest on that front. Perhaps they're opening their ports for their neighbors.

Or maybe they're just downloading porn protecting their privacy with Bit Torrent, since Privoxy seems to be a common Bit Torrent helper program.

Whatever the reason, they are there (when they're there), they're fast, and they're High Anon. If you find one, you might get an hour out of it.

The Last Days of Port 9415?


I just ran some quick numbers on the proxy database to see what's going on with ports 8909 and 9415. I did a couple of blog entries in May and June about port 9415, but I dropped the ball in July and then got distracted by port 8909 the first week of August.

What I found was this...


Port 9415 (blue) is indeed dropping like a rock and port 8909 (red) is becoming the dominant port.

Considering the source—public proxy lists—I have to wonder whether the proxy scanners have given up on 9415 or whether 9415 has simply run its course. With that in mind I looked at Dshield's data.


meh.

Hard to say. The "Target" line (green) reveals attempted port scans. Dshield gets their data from network dweebs who think their firewall logs are meaningful in some way, so their results are screwed skewed.

Here is Dshield's report on 8909...


Once again, we're looking at the green line. And once again... meh

Too bad there isn't a Chinese Dshield.

Have the scanners given up on port 9415? I would have to say no, but considering how awful those proxies were, I wouldn't blame them if they dropped 9415 in favor of the vastly superior port 8909 proxies. 9415 is just one number in a list of 65,535 numbers, and—trust me—they're scanning all of them.

I think there's some kind of real effect going on here. It would be nice if it was a result of my April disclosure about PPLiveAV, but it could be something else entirely.

Only about 750 unique addresses have been seen listening on both ports. Whether this is simply "DHCP churn" or users running both clients concurrently is unknown, but if it were a mass migration from the PPLive player to the Youku player, you'd think there would be more dual port database hits. However, from my research—which is limited at this time—I don't believe that the client software is interchangeable.

Time will tell where this trend is headed, but it's been less than a month since port 8909 showed up with the daily numbers it has now. If PPLiveAV was fixed, the "lessons learned" were lost on the developers of the Youku client software.

Wednesday, August 10, 2011

The things I do for you kidz

You may recall in March of this year, before the Great GoDaddy DMCA Takedown Incident, the machine running the Proxy Project died a terrible death. The sucker popped a heat sink and burnt itself out. I moved the project to a physical box—it had been a VM—and restored everything from backup. More precisely, I built a new box and restored the project—database and kidscripts—from backup.

I thought I had it nailed, but today I noticed I had missed one minor utility, gifsicle.

From the manpage...
gifsicle is a powerful command-line program for creating, editing, manipulating, and getting information about GIF images and animations.
I used it mostly on this site, one of those "dicey .ru domains" I've warned you about in the past...

It's not all that obvious at first glance, but the address/ports above are GIFs.  A number of proxy lists do this to prevent scraping, but it's ineffective and mostly it pisses off users who would rather simply cut&paste the information.

Since gifsicle was nowhere to be found on the hard drive, this site hadn't been scraped since March.  All gifsicle did was scale up the image for further processing by gocr, which converted the image back into text.

Once fixed, I ran my kidscript to see what I was missing.

I wasn't missing Jack Shit.  Same old crap.  Nothing that wasn't already in the database.  And less than 100 proxies total.

On top of the GIF trick this guy requires a cookie, which is a pain but not hard to pull off, but for this crap?  Dude, you're gonna get scraped and that guy will put your proxies in a list that will get scraped, so what is the point?  You're not guarding Fort Knox here.

Why do I bother?

Because I love doing this shit.

It's an obsession.

Saturday, August 06, 2011

TCP Port 8909 Proxies

If you've been paying attention to the Proxy List you will have noticed the ramp up of Chinese proxies on port 8909.

In May, I pulled a paltry 32.

Things picked up in June. I scraped up 185.

In July things took off for port 8909, with a grand total of 23807.

Less than a week into the month of August, I have over 16,000 new ones!

At this point I have only scraped the surface of this, but it appears to be a mobile product called Youku player. You can download the Android version here if you dare.

Once again, like port 9415, these things come and go.

But they're not going away.

UPDATE 9:30AM

Unlike their cousins on port 9415 these are actually pretty damned good High Anon proxies. The speed is great. None were blocked by 4chan, which is highly unusual for any proxy. It seems like those in Shanghai are the most reliable, but that's just my first impression.  YMMV.

Government spooks and contractors take note: you can use these to stage your false flag attacks!


UPDATE 08/07/2011 7:30AM

I pulled 3,268 of these proxies since midnight. Out of those, 116 were alive. That's a 3.5% live hit rate, which is about 3.5 times the usual live hit rate for public proxy lists (1 out of 100 is typical).

At this rate—assuming they don't fix it—August should end with over 60,000 of these proxies.

And, so far, they have staying power. I routinely overcheck all Chinese proxies, since they historically have been so ephemeral. This is why the List expands and contracts during the day.

UPDATE 08/09/2011 5:50AM

Wow. August's count is already past July's, with 27,190 of these proxies scraped since the first. The List is 20 pages long and 79% of the proxies are 8909'ers.

Just... wow.

Wednesday, August 03, 2011

3.99 Million Proxies

We'll probably hit the 4 million mark tomorrow morning during the 4AM run, but there's a slight chance of it happening before midnight.

3,425 to go.  Right on schedule.  We always seem to roll over another mill in August.

The List is here, in case you forgot.  The count is buried in the HTML, in a comment under the closing "head" tag.

UPDATE

08/04/2011 0615 — Hung at 3,999,984 proxies. 6AM run A.W.O.L.
08/04/2011 0715 — 4,000,571 proxies! w00t!

Saturday, June 11, 2011

Amazon EC2 Proxies

Back on Proxy Obsession, before I was so ignominiously bounced from GoDaddy, I mentioned an Irish proxy that was stable and fast. The IP belonged to Amazon Advanced Web Services, having a hostname ending in amazonaws.com.

I didn't think much about it at the time, other than to mention it, but it appears there are lots of folks putting up "private"—or so they believe—proxies on Amazon's "Elastic Compute Cloud" (a.k.a "EC2") service.

Well, surprise, they're not private and the proxy listers have been hunting and posting them for a long time, if my database is any indication.

I have them going back to 2008, when the list started, but there's been a lot of growth in this segment since 2010.

They're all either in Dublin or Seattle (with one outlier in Singapore), so that in itself is a dead giveaway. But GeoIP can't locate them all, so you really have to go by a reverse DNS lookup to tell for sure.

Here's a small sample of the DNS names I have collected...


Now, I have no idea whether these folks are violating Amazon's Terms of Service by doing this, and I really don't care whether they are or not, but there is all kinds of "HOWTO" information published on the Web on setting up a free EC2 proxy. Try this search, for example.

In fact the only reason I mention it now is Amazon's role in the recent SONY attack. Take for instance this Bloomberg report...
For three pennies an hour, hackers can rent Amazon.com Inc’s servers to wage cyber attacks such as the one that crippled Sony Corp’s PlayStation Network and led to the second-largest online data breach in U.S. history.  A hacker used Amazon’s Elastic Computer Cloud, or EC2, service to attack Sony’s online entertainment systems last month, a person with knowledge of the matter said May 13. The intruder, who used a bogus name to set up an account that’s now disabled, didn’t hack into Amazon’s servers...
So... there you have it.

With that in mind, I am now marking the IP address of EC2 proxies with a cross (†) on the proxy list. There aren't a lot of them, but they're in there.

Don't use them if you don't want to attract attention to yourself.

TCP 9415 Report for May 2011

Since my disclosure of the Chinese proxy issue back in April, I've been keeping an eye on the number of port 9415 proxies that pop up in the various lists I scrape every day.

This is how the numbers shook out for May 2011...


The month's total was up by ~16,000 proxies compared to April 2011, but the TCP 9415 percentage was down by 16 points.  April saw a 50/50 split between 9415 proxies and all others.

Comparing just the count of 9415 proxies, the numbers show a 20% drop from April.  China still has the biggest problem, but Taiwan, Hong Kong, Singapore, and Macau all managed to drop 30-50% by raw count.

I like to think I did that, but only time will tell.

Thursday, June 09, 2011

End of the SOCKS Bubble?


Let me say right up front that I haven't run the numbers in depth yet, but it looks like the SOCKS boom is BUSTED in proxyland.

At this point in time, glancing over The List you'll see a few on the traditional SOCKS port (1080) and those mysterious port 27977 proxies. Just last month there were pages and pages and pages of port-hopping SOCKS4 proxies.

Where are they now? Did someone take down a botnet?

I haven't heard anything on that particular front since Microsoft & Rustock back in March, but SONY, RSA, PBS, et al. have been hogging all the security news with their issues with LulzSec. You'd think after all that crap anyone who downed a botnet would be beating their drum pretty loud by now.

The daily numbers are pretty much the same. Every day I get 2500-5000 new proxies scraping the usual suspects. As usual, over half of them are Chinese, on port 9415.

I'm not all that sorry to see them go. Despite their usefulness for non-Web traffic, I have always preferred the plain old http (CERN) proxies, although lately I've been using a Glype proxy here and there (with NoScript & Ad Block to kill the ads they try to shove down your throat) just because they're easy to use and generally dependable.

Maybe they'll return, but I have a feeling they're gone for now.

Thursday, May 19, 2011

SOCKS Floaters

Here are two good examples of floating SOCKS proxies, taken from the latest database run.


The highlighted address was listening on two ports at the same time, but had also been seen on no less than six other ports during the same run.  The non-highlighted address was also listening on two distinct ports.  Those ports will eventually close and both addresses will reappear sooner or later on different ports.

This is more annoying than it is useful.

So what the hell is going on here?  I haven't done my homework yet, but I still have a gut feeling these are TOR nodes.  Of course, at one time I had a gut feeling all those Chinese proxies were malware, but we all saw how that turned out.

There are about 9,000 of these multi-port SOCKS4 proxies that have showed up since I started doing SOCKS back in March.  So many that I'm going to start flagging them on the list this weekend.

UPDATE 05/20/2011

I was somewhat surprised to see the number of plain old CERN proxies that were also running on floating ports, but they're still far outnumbered by the SOCKS floaters.

Since these SOCKS4 floaters seem to be as ephemeral as Chinese proxies, and therefore more trouble than they're worth, I am considering re-checking them between list publishing runs to keep their numbers down.  It doesn't help anyone to list them if they've moved on to another port.

Tuesday, May 10, 2011

23,000 IPs: 104 Proxies

The smackdown is on for 23,000 BitTorrent users who downloaded a Sylvester Stallone B-movie no one has ever heard of.  You can find the story at Wired.

You can also find a list of all the IP addresses here (PDF).

I figured this was right up my alley, so I compared the 23,000 addresses with the 3.7 million proxies in the database and got 104 hits (a whopping 0.45%).

149 if you count repeat offenders (the same IP address listening on different ports).

There is a smattering of obvious malware ports, mostly the ports Koobface has loved so much over the past two years (8085 and 9090), and our mystery port 27977.  There are a few traditional CERN type proxy ports (8080, 8000, etc), but the rest of them are all across the board, just like the SOCKS recidivists I mentioned on Proxy Obsession just before it went dark.

Are these repeat SOCKS4 offenders that we see in the proxy lists every fucking day actually BitTorrent clients on TOR?

I have to confess complete, utter stupidity on the inner workings of TOR, but I did some quick armchair research and it appears the likelihood is high that they are.  Or, at least, many may be.  TOR does indeed leverage SOCKS functionality, and, being part of the network, you'd have to leave the ports open, just waiting to be scanned by an army of proxy hunters.

And, the market for anonymizing BitTorrent over TOR is out there.

You learn something new every day.

If you have more information, enlighten me.

Saturday, May 07, 2011

It's Heeeeeeeeeeeere!

It seems that the Universe is conspiring against me, trying everything in its power to prevent the resurrection of the List.

But it's back now, and the Cameroonian puppy scammers are whacking it like there's no tomorrow.  The way things are going, they might be right.

Last night, after I tweeted the announcement of the List's imminent rebirth, my system died.  That makes three so far this year.  I don't even have a box to play UT on anymore, which sucks out loud.

Then, the past came back to haunt me.  When I first set the account up with GoneDaddy back in '05, I wanted to go with Linux and I had selected Linux as the platform, but I hit the back button to check something and reset the choice to Windows.  HUGE mistake, but I decided to live with it. 

BAD decision.

The problem?  Windows is case insensitive.  Linux is not.  Since I hacked most of my graphics together with mspaint, they all had UPPER CASE extensions. 

I ran across this issue last year when I was hacking around with Nginx as a front end for Windows IIS servers.  It's like oil and water.  They just don't mix.  In fact the only surefire way to beat the issue is to compile a case insensitive version of Linux, which breaks everything.

And of course, all the graphics files were backed up to the computer that died.

To top that issue off, I had used FileZilla to download the old site and in its infinite wisdom, it converted all those mixed case graphics to lower case.  If it had just left well enough alone, 90% of the graphics issues would have gone away.

But now all that's fixed and the List is up in all its former glory (minus the objectionable content that killed it--can you guess what that was?).  The Proxy Obsession links are all broken, of course, but I expect to fix that soon.

But not today.

Sunday, May 01, 2011

How To Cut The "Proxy Problem" In Half

For those who don't know (and you know who you are), I have been professionally involved with proxies of one sort or another for over fifteen years.  For the past three years I've taken it upon myself to study the issue of open proxies in depth.  I scrape all the well-known proxy lists available on the Web, geolocate the IP addresses and collect the whole mess in a MySQL database. 

Besides the well-known lists I have also been lucky enough to have stumbled upon some private, "for pay" proxy lists whose operators didn't know how to write a proper robots.txt file and a handful of hacker and SPAMmer sites that kept their own lists.  In fact 20% of the database came from just one of those hacker sites.

On the 19th of April, I published a notice explaining the origin of the ubiquitous port 9415 proxies, which result from insecure default settings in a popular software package with 100,000,000 (one hundred million) active users, most of whom live in China.  Someone didn't like that and as a result I'm no longer publishing my results in the venues you were used to finding them.  Except for this one, and there's no telling how long it will last.

Why?  Here's some Wild Speculation™.  You don't have to believe a word of it.  It's presented to make you go "hmmm".  If you own a tinfoil hat, please put it on now.

There has been a lot of press about cyberwar these days.  And a lot of hype.  But there have been few skeptics (see this Forbes article for a good dose of cyberskepticism).  A lot of the hype could be spin from the HBGary story of earlier this year.  Spin in the form of generating fear.  We must protect ourselves from the Cyber Boogie Man.

So what, if anything, does this have to do with Chinese proxies?  They make an excellent choice for covert false flag operations.  A jump point if you need to convince someone (perhaps with budget authority) of the grim reality of an Advanced Persistent Threat.

That's it.  At least it makes me go "hmmm".  I would think that someone would like to see these proxies disappear, especially the company that wrote the software, unless they're spooks, too.

With that in mind, we're going to track these proxies for the next few months.  I have a feeling they will never go away, even though it should be a simple fix for the people who wrote the software.  Here are the numbers as I saw them for April, 2011:


As you can see, port 9415 proxies are almost half of all proxies published on proxy lists.  For the people who think proxies are a Bad Thing, there you go.  Fix these and you cut the problem in half.  I'll even let you take all the credit for doing it.  You'll be heroes.

And I'll be the Bad Guy.

Again.


Saturday, April 23, 2011

Insecure Defaults In PPLiveVA Client

The Great Firewall is full of holes.

From http://www.synacast.com/en/ ...

"PPLive has more than 200 million user installations and its active monthly user base (as of Dec 2010) is 104 million, i.e., PPLive has a 43% penetration of Chinese internet users. With its innovative user experiences, such as live chatting, and SNS, average viewing time per person per day has reached over 2 hours and 30 minutes, the highest stickiness among all China websites."

The Intro
=========
Anyone who has followed public proxy lists in the past year has noticed there are thousands of new open proxies listening on port 9415 listed every day. In the past year I have documented over 394,000 port 9415 proxies from these public lists. Geolocation of the IP addresses indicates they are widespread mostly in China but also in Taiwan, Macau, Hong Kong, and pockets of the US where Chinese is likely to be spoken.

I initially suspected some kind of malware. Finding nothing in Google (searching for 9415 will get you a lot of proxy lists), I eventually started searching Baidu. The results were immediate.

These proxies are built into the PPLiveVA client to retrieve an internal PAC (proxy autoconfiguration) file from the following URL:

http://localhost:9415/tudouva.pac

Replacing "localhost" with the IP of an active port 9415 proxy (if you can find one) will get you the PAC file, shown below:

function FindProxyForURL(url, host) {
    // Plain host names, non-http URLs and anything aimed at the local machine go DIRECT
    if (isPlainHostName(host) || url.substring(0, 5) != "http:" ||
        shExpMatch(url, "http://localhost:*") || shExpMatch(url, "http://127.0.0.1:*"))
        return "DIRECT";
    // Only video files (flv/mp4/m4v/f4v) are routed through the local port 9415 listener
    if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
        shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) {
        // One host is exempted and fetched directly
        if (shExpMatch(url, "*hzplayer0.tudou.com*"))
            return "DIRECT";
        else
            return "PROXY 127.0.0.1:9415";
    }
    else
        return "DIRECT";
}

Obviously, the proxy should be listening on 127.0.0.1 only, but in practice it listens on all interfaces.
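To see exactly which requests this PAC hands to the port 9415 listener, here is an added example (not code from the original post or from the PPLive client) that implements the two PAC helper functions, isPlainHostName and shExpMatch, following standard PAC semantics, and runs the rule above over a few constructed URLs. The helpers hostOf and routeAll and the example.net hosts are my own assumptions for illustration.

```javascript
// Assumed implementation of the PAC helper isPlainHostName:
// true when the host has no dots (e.g. "localhost").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Assumed implementation of the PAC helper shExpMatch:
// shell-style glob where "*" matches any run of characters and "?" one character.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters, except * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The rule from tudouva.pac as shown in the post, with unchanged behaviour.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || url.substring(0, 5) != "http:" ||
      shExpMatch(url, "http://localhost:*") || shExpMatch(url, "http://127.0.0.1:*"))
    return "DIRECT";
  if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
      shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) {
    if (shExpMatch(url, "*hzplayer0.tudou.com*"))
      return "DIRECT";
    else
      return "PROXY 127.0.0.1:9415";
  }
  return "DIRECT";
}

// Derive the host argument the way a browser does before calling FindProxyForURL.
function hostOf(url) {
  const m = /^[a-z]+:\/\/([^\/:?#]+)/i.exec(url);
  return m ? m[1] : url;
}

// Evaluate the PAC for every URL and return a url -> decision map.
function routeAll(urls) {
  const out = {};
  for (const u of urls) out[u] = FindProxyForURL(u, hostOf(u));
  return out;
}

// Constructed sample URLs (hypothetical hosts); only the first two are proxied.
const SAMPLE_URLS = [
  "http://video.example.net/clip.flv",       // video over http  -> PROXY 127.0.0.1:9415
  "http://video.example.net/clip.mp4?x=1",   // "*.mp4*" also matches with a query string
  "http://hzplayer0.tudou.com/clip.flv",     // the one exempted host -> DIRECT
  "https://video.example.net/clip.flv",      // not "http:" -> DIRECT
  "http://localhost:9415/tudouva.pac",       // the PAC itself -> DIRECT
  "http://video.example.net/index.html",     // not a video extension -> DIRECT
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(routeAll(SAMPLE_URLS));
}
```

The rule only ever names 127.0.0.1 as the proxy, which is why a listener that also accepts connections on the external interface is a defect in the client's bind address rather than in the PAC.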

The Outro
=========
It looks like there are 100 million open proxies in China, thanks to this software. Pick a Chinese IP address, scan for port 9415. You'll get one sooner or later. I don't consider this a 0day, since it's been going on for over a year. Responsible disclosure? meh. A little late for that.

The fact is, they're pretty crappy proxies.

More Info
=========
http://proxyobsession.net/?p=1534

More Proxies
============
http://www.mrhinkydink.com/proxies.htm

Originally published 04/19/2011