Tracking Malware With Public Proxy Lists

Public open proxy lists have been compiled and published on the Web for over adecade. A simple search for proxy list will return hundreds of thousands of results from sites offering anonymity and privacy for Web surfers, often as a comeand#8208;on for paid, Elite services. The pages of many of these sites list hundreds of Internet Protocol (IP) addresses and port numbers of hosts across the world. Individually, these sites represent a nuisance, but collectively they contain a massive amount of data that can be leveraged to ascertain and often predict the spread of certain forms of malware. With simple tools, it is possible to establish a baseline of known proxies, monitor the most active sites, and track the spread of new proxies over time, often with surprising results. A two and a half year study of proxy lists demonstrates that evidence of the Koobface worm appeared in these lists months before press reports of its spread appeared. It is recommended that the security community monitor the valuable information these lists contain.