Slashdot Mirror

← Back to Stories (view on slashdot.org)

Botnet Targets Web Sites With Junk SSL Connections

Posted by kdawson on from the look-over-there dept.

angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat." SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.

5 of 64 comments (clear)

  1. Re:SSL traffic by drinkypoo · · Score: 4, Informative

    Do they realise that SSL traffic causes a higher load on the server than a regular request? This would be an indication it is trying to bring the site down.

    Requesting an SSL connection and then never making it takes a lot less load than actually retrieving a page. It doesn't really suggest a takedown attempt, for which there are superior strategies.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Re:From TFA by scdeimos · · Score: 4, Informative

    I tend to agree with you that this sort of thing should still be relatively easy to pickup in logs - on proxies as well as the border routers. A lot of people are probably forgetting that SSL through proxies still needs a CONNECT originserver:443 HTTP/1.x request, which gets logged, even if all of the traffic is encrypted on the tunnel after that.

  3. infected computers by viralMeme · · Score: 2, Informative

    What desktop Operating System does this Pushdo botnet require to operate ?

    "Once executed the malware first tests to see if it's currently running as the hardcoded value "rs32net.exe" in the system folder (C:\Windows\System32 by default)"

  4. $employer is on the target list of pushdo drones by nfsilkey · · Score: 2, Informative

    According to our graphs, our targeted frontend is taking the drone's trashy SSL requests like a champ (reverse-proxies are humming as expected, no inordinate load, etc).

    You too can see if you are on the hitlist: http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129

  5. Over the last 24 hours add more to the list! by NSN+A392-99-964-5927 · · Score: 2, Informative

    Apple, Customs and Excise UK Inland Revenue. Greater Manchester Police. My friend is a dev and net admin at PayPal/Ebay and although he shall remain nameless for his privacy. In his own words bunch of lazy fat cat bastards. Sorry for swearing, but he has been a guru in IT for the past 30 years and a top programmer. He said he is trying to undo and secure systems where security is very lax indeed and said it is like banging his head against a brick wall with some very senior management.

    --
    All cows eat grass!