Botnet Targets Web Sites With Junk SSL Connections

angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat." SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.

Re:SSL traffic

[drinkypoo]

Do they realise that SSL traffic causes a higher load on the server than a regular request? This would be an indication it is trying to bring the site down.

Requesting an SSL connection and then never making it takes a lot less load than actually retrieving a page. It doesn't really suggest a takedown attempt, for which there are superior strategies.

Re:From TFA

[scdeimos]

I tend to agree with you that this sort of thing should still be relatively easy to pickup in logs - on proxies as well as the border routers. A lot of people are probably forgetting that SSL through proxies still needs a CONNECT originserver:443 HTTP/1.x request, which gets logged, even if all of the traffic is encrypted on the tunnel after that.