Slashdot Mirror


Botnet Targets Web Sites With Junk SSL Connections

angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat." SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.

9 of 64 comments

  1. Re:nginx to the rescue? by JWSmythe · Score: 1, Insightful

        It sounds like some pretty old-fashioned DoS/DDoS attacks. What's so fancy about initiating multiple requests, and leaving them hanging? Folks have been tuning up their http servers to handle this for years. Why can't they tune up their https side too, other than the admins being lazy or inept?

    --
    Serious? Seriousness is well above my pay grade.
  2. Re:nginx to the rescue? by lastomega7 · Score: 2, Insightful

    I don't think the point is for denial of service. If all the nodes on the botnet send out requests that are indistinguishable from a command from the botnet controller it makes for a nice cloaking shield for the command center.

  3. Re:nginx to the rescue? by JWSmythe · Score: 4, Insightful

        Not really.

        I've had to parse logs for similar things. Thousands of requests hit a particular exploitable web page, but only one or two IPs are sending further information. It's easy to trim down the list of candidates, and find who the real problem is.

        That's what the feds do in any investigation. They have a broad list of suspects. They eliminate folks until they have their persons of interest, and then down to the guy who they'll be convicting.

    --
    Serious? Seriousness is well above my pay grade.
  4. Re:From TFA by Mr.+Freeman · Score: 3, Insightful

    Why is this such a good solution? Have people forgotten how to parse logs? Shouldn't be that difficult to differentiate a connect/disconnect from a connect, send real data, disconnect.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
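The log triage that comments 3 and 4 describe (separate the connect-and-drop noise from connections that actually carried application data, then look at who is left) is sketched below as an added example. It is not code from the original thread, from SecureWorks, or from any Pushdo analysis. The one-line-per-connection log format, the field names (`hs=`, `app_bytes=`, `req=`) and the sample lines are all constructed for this illustration; on a real server you would derive the same two facts (did the handshake complete, and how many application bytes followed it) from a TLS-aware access log or a connection log.

```python
"""Separate TLS connect-and-drop noise from connections that carried real data.

Constructed example: the log format below is made up for this illustration,
not a real server's format. One line per finished connection to the HTTPS
port, with fields: timestamp, client IP, handshake outcome (ok/abort),
bytes of application data received after the handshake, and the HTTP
request line ("-" when nothing was sent).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: three bots that only connect and drop, one plain
# client that sends a request, one host that does both, and one junk line.
SAMPLE_LOG = """\
2010-01-29T12:00:01Z 192.0.2.10 hs=ok app_bytes=0 req="-"
2010-01-29T12:00:01Z 192.0.2.11 hs=ok app_bytes=0 req="-"
2010-01-29T12:00:02Z 192.0.2.10 hs=abort app_bytes=0 req="-"
2010-01-29T12:00:02Z 198.51.100.7 hs=ok app_bytes=412 req="GET /index.html HTTP/1.1"
2010-01-29T12:00:03Z 192.0.2.12 hs=ok app_bytes=0 req="-"
2010-01-29T12:00:03Z 192.0.2.11 hs=ok app_bytes=0 req="-"
2010-01-29T12:00:04Z 192.0.2.12 hs=ok app_bytes=0 req="-"
2010-01-29T12:00:04Z 203.0.113.5 hs=ok app_bytes=0 req="-"
2010-01-29T12:00:05Z 203.0.113.5 hs=ok app_bytes=918 req="POST /upload HTTP/1.1"
this line is garbage and should be skipped
2010-01-29T12:00:06Z 192.0.2.10 hs=ok app_bytes=0 req="-"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"hs=(?P<hs>ok|abort) app_bytes=(?P<app>\d+) req=\"(?P<req>[^\"]*)\"$"
)


@dataclass
class IpStats:
    connections: int = 0
    empty: int = 0        # handshake (complete or aborted), then close, no app data
    with_data: int = 0    # connections that carried application data
    requests: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "hs": m["hs"],
            "app_bytes": int(m["app"]), "req": m["req"]}


def aggregate(lines):
    """Count, per client IP, empty connections versus ones that sent data."""
    stats = defaultdict(IpStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # a noisy log should not abort the whole triage
        s = stats[rec["ip"]]
        s.connections += 1
        if rec["app_bytes"] == 0:
            s.empty += 1
        else:
            s.with_data += 1
            s.requests.append(rec["req"])
    return dict(stats)


def classify(stats):
    """Split IPs into pure noise, data-only clients, and hosts that did both.

    'mixed' is the interesting bucket: a host that sends real data while also
    producing connect-and-drop noise is exactly the candidate the comments
    above say the noise fails to hide.
    """
    out = {"noise_only": [], "data_only": [], "mixed": []}
    for ip, s in sorted(stats.items()):
        if s.with_data == 0:
            out["noise_only"].append(ip)
        elif s.empty == 0:
            out["data_only"].append(ip)
        else:
            out["mixed"].append(ip)
    return out


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG.splitlines())
    for bucket, ips in classify(stats).items():
        print(bucket, ips)
    for ip in classify(stats)["mixed"]:
        print(ip, stats[ip].requests)
```

Two caveats a practitioner would want. First, this filter keys only on application bytes, so if the signal is carried by the connections themselves (their count or timing) rather than by data inside them, every bot lands in `noise_only` and nothing is flagged; that is a limitation of this approach, not evidence that nothing is there. Second, the buckets only shrink the candidate list; the `mixed` hosts still need their actual requests reviewed before anyone is accused of anything.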
  5. Re:How to stop bot nets by Anonymous Coward · Score: 5, Insightful

    Is that because the antivirus program makes the computer crawl to a halt so the bot program has no CPU resources left to run?

  6. ftfy by Anonymous Coward · Score: 1, Insightful

        Not really.

        I've had to parse logs for similar things. Thousands of requests hit a particular exploitable web page, but only one or two IPs are sending further information. It's easy to trim down the list of candidates, and find who the real problem is.

        That's what the feds do in any investigation. They have a broad list of suspects. They eliminate folks until they have their persons of interest, and then down to the guy who they'll be charging.

  7. Re:From TFA by Anonymous Coward · Score: 2, Insightful

    Dude, like maybe it doesn't NEED to send anything.
    Maybe like, the connections themselves ARE the data.
    Whoooaaa.

  8. Re:From TFA by Runaway1956 · Score: 2, Insightful

    Moral standards? What are those? God, I hate obscure standards!!

    Oh, wait - didn't Microsoft Embrace, Extend, and Extinguish moral standards years back? It's hard to remember . . .

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  9. Re:time for a bayesian protocol filter? by zix619 · Score: 2, Insightful

    The problem is that it takes so much CPU load and time for training, and in addition, what to do with the false positives?