News Insider Threat
Botnet Floods Major Websites With Fake SSL Connections
DDoS-like traffic surge against CIA, Chase, Google Chrome, FBI, and others has researchers puzzled by Pushdo botnet's plans
A spamming botnet known for keeping a low profile has been hammering hundreds of Websites -- including the CIA, Chase, Mozilla Labs, Twitter, SANS, Google Chrome, and the FBI -- during the past week with an unusually conspicuous amount of phony traffic that has researchers rushing to analyze its next move.
The Pushdo botnet, a.k.a. "Cutwail" and "Pandex," has been flooding those sites with bogus SSL connections that stop short of requesting anything from the Website. The infected bots begin to initiate an SSL connection with some "junk" traffic and then disconnect, according to The Shadowserver Foundation. Shadowserver and other researchers have been monitoring the activity, which increased traffic by several million hits across several hundred thousand IP addresses, according to Shadowserver.
More Security Insights
White PapersMore >>
The botnet hit the ZeusTracker Website, for example, with hundreds of thousands of different IP addresses within a 24-hour period. "This is a lot of bots generating a lot of traffic," blogged Steven Adair, a researcher with Shadowserver. Recent code changes to Pushdo resulted in its bots generating the "junk" SSL connections to the 315 Websites, he said.
So what is Pushdo up to? Joe Stewart, director of malware research for Secureworks, says the botnet is making fake SSL connection attempts: Malformed packets cause the server to return an SSL negotiation error. "By adding the initial header of an SSL conversation, they may be attempting to avoid closer scrutiny by less vigilant inspection devices," Stewart says. "And by sending a flurry of these connections to a number of legit 'decoy' sites, it helps the Pushdo C&C [command and control] traffic blend in and remain undetected in some cases," he says.
It's unclear thus far whether this is a test-run for phony SSL connections gone amuck that ended up exposing this Pushdo traffic, or something else. Stewart says it's possible there could be more to the latest activity, such as the botnet's rotating its target lists. "It's hard to say," he says.
Blending in has traditionally been Pushdo's trademark: Although it's one of the top five spamming botnets, it's also one of the more under-the-radar botnets around. But this latest activity has researchers wondering how this massive surge of traffic, which resembles a distributed denial-of-service (DDoS) attack, would ultimately help its traffic blend in and become less detectable.
Shadowserver says the traffic is technically an attack, even though it doesn't appear to be trying to knock the sites offline like a DDoS does. "We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn't quite look like a DDoS either," Adair says.
Secureworks' Stewart says he has witnessed botnets sending traffic via SSL or port 443, but this phony SSL connection attempt is a first. "The Pushdo C&C protocol now also uses similar packets to encapsulate its encrypted/compressed phone-home requests," he says. "Port 443 is commonly being used to proxy all kinds of non-SSL traffic by legit applications and bots alike, so it stands to reason that a heuristic one might look for suspicious or firewall-policy-violating traffic connections over port 443 that aren't using SSL. "
The surge in traffic from Pushdo could cause problems for Websites with limited bandwidth and that typically get only a few hundred to a few thousand hits daily, Shadowserver says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.