Botnet Targets Web Sites With Junk SSL Connections 64
angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat." SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.
Re:SSL traffic (Score:5, Informative)
Do they realise that SSL traffic causes a higher load on the server than a regular request? This would be an indication it is trying to bring the site down.
Requesting an SSL connection and then never making it takes a lot less load than actually retrieving a page. It doesn't really suggest a takedown attempt, for which there are superior strategies.
Re:From TFA (Score:5, Informative)
infected computers (Score:3, Informative)
"Once executed the malware first tests to see if it's currently running as the hardcoded value "rs32net.exe" in the system folder (C:\Windows\System32 [trendmicro.com] by default)"
$employer is on the target list of pushdo drones (Score:3, Informative)
According to our graphs, our targeted frontend is taking the drone's trashy SSL requests like a champ (reverse-proxies are humming as expected, no inordinate load, etc).
You too can see if you are on the hitlist: http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129 [shadowserver.org]
Over the last 24 hours add more to the list! (Score:2, Informative)