Botnet Targets Web Sites With Junk SSL Connections

angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat." SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.

Re:nginx to the rescue?

[JWSmythe]

    It sounds like some pretty old fashion DoS/DDoS attacks. What's so fancy about initiating multiple requests, and leaving them hanging? Folks have been tuning up their http servers to handle this for years. Why can't they tune up their https side too, other than the admins being lazy or inept?

Re:nginx to the rescue?

[lastomega7]

I don't think the point is for denial of service. If all the nodes on the botnet send out requests that are indistinguishable from a command from the botnet controller it makes for a nice cloaking shield for the command center.

Re:nginx to the rescue?

[JWSmythe]

    Not really.

    I've had to parse logs for similar things. Thousands of requests hit a particular exploitable web page, but only one or two IP's are sending further information. It's easy to trim it down the list of candidates, and find who the real problem is.

    That's what the feds do in any investigation. They have a broad list of suspects. They eliminate folks until they have their persons of interest, and then down to the guy who they'll be convicting.

Re:From TFA

[Mr. Freeman]

Why is this such a good solution? Have people forgotten how to parse logs? Shouldn't be that difficult to differentiate a connect/disconnect from a connect, send real data, disconnect.

Re:How to stop bot nets

[Anonymous Coward]

is that because the antivirus program makes the computer crawl to a halt so the bot program has no CPU resources left to run?

ftfy

[Anonymous Coward]

    Not really.

    I've had to parse logs for similar things. Thousands of requests hit a particular exploitable web page, but only one or two IP's are sending further information. It's easy to trim it down the list of candidates, and find who the real problem is.

    That's what the feds do in any investigation. They have a broad list of suspects. They eliminate folks until they have their persons of interest, and then down to the guy who they'll be charging.

Re:From TFA

[Anonymous Coward]

Dude, like maybe it doesn't NEED to send anything.
Maybe like, the connections themselves ARE the data.
Whoooaaa.

Re:From TFA

[Runaway1956]

Moral standards? What are those? God, I hate obscure standards!!

Oh, wait - didn't Microsoft Embrace, Extend, and Extinguish moral standards years back? It's hard to remember . . .

Re:time for a bayesian protocol filter?

[zix619]

the problem is that it takes so much CPU load and time for training and in addition what to do with the false positives?