« October 2009 · April 2010 · November 2015 »

December 2009
January 2010
February 2010


  • No entries for February 2010.
  • 29.01.2010: See below.
  • 19.01.2010: Cyber Espionage: Death by 1000 Cuts
  • 16.01.2010: DDoS for Hire - More cooperation, or new competition? UPDATED
  • 09.01.2010: DDoS for Hire - More cooperation, or new competition?
  • 16.12.2009: Conficker may be forgotten, but it's not gone...
  • 14.12.2009: When PDFs Attack II - New Adobe Acrobat [Reader] 0-Day On the Loose
Newest first Oldest first

Friday, 29 January 2010

Pushdo DDoS'ing or Blending In?

Is your site on the list we have posted here or in the table at the bottom of this page? If so you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No you didn't read that wrong that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you're used to only getting a few hundred or thousands of hits a day or you don't have unlimited bandwidth.

What's going on here? Well it seems the Pushdo botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites. Special thanks to Joe Stewart from SecureWorks for pointing this out earlier in the week when some of us were scratching our heads. Our friends over at ZeuS tracker noticed a big uptick in port 443 traffic to their website early this week. They thought they were being DDoS'd. Technically they are being attacked, although knocking the sites offline doesn't seem to be the goal. The bots seem to start to initiate an SSL connection and a bit of junk to the websites and then disconnect. They do not actually request an resources from the website or do anything else other than repeat the cycle periodically. They are doing this to hundreds of sites all day long. We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn't quite look like a DDoS either.

ZeuS tracker tells us they have counted multiple hundreds of thousands of unique IPs hitting their site in just over a 24 hour period. This is a lot of bots generating a lot of traffic. Check the list below or the link above to see if you too are a lucky recipient of this traffic.

To give you an idea of how quickly these the botnet looks up these sites, we've posted a Wireshark screen shot below.

A Solution to the Problem?

Unfortunately for the hostnames below, changing your IP address might be a short temporary reprieve from some of the bots that have the old IP cached. However, they will eventually find your site again as they are actual DNS entries and not in there by IP address. If you operate one of the IP addresses in the list, you could likely change IPs to head off this issue since they are not using a hostname in these cases. If someone has good way to mitigate these attacks that we can post, please feel free to send us an e-mail and we will post it up for others.

Site List that Pushdo is Attacking/Sending Traffic To

The table below is a list of all of the sites for which Pushdo has been making or attempting to make SSL connections. This might help explain a large uptick in traffic for many. If not then you might want to take a closer look.

1 2 3 4 labs.ericsson.com sso.state.mi.us www.icsalabs.com launchpad.net stat.komet.ru www.imcworldwide.org lg3d-core.dev.java.net stat.profintel.ru www.indianacareerconnect.com light.webmoney.ru store.gearboxsoftware.com www.inhope.org liqpay.com store.omnigroup.com www.insight.com live.xbox.com support.msn.com www.intwayfunds.com login.postini.com testpilot.mozillalabs.com www.intwaypassport.com mail.internet2.edu thepiratebay.org www.ippc.int mail.riseup.net tickets.landmarktheatres.com www.it-isac.org mappoint-css.live.com tips.fbi.gov www.jieddo.dod.mil mashedlife.com tms.symantec.com www.kaiserpermanente.org mcp.microsoft.com toefl-registration.ets.org www.key.com mfi-assets.ecb.int torstat.xenobite.eu www.last.fm microsoft.embeddedoem.com trac.cakephp.org www.mail.yale.edu money.yandex.ru twitter.com www.manpower.usmc.mil mozillalabs.com ucclaim-wi.org www.medicalcountermeasures.gov mozy.com uce.ieee.org www.mesh.com mwe.dllr.state.md.us ugsp.nih.gov www.microplace.com my.ispsystem.com unp.un.org www.microsoft.com.nsatc.net my.pair.com us.etrade.com www.microsoftfinancing.com my.pbworks.com vacancies.gns.cri.nz www.mobi-money.ru my.t-mobile.com webcenter.applyyourself.com www.mochimedia.com my.usda.gov webgis.usc.edu www.moneymail.ru
abonent.udm.vt.ru mya.godaddy.com wfis.wellsfargo.com www.myfloridalicense.com
acc.dau.mil myaccount.ddo.com wiki.ubuntu.com www.mylookout.com
accesstraining.dest.gov.au mygrantinfo.csac.ca.gov wist.echo.nasa.gov www.mymeetings.com
acemanager.bnpparibas.com myrewardzone.bestbuy.com wm.exchanger.ru www.myresearchproject.org.uk
adcenter.looksmart.com mytax.iras.gov.sg www-1.redhatmagazine.com www.ncoic.org
addons.mozilla.org nafpay.afsv.net www.23andme.com www.nebraska.gov
admin.acrobat.com netbenefits.fidelity.com www.24hraccess.com www.noridianmedicare.com
admin.fedoraproject.org nhworksjobmatch.nhes.nh.gov www.accountonline.com www.notams.jcs.mil
affiliate-program.amazon.com ns.iana.org www.activeu.org www.npdb-hipdb.hrsa.gov
app01.usatogether.org oh.train.org www.annualcreditreport.com www.nysdot.gov
bank.eximb.com one.ubuntu.com www.arizonavirtualonestop.com www.openeco.org
bespin.mozilla.com online.kitco.com www.artemisia-association.org www.optoutprescreen.com
billing.kpi.ua open.umich.edu www.arvest.com www.or-medicaid.gov
blog.startcom.org openid.net www.avuecentral.com www.paypal-marketing.co.uk
blogs.apache.org oscar.symplicity.com www.aw2.army.mil www.paypal-shopping.com
book.malaysiaairlines.com partner.microsoft.com www.badgeguys.com www.paypal.com
bookstore.transportation.org passport.webmoney.ru www.bankofky.com www.peoples.com
bsd.officedepot.com pay.spacegate.bz www.beartracks.ualberta.ca www.pmf.opm.gov
bugs.webkit.org personal.vanguard.com www.bluetooth.org www.racf.bnl.gov
cabig.nci.nih.gov player.helixcommunity.org www.bmoinvestorline.com www.redhat.com
cc.readytalk.com portal.accaglobal.com www.bpn.gov www.regnow.com
chrome.google.com portal.bccampus.ca www.bwin.com www.researchgate.net
co.clickandpledge.com portal.gs.com www.capitaller.ru www.revisor.mn.gov
connect.microsoft.com privat24.privatbank.ua www.caro.net www.rhce.ca
cpdsearch.tda.gov.uk products.appliedbiosystems.com www.cci-icc.gc.ca www.rkb.us
data.nasdaq.com profile.ea.com www.cdproject.net www.sans.org
depot.info.apple.com qolps.qub.ac.uk www.chase.com www.sbrf.ru
destroytwitter.com reach-it.echa.europa.eu www.cia.gov www.securityguidance.com
developer.mozilla.org recruit.ap.uci.edu www.commonapp.org www.sedex.org.uk
dod-emall.dla.mil research.venterinstitute.org www.copilot.com www.seringas.caissedesdepots.fr
donate.doctorswithoutborders.org review.ieice.org www.cresis.ku.edu www.shakeweight.com
donate.pih.org rita.nrf.gov.sg www.cu.edu www.shareholder.ru
donotcontact.utah.gov riweb.rotaryintl.org www.directvote.net www.sitelutions.com
dragon.pop.indiana.edu rr-n1-tor.opensrs.net www.donate.bt.com www.snapnames.com
e-gap.royalsociety.org rsr-olymp.ru www.donhr.navy.mil www.spdrs.com
ebidmarketplace.com sa.www4.irs.gov www.dreamspark.com www.studentloan.com
eduforge.org sailearningconnection.skillport.com www.dropbox.com www.studyabroad.uiuc.edu
eopen.microsoft.com scaccess.communityos.org www.dtic.mil www.sugarsync.com
erecruit.ilo.org schoolalerts.iowa.gov www.e-typedesign.co.uk www.telebank.ru
fjallfoss.fcc.gov seal.verisign.com www.employflorida.com www.theabfm.org
forge.betavine.net secure.grepular.com www.etde.org www.torproject.org
forum.defcon.org secure.in.gov www.fastlane.nsf.gov www.trustwave.com
forums.garmin.com secure.logmein.com www.fpds.gov www.uibenefits.dol.ks.gov
forums.nordrus.info secure.ncjoblinkmis.com www.fsd.gov www.urs.apply2jobs.com
forums.weather.com secure.skype.com www.geezeo.com www.vancity.com
garage.maemo.org secure.ssa.gov www.glgpartners.com www.virtualizationhero.net
germany.embassy.gov.au serviceguide.megafonnw.ru www.gtap.agecon.purdue.edu www.webmoney.kz
gn.eoil.ru serviceguide.megafonvolga.ru www.guardiananytime.com www.windowsupdate.com
golearn.csd.disa.mil shop.aafes.com www.habitat.org www.x.com
hostmaster.net.ua shop.maxim-ic.com www.healthspace.nhs.uk www.yahoo.com
https.openbsd.org signup.live.com www.hedgefundresearch.com www.yammer.com
imo.im slx.sun.com www.hibernate.org www134.americanexpress.com
incometaxindiaefiling.gov.in solvnet.synopsys.com www.hnfs.net www2.gotomeeting.com
iz.mersyss.ru spaces.internet2.edu www.hsdl.org z-payment.ru
javacc.dev.java.net ssl.bing.com www.huntington.com zeustracker.abuse.ch

=>Posted January 29, 2010, at 11:10 AM by Steven Adair