Friday, 29 January 2010

Pushdo DDoS'ing or Blending In?

Is your site on the list we have posted here or in the table at the bottom of this page? If so, you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? You are likely seeing an unexpected increase of several million hits spread across several hundred thousand IP addresses. No, you didn't read that wrong: millions of hits from hundreds of thousands of IP addresses. This is a big deal if you are used to only getting a few hundred or a few thousand hits a day, or if you don't have unlimited bandwidth.

What's going on here? It seems the Pushdo botnet recently changed its code to make infected nodes create junk SSL connections to approximately 315 different websites. Special thanks to Joe Stewart of SecureWorks for pointing this out earlier in the week while some of us were scratching our heads. Our friends over at ZeuS Tracker noticed a big uptick in port 443 traffic to their website early this week and thought they were being DDoS'd. Technically they are being attacked, although knocking the sites offline does not seem to be the goal. The bots initiate an SSL connection, send a bit of junk to the website, and then disconnect. They do not request any resources from the site or do anything else; they simply repeat the cycle periodically, against hundreds of sites, all day long. We find it hard to believe this much activity is meant to make the bots blend in with normal traffic, but at the same time it does not quite look like a DDoS either.

ZeuS Tracker tells us they have counted several hundred thousand unique IPs hitting their site in just over a 24-hour period. That is a lot of bots generating a lot of traffic. Check the list below, or the link above, to see whether you too are a lucky recipient of this traffic.
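The traffic shape described above (an SSL handshake, a few bytes of junk, no HTTP request, and each bot connecting only a handful of times) is what separates this from both normal browsing and a classic flood. As an added example, not code from this post or from Shadowserver, the script below runs that test over a constructed connection log. The log format (one line per finished connection to port 443: epoch time, source IP, bytes sent by the client, number of HTTP requests) and the detection thresholds are assumptions sized for the tiny sample; a real deployment would feed it from the web server's or load balancer's connection log and use far larger thresholds.

```python
"""Flag a Pushdo-style flood of junk SSL connections in a connection log.

This is an added example, not code from the original post or from
Shadowserver.  The log format is constructed for the example: one line
per finished TCP connection to port 443, with the fields

    epoch_seconds  src_ip  bytes_from_client  http_requests

A bot that opens an SSL session, pushes a little garbage and hangs up
shows up as a connection with a few client bytes and zero HTTP requests,
so the detector keys on that shape rather than on raw request volume.
"""
from collections import Counter

# Constructed sample: two legitimate visitors (several requests each) and
# a burst of junk connections from many distinct addresses.  A real
# Pushdo flood is millions of connections from hundreds of thousands of IPs.
SAMPLE_LOG = """\
1264780800 198.51.100.7  1420 3
1264780801 203.0.113.10    95 0
1264780801 203.0.113.11   102 0
1264780802 203.0.113.12    88 0
1264780802 192.0.2.55    4210 6
1264780803 203.0.113.13    97 0
1264780803 203.0.113.14    91 0
1264780804 203.0.113.15    99 0
1264780804 203.0.113.10    93 0
1264780805 203.0.113.16    90 0
1264780805 203.0.113.17   101 0
"""


def parse_log(text):
    """Parse the constructed format into (ts, src_ip, client_bytes, requests)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, nbytes, nreq = line.split()
        records.append((int(ts), ip, int(nbytes), int(nreq)))
    return records


def is_junk(record, max_client_bytes=256):
    """True for an SSL connection that never issued an HTTP request and
    sent only a handful of bytes (the Pushdo handshake-and-hang-up shape)."""
    _, _, client_bytes, requests = record
    return requests == 0 and client_bytes <= max_client_bytes


def summarize(records):
    """Counts that drive the decision: how much of the traffic is junk
    and how widely the junk is spread across source addresses."""
    junk = [r for r in records if is_junk(r)]
    sources = {r[1] for r in junk}
    return {
        "total": len(records),
        "junk": len(junk),
        "junk_ratio": len(junk) / len(records) if records else 0.0,
        "junk_sources": len(sources),
        # Close to 1.0 means each bot connects only once or twice, which is
        # why per-IP rate limiting does little against this traffic.
        "junk_per_source": len(junk) / len(sources) if sources else 0.0,
    }


def looks_like_pushdo(records, min_junk_sources=5, min_junk_ratio=0.5):
    """Report a flood when junk connections dominate and come from many
    distinct sources.  Thresholds here are sized for the tiny sample;
    production values would be orders of magnitude higher."""
    s = summarize(records)
    return s["junk_sources"] >= min_junk_sources and s["junk_ratio"] >= min_junk_ratio


def busiest_junk_sources(records, n=3):
    """Source addresses with the most junk connections, most active first."""
    return Counter(r[1] for r in records if is_junk(r)).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("pushdo-like:", looks_like_pushdo(recs))
    print("busiest junk sources:", busiest_junk_sources(recs))
```

The `junk_per_source` figure is the one to watch when deciding what to do next: when it sits near 1.0, each address contributes only a connection or two, so per-IP rate limits and reactive blocklists barely dent the volume, which matches the post's observation that there is no obvious mitigation short of absorbing the handshakes.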

To give you an idea of how quickly the botnet looks up these sites, we've posted a Wireshark screenshot below.

A Solution to the Problem?

Unfortunately for the hostnames below, changing your IP address might buy a short reprieve from bots that still have the old IP cached, but they will eventually find your site again, because the bots carry these targets as DNS names rather than IP addresses. If you operate one of the bare IP addresses in the list, changing IPs could head off the problem, since in those cases the bots are not resolving a hostname at all. If you have a good way to mitigate this traffic that we can share, please send us an e-mail and we will post it for others.

Site List that Pushdo is Attacking/Sending Traffic To

The table below lists all of the sites to which Pushdo has been making, or attempting to make, SSL connections. For many of you this might explain a large uptick in traffic; if it doesn't, you might want to take a closer look.

(Four columns; read down each column. Bare IP addresses are listed first, followed by hostnames in alphabetical order.)
141.146.8.193 labs.ericsson.com sso.state.mi.us www.icsalabs.com
142.205.233.80 launchpad.net stat.komet.ru www.imcworldwide.org
170.148.0.77 lg3d-core.dev.java.net stat.profintel.ru www.indianacareerconnect.com
198.64.146.50 light.webmoney.ru store.gearboxsoftware.com www.inhope.org
204.99.16.145 liqpay.com store.omnigroup.com www.insight.com
212.118.48.21 live.xbox.com support.msn.com www.intwayfunds.com
212.158.173.149 login.postini.com testpilot.mozillalabs.com www.intwaypassport.com
216.139.227.91 mail.internet2.edu thepiratebay.org www.ippc.int
216.49.88.20 mail.riseup.net tickets.landmarktheatres.com www.it-isac.org
216.9.245.101 mappoint-css.live.com tips.fbi.gov www.jieddo.dod.mil
217.12.97.63 mashedlife.com tms.symantec.com www.kaiserpermanente.org
217.65.2.187 mcp.microsoft.com toefl-registration.ets.org www.key.com
63.245.209.120 mfi-assets.ecb.int torstat.xenobite.eu www.last.fm
64.191.3.70 microsoft.embeddedoem.com trac.cakephp.org www.mail.yale.edu
64.233.183.63 money.yandex.ru twitter.com www.manpower.usmc.mil
64.38.232.180 mozillalabs.com ucclaim-wi.org www.medicalcountermeasures.gov
66.179.111.12 mozy.com uce.ieee.org www.mesh.com
75.126.159.19 mwe.dllr.state.md.us ugsp.nih.gov www.microplace.com
80.69.146.12 my.ispsystem.com unp.un.org www.microsoft.com.nsatc.net
82.198.171.192 my.pair.com us.etrade.com www.microsoftfinancing.com
84.19.191.55 my.pbworks.com vacancies.gns.cri.nz www.mobi-money.ru
86.59.21.36 my.t-mobile.com webcenter.applyyourself.com www.mochimedia.com
87.106.254.245 my.usda.gov webgis.usc.edu www.moneymail.ru
abonent.udm.vt.ru mya.godaddy.com wfis.wellsfargo.com www.myfloridalicense.com
acc.dau.mil myaccount.ddo.com wiki.ubuntu.com www.mylookout.com
accesstraining.dest.gov.au mygrantinfo.csac.ca.gov wist.echo.nasa.gov www.mymeetings.com
acemanager.bnpparibas.com myrewardzone.bestbuy.com wm.exchanger.ru www.myresearchproject.org.uk
adcenter.looksmart.com mytax.iras.gov.sg www-1.redhatmagazine.com www.ncoic.org
addons.mozilla.org nafpay.afsv.net www.23andme.com www.nebraska.gov
admin.acrobat.com netbenefits.fidelity.com www.24hraccess.com www.noridianmedicare.com
admin.fedoraproject.org nhworksjobmatch.nhes.nh.gov www.accountonline.com www.notams.jcs.mil
affiliate-program.amazon.com ns.iana.org www.activeu.org www.npdb-hipdb.hrsa.gov
app01.usatogether.org oh.train.org www.annualcreditreport.com www.nysdot.gov
bank.eximb.com one.ubuntu.com www.arizonavirtualonestop.com www.openeco.org
bespin.mozilla.com online.kitco.com www.artemisia-association.org www.optoutprescreen.com
billing.kpi.ua open.umich.edu www.arvest.com www.or-medicaid.gov
blog.startcom.org openid.net www.avuecentral.com www.paypal-marketing.co.uk
blogs.apache.org oscar.symplicity.com www.aw2.army.mil www.paypal-shopping.com
book.malaysiaairlines.com partner.microsoft.com www.badgeguys.com www.paypal.com
bookstore.transportation.org passport.webmoney.ru www.bankofky.com www.peoples.com
bsd.officedepot.com pay.spacegate.bz www.beartracks.ualberta.ca www.pmf.opm.gov
bugs.webkit.org personal.vanguard.com www.bluetooth.org www.racf.bnl.gov
cabig.nci.nih.gov player.helixcommunity.org www.bmoinvestorline.com www.redhat.com
cc.readytalk.com portal.accaglobal.com www.bpn.gov www.regnow.com
chrome.google.com portal.bccampus.ca www.bwin.com www.researchgate.net
co.clickandpledge.com portal.gs.com www.capitaller.ru www.revisor.mn.gov
connect.microsoft.com privat24.privatbank.ua www.caro.net www.rhce.ca
cpdsearch.tda.gov.uk products.appliedbiosystems.com www.cci-icc.gc.ca www.rkb.us
data.nasdaq.com profile.ea.com www.cdproject.net www.sans.org
depot.info.apple.com qolps.qub.ac.uk www.chase.com www.sbrf.ru
destroytwitter.com reach-it.echa.europa.eu www.cia.gov www.securityguidance.com
developer.mozilla.org recruit.ap.uci.edu www.commonapp.org www.sedex.org.uk
dod-emall.dla.mil research.venterinstitute.org www.copilot.com www.seringas.caissedesdepots.fr
donate.doctorswithoutborders.org review.ieice.org www.cresis.ku.edu www.shakeweight.com
donate.pih.org rita.nrf.gov.sg www.cu.edu www.shareholder.ru
donotcontact.utah.gov riweb.rotaryintl.org www.directvote.net www.sitelutions.com
dragon.pop.indiana.edu rr-n1-tor.opensrs.net www.donate.bt.com www.snapnames.com
e-gap.royalsociety.org rsr-olymp.ru www.donhr.navy.mil www.spdrs.com
ebidmarketplace.com sa.www4.irs.gov www.dreamspark.com www.studentloan.com
eduforge.org sailearningconnection.skillport.com www.dropbox.com www.studyabroad.uiuc.edu
eopen.microsoft.com scaccess.communityos.org www.dtic.mil www.sugarsync.com
erecruit.ilo.org schoolalerts.iowa.gov www.e-typedesign.co.uk www.telebank.ru
fjallfoss.fcc.gov seal.verisign.com www.employflorida.com www.theabfm.org
forge.betavine.net secure.grepular.com www.etde.org www.torproject.org
forum.defcon.org secure.in.gov www.fastlane.nsf.gov www.trustwave.com
forums.garmin.com secure.logmein.com www.fpds.gov www.uibenefits.dol.ks.gov
forums.nordrus.info secure.ncjoblinkmis.com www.fsd.gov www.urs.apply2jobs.com
forums.weather.com secure.skype.com www.geezeo.com www.vancity.com
garage.maemo.org secure.ssa.gov www.glgpartners.com www.virtualizationhero.net
germany.embassy.gov.au serviceguide.megafonnw.ru www.gtap.agecon.purdue.edu www.webmoney.kz
gn.eoil.ru serviceguide.megafonvolga.ru www.guardiananytime.com www.windowsupdate.com
golearn.csd.disa.mil shop.aafes.com www.habitat.org www.x.com
hostmaster.net.ua shop.maxim-ic.com www.healthspace.nhs.uk www.yahoo.com
https.openbsd.org signup.live.com www.hedgefundresearch.com www.yammer.com
imo.im slx.sun.com www.hibernate.org www134.americanexpress.com
incometaxindiaefiling.gov.in solvnet.synopsys.com www.hnfs.net www2.gotomeeting.com
iz.mersyss.ru spaces.internet2.edu www.hsdl.org z-payment.ru
javacc.dev.java.net ssl.bing.com www.huntington.com zeustracker.abuse.ch

Posted January 29, 2010, at 11:10 AM by Steven Adair