Friday, 29 January 2010
Pushdo DDoS'ing or Blending In?
Is your site on the list we have posted here or in the table at the bottom of this page? If so, you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic of several million hits spread out across several hundred thousand IP addresses. No, you didn't read that wrong: that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you're used to only getting a few hundred or a few thousand hits a day, or if you don't have unlimited bandwidth.
What's going on here? Well, it seems the Pushdo botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites. Special thanks to Joe Stewart from SecureWorks for pointing this out earlier in the week when some of us were scratching our heads. Our friends over at ZeuS Tracker noticed a big uptick in port 443 traffic to their website early this week. They thought they were being DDoS'd. Technically they are being attacked, although knocking the sites offline doesn't seem to be the goal. The bots appear to initiate an SSL connection, send a bit of junk to the website, and then disconnect. They do not actually request any resources from the website or do anything else other than repeat the cycle periodically. They are doing this to hundreds of sites all day long. We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn't quite look like a DDoS either.
ZeuS tracker tells us they have counted multiple hundreds of thousands of unique IPs hitting their site in just over a 24 hour period. This is a lot of bots generating a lot of traffic. Check the list below or the link above to see if you too are a lucky recipient of this traffic.
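The behaviour described above (handshake started, a bit of junk sent, no request, disconnect, repeated from a huge number of sources) can be picked out of a web or TLS-terminator log. The following is an added example, not code from the original post or from Shadowserver; the log format and the thresholds are constructed assumptions, so map the fields to whatever your own server actually logs.

```python
from collections import Counter

# Constructed sample log (not from any real server): one line per TCP connection,
# fields: timestamp src_ip dst_port handshake(ok|fail) http_requests bytes_in
SAMPLE_LOG = """\
2010-01-28T10:00:01Z 198.51.100.7 443 fail 0 41
2010-01-28T10:00:01Z 203.0.113.9 443 ok 1 812
2010-01-28T10:00:02Z 198.51.100.8 443 ok 0 37
2010-01-28T10:00:03Z 198.51.100.7 443 fail 0 40
2010-01-28T10:00:04Z 192.0.2.33 443 fail 0 44
2010-01-28T10:00:05Z 203.0.113.10 443 ok 3 2048
2010-01-28T10:00:06Z 192.0.2.34 443 fail 0 42
2010-01-28T10:00:07Z 192.0.2.35 80 ok 1 300
"""

def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, port, hs, reqs, nbytes = parts
    return {"ts": ts, "src": src, "port": int(port), "handshake_ok": hs == "ok",
            "requests": int(reqs), "bytes_in": int(nbytes)}

def is_junk_connection(rec):
    """A port-443 connection that never produced an HTTP request matches the
    post's description: SSL started (or junk sent), then a disconnect."""
    return rec["port"] == 443 and (not rec["handshake_ok"] or rec["requests"] == 0)

def summarize(log_text):
    """Count junk vs. total 443 connections and how many distinct sources sent junk."""
    total = junk = 0
    per_src = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != 443:
            continue
        total += 1
        if is_junk_connection(rec):
            junk += 1
            per_src[rec["src"]] += 1
    return {"total": total, "junk": junk, "junk_sources": len(per_src), "per_source": per_src}

def looks_like_pushdo_flood(summary, min_sources=3, min_ratio=0.5):
    """The post's signature is volume spread across a huge number of IPs, so key on
    source spread plus junk ratio rather than on any single noisy IP. The thresholds
    here are illustrative assumptions; tune them to the site's normal baseline."""
    if summary["total"] == 0:
        return False
    return (summary["junk_sources"] >= min_sources
            and summary["junk"] / summary["total"] >= min_ratio)
```

On the sample, five of seven port-443 connections are junk, coming from four distinct sources, which trips the flood check; the port-80 line is ignored.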
To give you an idea of how quickly the botnet looks up these sites, we've posted a Wireshark screenshot below.

A Solution to the Problem?
Unfortunately for the hostnames below, changing your IP address might be a short, temporary reprieve from some of the bots that have the old IP cached. However, they will eventually find your site again, because the bots carry actual DNS hostnames rather than hard-coded IP addresses. If you operate one of the IP addresses in the list, you could likely change IPs to head off this issue, since in those cases the bots are not using a hostname. If someone has a good way to mitigate these attacks that we can post, please feel free to send us an e-mail and we will post it for others.
Site List that Pushdo is Attacking/Sending Traffic To
The table below is a list of all of the sites for which Pushdo has been making or attempting to make SSL connections. This might help explain a large uptick in traffic for many. If not then you might want to take a closer look.
Posted January 29, 2010, at 11:10 AM by Steven Adair