The Hand of Pushdo behind CIA, PayPal SSL assault
By debashis, Gaea News Network, Monday, February 1, 2010
Over the past week or so, many websites have noticed a massive uptick in SSL connections. The increase is on the order of several million hits, spread across several hundred thousand IP addresses. The Central Intelligence Agency, PayPal, and hundreds of other organizations are under this assault: besides cia.gov and paypal.com, affected sites include yahoo.com, americanexpress.com, and sans.org. According to researchers at the Shadowserver Foundation, a volunteer security collective, the "massive" flood of requests is aimed at the websites' SSL (secure sockets layer) port, where each connection costs the server more than a plain connection because the server must perform the cryptographic work of the handshake before it learns the client has nothing to say.
The torrent started about a week ago and appears to be caused by recent changes to a botnet known as Pushdo. It is not clear why Pushdo has unleashed it. The botnet's code was recently changed so that infected nodes open junk SSL connections to approximately 315 different websites. Each infected PC initiates the SSL connection, sends a bit of junk, disconnects, and repeats the cycle; it never requests any resource from the website or does anything else. Joe Stewart of SecureWorks pointed this out earlier in the week, when most others thought otherwise. To check whether your site is affected, use the link provided by Shadowserver.
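The traffic pattern described above (a handshake on port 443, a few bytes of junk, a disconnect, no HTTP request, repeated from a very large pool of source addresses) is something a site operator can look for in its own connection logs. The following is an added example, not code from the article, Shadowserver, or SecureWorks: the log format, the field names, and the sample lines are constructed for illustration, and the thresholds in `is_junk_session` are assumptions to be tuned against real traffic.

```python
"""Flag junk SSL sessions: port 443, no HTTP request ever issued, a tiny
inbound payload, and a very short lifetime.

The per-session log format and the sample lines below are constructed for
this example (they are not from the article or from any vendor). Adapt
parse_line() to whatever your TLS terminator or flow exporter really emits.
"""
import re
from collections import Counter

# Constructed sample: one line per finished TCP session to port 443.
SAMPLE_LOG = """\
2010-01-28T10:00:01Z src=203.0.113.5:51234 dport=443 dur=0.18 bytes_in=47 requests=0
2010-01-28T10:00:01Z src=198.51.100.7:40001 dport=443 dur=1.90 bytes_in=812 requests=3
2010-01-28T10:00:02Z src=203.0.113.5:51235 dport=443 dur=0.21 bytes_in=51 requests=0
2010-01-28T10:00:02Z src=203.0.113.9:61002 dport=443 dur=0.15 bytes_in=44 requests=0
2010-01-28T10:00:03Z src=203.0.113.5:51236 dport=443 dur=0.19 bytes_in=46 requests=0
2010-01-28T10:00:03Z src=198.51.100.7:40002 dport=443 dur=2.40 bytes_in=1200 requests=5
2010-01-28T10:00:04Z src=203.0.113.9:61003 dport=443 dur=0.17 bytes_in=45 requests=0
2010-01-28T10:00:04Z src=203.0.113.9:61004 dport=443 dur=0.20 bytes_in=49 requests=0
2010-01-28T10:00:05Z src=192.0.2.44:33333 dport=443 dur=0.30 bytes_in=60 requests=0
2010-01-28T10:00:06Z src=203.0.113.5:51237 dport=443 dur=0.16 bytes_in=48 requests=0
"""

LINE_RE = re.compile(
    r"src=(?P<ip>[\d.]+):\d+ dport=(?P<dport>\d+) dur=(?P<dur>[\d.]+) "
    r"bytes_in=(?P<bytes_in>\d+) requests=(?P<requests>\d+)"
)


def parse_line(line):
    """Parse one session line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "dport": int(d["dport"]),
        "dur": float(d["dur"]),
        "bytes_in": int(d["bytes_in"]),
        "requests": int(d["requests"]),
    }


def is_junk_session(sess, max_bytes=128, max_dur=1.0):
    """True for a session that matches the Pushdo pattern: SSL port, no HTTP
    request, only a handful of inbound bytes, and gone within a second.
    The byte and duration limits are assumed values; tune them to your site."""
    return (
        sess["dport"] == 443
        and sess["requests"] == 0
        and sess["bytes_in"] <= max_bytes
        and sess["dur"] <= max_dur
    )


def find_junk_sources(log_text, min_sessions=3):
    """Count junk sessions per source IP and return the sources at or above
    min_sessions. Useful for spotting individual repeat offenders."""
    junk = Counter()
    for line in log_text.splitlines():
        sess = parse_line(line)
        if sess and is_junk_session(sess):
            junk[sess["ip"]] += 1
    return {ip: n for ip, n in junk.items() if n >= min_sessions}


def junk_ratio(log_text):
    """Fraction of all port-443 sessions that are junk. With hundreds of
    thousands of bots each making only a few connections, this aggregate
    number, not any single IP's count, is the symptom to alert on."""
    total = junk = 0
    for line in log_text.splitlines():
        sess = parse_line(line)
        if not sess or sess["dport"] != 443:
            continue
        total += 1
        if is_junk_session(sess):
            junk += 1
    return junk / total if total else 0.0


if __name__ == "__main__":
    print(find_junk_sources(SAMPLE_LOG))   # {'203.0.113.5': 4, '203.0.113.9': 3}
    print(round(junk_ratio(SAMPLE_LOG), 2))  # 0.8
```

Two checks are deliberately separate. `find_junk_sources` picks out addresses that repeat the cycle, which helps when you want to confirm the behaviour on a handful of hosts; `junk_ratio` tracks what share of all SSL sessions never carry a request, which is the signal that actually moves when a botnet spread over several hundred thousand addresses hits you, since each bot may contribute only a few sessions and never trip a per-IP threshold.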
Now for mitigation. Changing the IP address behind the affected hostnames may buy a short reprieve from bots that still have the old address cached. Unfortunately, that reprieve is only temporary: the bots carry DNS hostnames, not hard-coded IP addresses, so once the cached entries expire they will resolve the new address and find your site again. Blocking by source address is no better an answer when the traffic arrives from several hundred thousand IPs. Security analysts around the world are working to mitigate the problem as quickly as they can; let us hope they succeed.