A spamming botnet known for keeping a low profile has been hammering hundreds of Websites — including the CIA, Chase, Mozilla Labs, Twitter, SANS, Google Chrome, and the FBI — during the past week with an unusually conspicuous amount of phony traffic that has researchers rushing to analyze its next move.
The Pushdo botnet, a.k.a. "Cutwail" and "Pandex," has been flooding those sites with bogus SSL connections that stop short of requesting anything from the Website. The infected bots begin to initiate an SSL connection with some "junk" traffic and then disconnect, according to The Shadowserver Foundation. Shadowserver and other researchers have been monitoring the activity, which Shadowserver says has increased traffic by several million hits coming from several hundred thousand IP addresses.
The botnet hit the ZeusTracker Website, for example, with hundreds of thousands of different IP addresses within a 24-hour period. "This is a lot of bots generating a lot of traffic," blogged Steven Adair, a researcher with Shadowserver. Recent code changes to Pushdo resulted in its bots generating the "junk" SSL connections to the 315 Websites, he said.
So what is Pushdo up to? Joe Stewart, director of malware research for Secureworks, says the botnet is making fake SSL connection attempts: Malformed packets cause the server to return an SSL negotiation error. "By adding the initial header of an SSL conversation, they may be attempting to avoid closer scrutiny by less vigilant inspection devices," Stewart says. "And by sending a flurry of these connections to a number of legit ‘decoy’ sites, it helps the Pushdo C&C [command and control] traffic blend in and remain undetected in some cases," he says.
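Stewart's remark that the bots add only "the initial header of an SSL conversation" points to the defender-side check that matters: look past the five-byte record header and verify the ClientHello structure itself. The Python below is an added illustration, not code from Shadowserver, Secureworks or the article, and contrasts a shallow header check with a structural walk of the ClientHello over constructed sample connections; the IP addresses and byte strings are made up.

```python
import struct
from collections import Counter

def shallow_tls_check(data: bytes) -> bool:
    # What a lax inspection device might settle for: a 5-byte TLS record header (type 0x16, major version 3).
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03

def well_formed_client_hello(data: bytes) -> bool:
    # Deeper check: walk the ClientHello and require every length field to match
    # the bytes actually present. A header followed by junk fails here.
    try:
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if not shallow_tls_check(data) or len(body) != rec_len or body[0] != 0x01:
            return False                                  # 0x01 = ClientHello
        hello = body[4:]
        if int.from_bytes(body[1:4], "big") != len(hello) or hello[0] != 0x03:
            return False                                  # bad handshake length/version
        pos = 35 + hello[34]                              # version(2)+random(32)+session_id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len
        comp_len = hello[pos]
        pos += 1 + comp_len
        if cs_len == 0 or cs_len % 2 or comp_len == 0 or pos > len(hello):
            return False
        # Either no extensions, or an extensions block that fills the rest exactly.
        return pos == len(hello) or pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0] == len(hello)
    except (IndexError, struct.error):
        return False

def build_client_hello() -> bytes:
    # Constructed minimal TLS 1.0 ClientHello: one cipher suite, null compression.
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def suspicious_sources(connections):
    # connections: (src_ip, first bytes sent). Count, per source, connections that
    # pass the shallow header check but do not carry a valid ClientHello.
    hits = Counter()
    for src, first in connections:
        if shallow_tls_check(first) and not well_formed_client_hello(first):
            hits[src] += 1
    return hits

# Constructed sample: one real client and two bots sending a TLS header plus junk
# (the last connection carries a truncated ClientHello that only deep parsing rejects).
SAMPLE = [
    ("198.51.100.7", build_client_hello()),
    ("203.0.113.5", b"\x16\x03\x01\x00\x08\x9a\x7f\x00\x11\xee\x01\x02\x03"),
    ("203.0.113.5", b"\x16\x03\x01\x00\x20" + bytes(range(32))),
    ("203.0.113.9", b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x01"),
]
```

Run over real connection captures, a source with many such hits and no subsequent request is exactly the pattern described above; a real client that fails the deep check would be a parser bug to investigate, not a bot.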