Botnet sends fake SSL pings to CIA, PayPal, others

The Pushdo botnet is trying to evade detection by using fake SSL connections to major Web sites, researcher says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
Joe Stewart of SecureWorks at Black Hat Las Vegas 2008 Robert Vamosi / CNET

In attempt to hide the location of its command-and-control server, the Pushdo botnet has been instructing its infected zombie computers to send fake SSL (Secure Sockets Layer) connections to major Web sites, a botnet expert said on Monday.

The strange traffic targeting the Web sites--including sites for the CIA, FBI, PayPal, Yahoo, and Twitter, according to a list at the Shadow Server Foundation--was not enough to cause any outages or slowdowns, said Joe Stewart, director of malware research at SecureWorks.

Site owners "would just see weird connections that don't seem to make sense," he said. "They look like they're trying to start an SSL handshake, but it comes in malformed and doesn't ever send anything after that first handshake attempt."

SSL is a protocol used to encrypt communications between computers for things like e-commerce and online banking.

Basically, Pushdo is using a fake SSL header in the communications sent from the infected zombies to its own command and control server, according to Stewart. "It's trying to hide itself a bit better...to make it appear on a casual inspection that it might be SSL traffic," he said.

In addition, sending a flurry of connections to legitimate Web sites could be designed to make sure the command and control server doesn't stand out, he said.

Pushdo downloads different Trojans onto infected machines and has been used to send spam as part of the Cutwail spambot, according to Stewart. It is comprised of about 300,000 infected PCs and the operators, believed to be located in Eastern Europe, are leasing out its usage to criminals, he said.

"It's a typical pay-per-install system," used to distribute banking Trojans, password stealers, ad clickers, and search hijackers, Stewart said.