By Lori MacVittie
March 24, 2010 12:00 PM EDT
Options to put a stop to the latest mutation of the Pushdo trojan
The Pushdo bot is a malevolent little beast that is nothing new to Infosec professionals. What might be new, however, is that it recently changed its code and now creates junk SSL connections. Lots of them.
"I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No, you didn't read that wrong: that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you're used to only getting a few hundred or thousands of hits a day or you don't have unlimited bandwidth." -- ShadowServer, 01/29/2010
Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. (SecureWorks, Analysis of a Modern Malware Distribution System) That’s something you definitely don’t want to let loose inside your network, right? So the trick is to recognize its new behavior, somehow, and kick it in the derriere before it can do any real damage or consume resources or leave little bot droppings that might clog up the network pipes.
Luckily, Pushdo has a recognizable pattern: it sends malformed SSL HELLO requests after the TCP connection is established. This means we have several options for dealing with this new variant.
First, you could ignore it. That’s probably asking for trouble, but it is an option. The target server will respond to the request with an error because the client hello portion of the SSL handshake is malformed. There’s very little danger in that; it’s expected behavior. However, there’s a distinct possibility that the pattern will change again, potentially by correcting the “malformed” hello so that it is valid, thus completing a connection and delivering its payload. If you’ve been lulled into ignoring the traffic by then, that attempt might even succeed. Yes, it could be a social engineering attempt to make you complacent in preparation for a real attack. Miscreants are evil like that, you know; you just can’t trust them.
"The most aggressive Pushdo-infected hosts appear to establish a connection about once a minute. We identified about 10k hosts attacking www.sans.org. According to some reports, Pushdo will also just establish a TCP connection, and then just sit without actually sending the SSL Hello message." -- ISC SANS Diary
Because the new behavior of Pushdo now has it basically acting like a (fairly ineffective in most cases) DoS, it’s also not a good idea to let the requests get to the server because, well, that means the DoS is successful. If the server is busy responding to Pushdo requests it can’t respond to legitimate requests. In a public cloud computing environment, of course, the consequences can likely be counted in hard dollars as instances of applications may be launched or continue to remain active throughout the duration of the attack, even though second, third or more instances may not be required for availability at the time. For all the good things about elastic on-demand scalability, this one will continue to be a downside until security services are available that can detect and reject attacks at the “edge” of the cloud provider’s environment.
Second, you could terminate SSL connections on a capable load balancer or application delivery controller. Most modern solutions of this ilk will recognize the malformed hello and refuse to accept it. This is not much different from the server responding with an error, except that offloading the task of dealing with SSL and the miscreant traffic means the server can still respond easily to legitimate requests. If you have some other component terminating SSL, check whether it’s capable of recognizing the malformed hello. If not, and you have a network-side scripting capable component downstream from it, you can always use the third option to intercept the requests, inspect them, and instruct the component to reject any that contain malformed data.
Think SSL DoS Not Dangerous?
Back in the days when I was still putting products to the test I often evaluated SSL-terminating solutions like appliances and specialized hardware on PCI cards. To test capacity we basically created the equivalent of a DoS attack.
In one test we generated enough load to fry the PCI slot on a Sun Sparc server. Fried electronics is not a pleasant smell, especially in a confined space. In another test, a now long defunct product would continually reboot itself when load reached a specific point, effectively disrupting service completely for all servers behind it.
Many SSL-terminating solutions require licensing for a specific TPS rate, and a DoS can easily surpass that rate. When SSL is handled by the servers themselves, the additional strain from processing high amounts of SSL can effectively reduce the ability of the server to handle other legitimate requests to zero, consuming all available resources in a relatively short period of time. Even if an SSL DoS won’t fry your circuitry, it can certainly be a Bad Thing for your applications and infrastructure and cause performance degradations and, if you’re in ‘the cloud’, possibly additional charges.
The third option is to put into place a filter or network-side script that examines the request and determines whether it is legitimate or not.
The fourth option is to put in place IDS/IPS (such as Snort) filters to handle the requests.
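As an added illustration of the third option (a filter or script that inspects the client hello before it reaches the server), here is a structural ClientHello check in Python. It is example code written for this page, not the author's script or any product's feature; the sample record and the specific rejection reasons are constructed assumptions, since the post does not say which part of Pushdo's hello is malformed, so the check only verifies that the record and handshake framing are internally consistent.

```python
import struct

CONTENT_HANDSHAKE = 0x16       # TLS record content type for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type for ClientHello


def inspect_client_hello(data: bytes) -> str:
    """Structural check of the first bytes a client sends after the TCP
    handshake. Returns "ok" for a well-formed SSL3/TLS ClientHello record,
    otherwise a short reason a filter could log before rejecting."""
    if len(data) < 5:
        return "short record header"
    ctype, major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != CONTENT_HANDSHAKE:
        return "not a handshake record"
    if major != 3:                       # SSL 3.0 and TLS 1.x all use major 3
        return "unsupported record version"
    body = data[5:]
    if len(body) != rec_len:             # record claims a different length
        return "record length mismatch"
    if len(body) < 4 or body[0] != HANDSHAKE_CLIENT_HELLO:
        return "not a client hello"
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        return "handshake length mismatch"
    hello = body[4:]                     # version(2) random(32) sid_len(1) ...
    if len(hello) < 35:
        return "truncated client hello"
    sid_len, pos = hello[34], 35
    if sid_len > 32 or len(hello) < pos + sid_len + 2:
        return "bad session id"
    pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len == 0 or cs_len % 2 or len(hello) < pos + cs_len + 1:
        return "bad cipher suite list"
    pos += cs_len
    comp_len = hello[pos]
    if comp_len == 0 or len(hello) < pos + 1 + comp_len:
        return "bad compression list"
    return "ok"


def build_client_hello() -> bytes:
    """Constructed sample: a minimal well-formed TLS 1.0 ClientHello
    (zeroed random, no session id, two cipher suites, null compression)."""
    hello = (b"\x03\x01" + b"\x00" * 32 + b"\x00"
             + b"\x00\x04" + b"\x00\x2f\x00\x35" + b"\x01\x00")
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_HANDSHAKE, 3, 1]) + len(hs).to_bytes(2, "big") + hs
```

A connection that sends nothing at all, as some Pushdo hosts reportedly do, is caught by the first check; a real deployment would pair this with a per-source idle timeout rather than waiting for bytes that never arrive.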
So you’ve got options, you just need to decide which one will best serve your needs. I, of course, heavily recommend any option that detects and rejects as close to the perimeter as possible so as to avoid needless resource consumption, but more important than that is simply stopping the attack.