|By Lori MacVittie||
|March 24, 2010 12:00 PM EDT||
Options to put a stop to the latest mutation of the Pushdo trojan
The Pushdo bot is a malevolent little beast that is nothing new to Infosec professionals. What might be new, however, is that it recently changed its code and now creates junk SSL connections. Lots of them.
I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No you didn't read that wrong that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you're used to only getting a few hundred or thousands of hits a day or you don't have unlimited bandwidth. -- ShadowServer 01/29/2010
Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. (SecureWorks, Analysis of a Modern Malware Distribution System) That’s something you definitely don’t want to let loose inside your network, right? So the trick is to recognize its new behavior, somehow, and kick it in the derriere before it can do any real damage or consume resources or leave little bot droppings that might clog up the network pipes.
Luckily, Pushdo has a recognizable pattern: it sends malformed SSL HELLO requests after the TCP connection is established. This means we have several options for dealing with this new variant.
First, you could ignore it. That’s probably asking for trouble but it is an option. The target server will respond to the request with an error because the client hello portion of the SSL handshake is malformed. There’s very little danger in that, it’s expected behavior. However, there’s a distinct possibility that the pattern will change again, potentially by correcting the “malformed” hello so that it is valid and thus making a connection and delivering itself. Having been lulled into ignoring it, it might even succeed. Yes, it could be a social engineering attempt to make you complacent in preparation for a real attack. Miscreants are evil like that, you know, you just can’t trust them.
| The most aggressive pushdo infected hosts appear to establish a connection about once a minute. We identified about 10k host attacking www.sans.org. According to some reports, Pushdo will also just establish a TCP connection, and then just sit without actually sending the SSL Helo message.
– ISC SANS Diary
Because the new behavior of Pushdo now has it basically acting like a (fairly ineffective in most cases) DoS, it’s also not a good idea to let the requests get to the server because, well, that means the DoS is successful. If the server is busy responding to Pushdo requests it can’t respond to legitimate requests. In a public cloud computing environment, of course, the consequences can likely be counted in hard dollars as instances of applications may be launched or continue to remain active throughout the duration of the attack, even though second, third or more instances may not be required for availability at the time. For all the good things about elastic on-demand scalability, this one will continue to be a downside until security services are available that can detect and reject attacks at the “edge” of the cloud provider’s environment.
Second, you could terminate SSL connections on a capable Load balancer or application delivery controller. Most modern solutions of this ilk will recognize the malformed hello and refuse to accept them. This is not much different than the server responding with an error except that offloading the task of dealing with SSL and the miscreant traffic means the server can still respond easily to legitimate requests. If you have some other component terminating SSL, check if it’s capable of recognizing the malformed headers. If not, and you have a network-side scripting capable component downstream from it, you can always use the third option to intercept the requests, inspect them, and instruct the component to reject it if it contains malformed data.
|Think SSL DoS Not Dangerous?
Back in the days when I was still putting products to the test I often evaluated SSL-terminating solutions like appliances and specialized hardware on PCI cards. To test capacity we basically created the equivalent of a DoS attack.
In one test we generated enough load to fry the PCI slot on a Sun Sparc server. Fried electronics is not a pleasant smell, especially in a confined space. In another test, a now long defunct product would continually reboot itself when load reached a specific point, effectively disrupting service completely for all servers behind it.
Many SSL-terminating solutions require licensing for a specific TPS rate, and a DoS can easily surpass that rate. When SSL is handled by the servers themselves, the additional strain from processing high amounts of SSL can effectively reduce the ability of the server to handle other legitimate requests to zero, consuming all available resources in a relatively short period of time. Even if an SSL DoS won’t fry your circuitry, it can certainly be a Bad Thing for your applications and infrastructure and cause performance degradations and, if you’re in ‘the cloud’, possibly additional charges.
The third option is to put into place a filter or network-side script that examines the request and determines whether it is legitimate or not.
The fourth option is to put in place IDS/IPS (such as Snort) filters to handle the requests.
So you’ve got options, you just need to decide which one will best serve your needs. I, of course, heavily recommend any option that detects and rejects as close to the perimeter as possible so as to avoid needless resource consumption, but more important than that is simply stopping the attack.
- [slides] #DevOps and Immutable Infrastructure | @CloudExpo @Botchagalupe
- [session] Composable Infrastructure | @CloudExpo @HTBase @Azure #AWS
- Partners @Interoute and @Rancher_Labs | @CloudExpo #DevOps #Serverless
- [session] Composable Infrastructure | @CloudExpo @HTBase #SDN #DataCenter
- An #AI-Defined World | @CloudExpo @ReneBuest #AiDI #ArtificialIntelligence
- The Top 150 Players in Cloud Computing
- i-Technology Predictions for 2007: Where's It All Headed?
- The Top 250 Players in the Cloud Computing Ecosystem
- The Future of Cloud Computing
- Cloud Expo New York Call for Papers Now Open
- The Five Characteristics of Cloud Computing
- The Next Chapter in the Virtualization Story Begins
- CIA was Headed to an Enterprise Cloud All Along: Jill Tummler Singer
- Deputy CIO of the CIA to Keynote 1st Annual GovIT Expo
- Are Enterprises Ready for Cloud Computing?