|By Lori MacVittie||
|March 24, 2010 12:00 PM EDT||
Options to put a stop to the latest mutation of the Pushdo trojan
The Pushdo bot is a malevolent little beast that is nothing new to Infosec professionals. What might be new, however, is that it recently changed its code and now creates junk SSL connections. Lots of them.
I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No you didn't read that wrong that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you're used to only getting a few hundred or thousands of hits a day or you don't have unlimited bandwidth. -- ShadowServer 01/29/2010
Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. (SecureWorks, Analysis of a Modern Malware Distribution System) That’s something you definitely don’t want to let loose inside your network, right? So the trick is to recognize its new behavior, somehow, and kick it in the derriere before it can do any real damage or consume resources or leave little bot droppings that might clog up the network pipes.
Luckily, Pushdo has a recognizable pattern: it sends malformed SSL HELLO requests after the TCP connection is established. This means we have several options for dealing with this new variant.
First, you could ignore it. That’s probably asking for trouble but it is an option. The target server will respond to the request with an error because the client hello portion of the SSL handshake is malformed. There’s very little danger in that, it’s expected behavior. However, there’s a distinct possibility that the pattern will change again, potentially by correcting the “malformed” hello so that it is valid and thus making a connection and delivering itself. Having been lulled into ignoring it, it might even succeed. Yes, it could be a social engineering attempt to make you complacent in preparation for a real attack. Miscreants are evil like that, you know, you just can’t trust them.
| The most aggressive pushdo infected hosts appear to establish a connection about once a minute. We identified about 10k host attacking www.sans.org. According to some reports, Pushdo will also just establish a TCP connection, and then just sit without actually sending the SSL Helo message.
– ISC SANS Diary
Because the new behavior of Pushdo now has it basically acting like a (fairly ineffective in most cases) DoS, it’s also not a good idea to let the requests get to the server because, well, that means the DoS is successful. If the server is busy responding to Pushdo requests it can’t respond to legitimate requests. In a public cloud computing environment, of course, the consequences can likely be counted in hard dollars as instances of applications may be launched or continue to remain active throughout the duration of the attack, even though second, third or more instances may not be required for availability at the time. For all the good things about elastic on-demand scalability, this one will continue to be a downside until security services are available that can detect and reject attacks at the “edge” of the cloud provider’s environment.
Second, you could terminate SSL connections on a capable Load balancer or application delivery controller. Most modern solutions of this ilk will recognize the malformed hello and refuse to accept them. This is not much different than the server responding with an error except that offloading the task of dealing with SSL and the miscreant traffic means the server can still respond easily to legitimate requests. If you have some other component terminating SSL, check if it’s capable of recognizing the malformed headers. If not, and you have a network-side scripting capable component downstream from it, you can always use the third option to intercept the requests, inspect them, and instruct the component to reject it if it contains malformed data.
|Think SSL DoS Not Dangerous?
Back in the days when I was still putting products to the test I often evaluated SSL-terminating solutions like appliances and specialized hardware on PCI cards. To test capacity we basically created the equivalent of a DoS attack.
In one test we generated enough load to fry the PCI slot on a Sun Sparc server. Fried electronics is not a pleasant smell, especially in a confined space. In another test, a now long defunct product would continually reboot itself when load reached a specific point, effectively disrupting service completely for all servers behind it.
Many SSL-terminating solutions require licensing for a specific TPS rate, and a DoS can easily surpass that rate. When SSL is handled by the servers themselves, the additional strain from processing high amounts of SSL can effectively reduce the ability of the server to handle other legitimate requests to zero, consuming all available resources in a relatively short period of time. Even if an SSL DoS won’t fry your circuitry, it can certainly be a Bad Thing for your applications and infrastructure and cause performance degradations and, if you’re in ‘the cloud’, possibly additional charges.
The third option is to put into place a filter or network-side script that examines the request and determines whether it is legitimate or not.
The fourth option is to put in place IDS/IPS (such as Snort) filters to handle the requests.
So you’ve got options, you just need to decide which one will best serve your needs. I, of course, heavily recommend any option that detects and rejects as close to the perimeter as possible so as to avoid needless resource consumption, but more important than that is simply stopping the attack.
SYS-CON Events announced today that Catchpoint, a global leader in monitoring, and testing the performance of online applications, has been named "Silver Sponsor" of DevOps Summit New York, which will take place on June 7-9, 2016 at the Javits Center in New York City. Catchpoint radically transforms the way businesses manage, monitor, and test the performance of online applications. Truly understand and improve user experience with clear visibility into complex, distributed online systems.Founde...
Dec. 1, 2015 12:15 PM EST
The annual holiday shopping season, which started on Thanksgiving weekend and runs through the end of December, is undoubtedly the most crucial time of the year for many eCommerce websites, with sales from this period having a dramatic effect on the year-end bottom line. Web performance – or, the overall speed and availability of a website or mobile site – is an issue year-round, but it takes on increased importance during the holidays. Ironically, it is at this time of year that networks and i...
Dec. 1, 2015 11:15 AM EST Reads: 163
Most of the IoT Gateway scenarios involve collecting data from machines/processing and pushing data upstream to cloud for further analytics. The gateway hardware varies from Raspberry Pi to Industrial PCs. The document states the process of allowing deploying polyglot data pipelining software with the clear notion of supporting immutability. In his session at @ThingsExpo, Shashank Jain, a development architect for SAP Labs, discussed the objective, which is to automate the IoT deployment proces...
Dec. 1, 2015 11:00 AM EST Reads: 138
Countless business models have spawned from the IaaS industry – resell Web hosting, blogs, public cloud, and on and on. With the overwhelming amount of tools available to us, it's sometimes easy to overlook that many of them are just new skins of resources we've had for a long time. In his general session at 17th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, an IBM Company, broke down what we have to work with, discussed the benefits and pitfalls and how we can best use them ...
Dec. 1, 2015 10:45 AM EST Reads: 129
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
Dec. 1, 2015 10:00 AM EST Reads: 577
It's been a busy time for tech's ongoing infatuation with containers. Amazon just announced EC2 Container Registry to simply container management. The new Azure container service taps into Microsoft's partnership with Docker and Mesosphere. You know when there's a standard for containers on the table there's money on the table, too. Everyone is talking containers because they reduce a ton of development-related challenges and make it much easier to move across production and testing environm...
Dec. 1, 2015 10:00 AM EST Reads: 658
DevOps is an organizational and cultural rethink of how software-driven organizations can become organizations at velocity – agile enough to innovate and fast enough to deal with any change that comes their way. Information technology is a central enabler of DevOps, but today’s better-faster-cheaper technology is not the whole story, as tools are only as good as the people wielding them. The more fundamental story here is the organizational and cultural transformation necessary to take full adv...
Dec. 1, 2015 10:00 AM EST
ThoughtWorks has issued the latest Technology Radar, an assessment of trends significantly impacting software development and business strategy. The Technology Radar sets out the current changes in software development - things in motion to pay attention to based upon ThoughtWorks' day-to-day work and experience solving their clients' toughest challenges. "With the threat landscape still evolving, our latest edition of Technology Radar continues to focus on security and innovative approaches,...
Dec. 1, 2015 09:45 AM EST
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem"...
Dec. 1, 2015 09:00 AM EST Reads: 481
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound...
Dec. 1, 2015 06:30 AM EST Reads: 515
As organizations shift towards IT-as-a-service models, the need for managing & protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection & E-Discovery of your data - whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise.
Dec. 1, 2015 06:00 AM EST Reads: 273
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, San...
Dec. 1, 2015 05:00 AM EST Reads: 622
PubNub has announced the release of BLOCKS, a set of customizable microservices that give developers a simple way to add code and deploy features for realtime apps.PubNub BLOCKS executes business logic directly on the data streaming through PubNub’s network without splitting it off to an intermediary server controlled by the customer. This revolutionary approach streamlines app development, reduces endpoint-to-endpoint latency, and allows apps to better leverage the enormous scalability of PubNu...
Dec. 1, 2015 05:00 AM EST Reads: 360
In today's enterprise, digital transformation represents organizational change even more so than technology change, as customer preferences and behavior drive end-to-end transformation across lines of business as well as IT. To capitalize on the ubiquitous disruption driving this transformation, companies must be able to innovate at an increasingly rapid pace. Traditional approaches for driving innovation are now woefully inadequate for keeping up with the breadth of disruption and change facin...
Dec. 1, 2015 03:30 AM EST Reads: 533
I recently attended and was a speaker at the 4th International Internet of @ThingsExpo at the Santa Clara Convention Center. I also had the opportunity to attend this event last year and I wrote a blog from that show talking about how the “Enterprise Impact of IoT” was a key theme of last year’s show. I was curious to see if the same theme would still resonate 365 days later and what, if any, changes I would see in the content presented.
Dec. 1, 2015 03:00 AM EST Reads: 470
You may have heard about the pets vs. cattle discussion – a reference to the way application servers are deployed in the cloud native world. If an application server goes down it can simply be dropped from the mix and a new server added in its place. The practice so far has mostly been applied to application deployments. Management software on the other hand is treated in a very special manner. Dedicated resources are set aside to run the management software components and several alerting syst...
Dec. 1, 2015 02:00 AM EST Reads: 254
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
Dec. 1, 2015 01:00 AM EST Reads: 437
Naturally, new and exciting technologies and trends like software defined networking, the Internet of Things and the cloud tend to get the lion’s share of attention these days, including when it comes to security. However, it’s important to never forget that at the center of it all is still the enterprise network. And as evidenced by the ever-expanding landslide of data breaches that could have been prevented or at least their impact lessened by better practicing network security basics, it’s ...
Dec. 1, 2015 12:45 AM EST Reads: 301
Put the word continuous in front of many things and we help define DevOps: continuous delivery, continuous testing, continuous assessment, and there is more. The next BriefingsDirect DevOps thought leadership discussion explores the concept of continuous processes around the development and deployment of applications and systems. Put the word continuous in front of many things and we help define DevOps: continuous delivery, continuous testing, continuous assessment, and there is more.
Dec. 1, 2015 12:30 AM EST Reads: 195
This morning on #c9d9 we spoke with two industry veterans and published authors - James DeLuccia and Jonathan McAllister - on how to bake-in security and compliance into your DevOps processes, and how DevOps and automation can essentially help you pass your next audit.
Dec. 1, 2015 12:30 AM EST Reads: 122