Strange SSL packets
by admin on Feb.03, 2010, under Hack Attack
http://news.zdnet.co.uk/security/0,1000000189,40018127,00.htm
Elinor Mills, CNET News
Published: 02 Feb 2010 09:31 GMT
In an attempt to hide the location of its command-and-control server, the Pushdo botnet has been instructing its infected zombie computers to send fake SSL connections to major websites, a botnet expert said on Monday.
The strange traffic targeting the websites — including sites for the CIA, FBI, PayPal, Yahoo and Twitter, according to a list at the Shadow Server Foundation — was not enough to cause any outages or slowdowns, said Joe Stewart, director of malware research at SecureWorks.
Site owners “would just see weird connections that don’t seem to make sense,” he said. “They look like they’re trying to start an SSL [Secure Sockets Layer] handshake, but it comes in malformed and doesn’t ever send anything after that first handshake attempt.”