DRG Pushdo Research, Analysis and Mitigation

Pushdo trojan infected hosts were updated in early 2010 to initiate a steady stream of SSL connections to dozens of stable and well known websites. The SSL sessions do not request any valid web content and quickly abort each session. Initial investigations by others has detailed the profile of these so-called "junk" SSL sessions. The traffic increase to websites as a result of the updated trojan does not appear to be significantly affecting most sites, but has been noticed by many of the targeted website operators and the activity has been covered by the media. DRG has been making a concerted effort to study and analyze this change in behavior as well as help make available infection data to qualified third parties for remediation purposes. DRG research, analysis and references regarding Pushdo are shown below. General inquiries are welcome. Send email to dragon@dragonresearchgroup.org.

• Pushdo Distribution - An initial analysis on the distribution of pushdo infected hosts. March 1, 2010.

References

1. Pushdo - Analysis of a Modern Malware Distribution System, Joe Stewart, Secureworks, December 17, 2007. html.
2. Pushdo / Cutwail Botnet - A study of the Pushdo / Cutwail Botnet, Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, Robert McArdie, Trend Micro, May 22, 2009, pdf.
3. Pushdo DDoS'ing or Blending In?, Steven Adair, Shadowserver Foundation, January 29, 2010, html.
4. Cutwail's Poorly Written Code Leads to Heavy SSL Traffic, February 6, 2010, html.
5. Team Cymru YouTube Episode 40: Pushdo, Interview with David Dobrotka, March 1, 2010, html.
6. Don't Pushdo - The Year of the Dragon (Research Group), Jeff Bardin, CSO Online, html.