CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
January 29th, 2010

CIA, PayPal, Hundreds Of Other Websites Under Unexplained SSL Assault

The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that’s bombarding their websites with millions of compute-intensive requests.

The “massive” flood of requests is made over the websites’ SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.

“What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses,” Shadowserver’s Steven Adair wrote. “This might be a big deal if you’re used to only getting a few hundred or thousands of hits a day or you don’t have unlimited bandwidth.”

It’s not clear why Pushdo has unleashed the torrent. Infected PCs appear to initiate the SSL connections, along with a bit of junk, disconnect and then repeat the cycle. They don’t request any resources from the website or do anything else.

“We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn’t quite look like a DDoS either,” Adair wrote.

Security mavens aren’t sure what targeted sites can do to thwart the attacks. Changing IP addresses may provide a temporary reprieve.
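To check whether a server is seeing the pattern described above (SSL connections that send a bit of junk, disconnect, and never request a resource, spread thinly over many source addresses), an operator can aggregate connection records instead of counting per IP. The following is an added example, not code from Shadowserver or the original article; the key=value log format, the sample records and the thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed records in a hypothetical key=value connection-log format
# (one line per finished TCP connection); not output from any real tool.
SAMPLE_LOG = [
    f"src=198.51.100.{i} port=443 bytes_in=180 http_requests=0"
    for i in range(1, 9) for _ in range(2)      # 8 sources x 2 empty sessions
] + [
    "src=203.0.113.10 port=443 bytes_in=950 http_requests=3",
    "src=203.0.113.11 port=443 bytes_in=700 http_requests=1",
    "src=203.0.113.12 port=80 bytes_in=400 http_requests=1",
    "garbled line without fields",
]

def parse_line(line):
    """Return (src, port, http_requests) or None for a malformed line."""
    try:
        f = dict(item.split("=", 1) for item in line.split())
        return f["src"], int(f["port"]), int(f["http_requests"])
    except (ValueError, KeyError):
        return None

def summarize(lines, port=443, per_source_limit=10):
    """Aggregate SSL-port connections that never carried an HTTP request."""
    records = [r for r in map(parse_line, lines) if r and r[1] == port]
    empty = Counter(src for src, _, reqs in records if reqs == 0)
    total_empty = sum(empty.values())
    return {
        "ssl_connections": len(records),
        "empty_connections": total_empty,
        "empty_ratio": total_empty / len(records) if records else 0.0,
        "empty_sources": len(empty),
        # Sources a classic per-IP threshold would have flagged.
        "over_per_source_limit": sorted(
            s for s, n in empty.items() if n > per_source_limit),
    }

def looks_like_ssl_flood(summary, min_ratio=0.5, min_sources=5):
    """Assumed thresholds: tune against the site's own baseline."""
    return (summary["empty_ratio"] >= min_ratio
            and summary["empty_sources"] >= min_sources)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s, looks_like_ssl_flood(s))
```

On the sample data no single source exceeds the per-IP limit, yet the aggregate ratio of request-less SSL connections flags the window, which matches a flood spread across a very large number of addresses.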

Shadowserver has identified 315 websites that are the recipients of the SSL assault. In addition to cia.gov and paypal.com, other sites include yahoo.com, americanexpress.com, and sans.org. Here is the full list of attacked addresses:
 


Credit: The Register, Shadowserver.org


    2 Responses to “CIA, PayPal, Hundreds Of Other Websites Under Unexplained SSL Assault”

    1. Mike Cardwell Says:
      February 1st, 2010 at 8:24 am

      My server is on the above list “secure.grepular.com” … It suffered no such attack.


    2. Mike Cardwell Says:
      February 1st, 2010 at 8:28 am

      Actually… That would explain some stuff I’m seeing in my logs… I just didn’t notice because it hasn’t caused any availability problems.

