A recent report from CNet relates how a botnet is making fake SSL connections to a variety of popular hosts in order to hide the central control center of the botnet.
The list of affected hosts (from the botnet fighters at shadowserver.org) is enormous; it includes hosts from such people as Ubuntu Linux, Twitter, the US CIA, Last.fm, National Science Foundation (NSF), Dropbox, NASA, the US Army, the US Navy, the Pirate Bay, Wisconsin Unemployment Insurance, IEEE, US National Institutes of Health (NIH), Symantec, Sun, and so many more… Shadowserver.org has more about these fake SSL connects in their January calendar.
The Pushdo botnet is responsible; it reportedly has been around since 2007 and is the second largest botnet in the world. TrendMicro did an in-depth analysis of Pushdo a while back. SecureWorks also has a nice analysis of Pushdo as well. Microsoft’s Matt McCormack had a widely read article on Pushdo.
These SSL connections are never completed, and are mostly just a nuisance for web operators. However, on the other hand, the botnet is a serious problem – second largest in the world after all. We can only hope those that are in the know manage to shut it down soon.
UNIX Administratosphere 