SANS ISC: Pushdo Update - SANS Internet Storm Center SANS ISC InfoSec Forums

Pushdo Update

As mentioned in an older diary [1], "" is one of the targets singled out by the Pushdo bots. At this point, it is not clear what the intention of this botnet is. If its intention is a denial of service attack, then it failed: none of the sites listed appears to have experienced significant Pushdo-related outages. We reported earlier about a Bank of America outage, but in hindsight, that outage appears to be unrelated to Pushdo and has been resolved.

We took the opportunity presented by Pushdo attacking "", and collected some traffic for further analysis. It receives a good amount of legitimate HTTPS traffic as well, which made isolating the Pushdo traffic a bit challenging. We focused on a slice of about 10 minutes' worth of traffic to ease analysis.

I used the following two snort rules to isolate the traffic:

# Rule 1: server -> client SSL 3.0 alert record (record type 0x15, version 03 00) in the first 3 bytes
alert tcp any 443 -> any any (content: "|15 03 00|"; depth: 3; msg: "SSL 3 Illegal Parameter"; sid: 1000001)
# Rule 2: client -> server handshake record (0x16) carrying a ClientHello (0x01) whose gmt_unix_time is 01 01 01 01
# (the first content has no preceding match to be "within" of, so it is anchored with depth:1)
alert tcp any any -> any 443 ( msg:"Pushdo DoS Request - July 17, 1970 timestamp"; content:"|16|"; depth:1; content:"|01|"; depth:6; content:"|01 01 01 01|"; within:16; sid:10000002;)

One pattern Pushdo exhibits is the use of malformed SSL Client Hello messages sent right after the TCP connection is established. The server responds to these messages with an SSL alert. The first rule tries to match the server's SSL alert, while the second rule looks for the Pushdo Client Hello itself.
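To make the byte offsets in the two rules concrete, here is an added Python equivalent (example code written for this page, not the diary's own tooling) that applies the same depth/within logic to constructed TLS records and tallies alerting client addresses the way the host count below was derived. The addresses, ports and payloads are made up; the ClientHello builder is a minimal TLS 1.0 framing for testing only.

```python
# Added example: Python equivalent of the two Snort rules in the diary,
# run over constructed TLS records. Addresses and payloads are made up.
from collections import Counter

SSL3_ALERT_PREFIX = b"\x15\x03\x00"         # rule 1: alert record, SSL 3.0
HANDSHAKE_RECORD = 0x16                     # rule 2: TLS handshake record type
CLIENT_HELLO = b"\x01"                      # handshake type ClientHello
PUSHDO_RANDOM_PREFIX = b"\x01\x01\x01\x01"  # gmt_unix_time 0x01010101 (a 1970 timestamp)


def is_ssl3_alert(payload: bytes) -> bool:
    """Rule 1: content "|15 03 00|" with depth:3, i.e. the record starts with it."""
    return payload.startswith(SSL3_ALERT_PREFIX)


def is_pushdo_hello(payload: bytes) -> bool:
    """Rule 2: "|16|" at offset 0, "|01|" somewhere in the first 6 bytes (depth:6),
    and "|01 01 01 01|" fully inside the 16 bytes after that "|01|" (within:16)."""
    if not payload or payload[0] != HANDSHAKE_RECORD:
        return False
    # Snort retries later candidates when a chained match fails, so try every
    # 0x01 in the first six bytes rather than only the first one.
    for idx in (i for i in range(min(6, len(payload))) if payload[i] == 0x01):
        window = payload[idx + 1: idx + 1 + 16]   # within:16, relative to match end
        if PUSHDO_RANDOM_PREFIX in window:
            return True
    return False


def build_client_hello(gmt_unix_time: int, version: bytes = b"\x03\x01") -> bytes:
    """Construct a minimal ClientHello record (hypothetical test data, not a capture)."""
    random_field = gmt_unix_time.to_bytes(4, "big") + bytes(28)
    body = (version + random_field
            + b"\x00"                 # session id length 0
            + b"\x00\x02\x00\x2f"     # one cipher suite
            + b"\x01\x00")            # one compression method: null
    handshake = CLIENT_HELLO + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + version + len(handshake).to_bytes(2, "big") + handshake


def scan(packets):
    """Apply both rules to (src, src_port, dst, dst_port, payload) tuples.
    Returns (rule_msg, src, dst) alerts in packet order."""
    alerts = []
    for src, sport, dst, dport, payload in packets:
        if sport == 443 and is_ssl3_alert(payload):
            alerts.append(("SSL 3 Illegal Parameter", src, dst))
        if dport == 443 and is_pushdo_hello(payload):
            alerts.append(("Pushdo DoS Request", src, dst))
    return alerts


def top_sources(alerts, rule_msg="Pushdo DoS Request", n=5):
    """Count client addresses that triggered a rule, most active first."""
    return Counter(src for msg, src, _ in alerts if msg == rule_msg).most_common(n)


# Constructed sample traffic: 203.0.113.10:443 is the target, the rest are clients.
SAMPLE_PACKETS = [
    ("198.51.100.7", 51000, "203.0.113.10", 443, build_client_hello(0x01010101)),
    ("203.0.113.10", 443, "198.51.100.7", 51000, b"\x15\x03\x00\x00\x02\x02\x2f"),  # fatal illegal_parameter
    ("198.51.100.8", 52000, "203.0.113.10", 443, build_client_hello(1265068800)),  # ordinary client
    ("203.0.113.10", 443, "198.51.100.8", 52000, b"\x16\x03\x01\x00\x2a\x02"),     # start of a ServerHello
    ("198.51.100.7", 51001, "203.0.113.10", 443, build_client_hello(0x01010101)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
    print(top_sources(scan(SAMPLE_PACKETS)))
```

Note that the first rule on its own fires on any SSL 3.0 alert a server emits, whatever the cause; pairing the two alerts per connection, as `scan` makes easy to do, and restricting the rules to the address range of the site under attack is what keeps the match set to the Pushdo traffic.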

The most aggressive Pushdo-infected hosts appear to establish a connection about once a minute. We identified about 10k hosts attacking the site. According to some reports, Pushdo will also just establish a TCP connection and then sit idle without ever sending the SSL Client Hello.

All this is consistent with Pushdo being a simple DDoS bot. The impact is limited at this point, in part due to the firepower of the botnet being spread across a large number of targets. For more details on Pushdo, see Shadowserver's blog posting [2].


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



Feb 2nd 2010
So this is pre-encrypted traffic since it's a Hello msg, right?

Those sigs look to be recipes for false positives. Do you have an IP range you can close it in on?
