The Pushdo botnet, a.k.a. “Cutwail” and “Pandex,” has been flooding those sites with bogus SSL connections that stop short of requesting anything from the Website. The infected bots begin to initiate an SSL connection with some “junk” traffic and then disconnect, according to The Shadowserver Foundation. Shadowserver and other researchers have been monitoring the activity, which increased traffic by several million hits across several hundred thousand IP addresses, according to Shadowserver.

The botnet hit the ZeusTracker Website, for example, with hundreds of thousands of different IP addresses within a 24-hour period. “This is a lot of bots generating a lot of traffic,” blogged Steven Adair, a researcher with Shadowserver. Recent code changes to Pushdo resulted in its bots generating the “junk” SSL connections to the 315 Websites, he said.

So what is Pushdo up to? Joe Stewart, director of malware research for Secureworks, says the botnet is making fake SSL connection attempts: Malformed packets cause the server to return an SSL negotiation error. “By adding the initial header of an SSL conversation, they may be attempting to avoid closer scrutiny by less vigilant inspection devices,” Stewart says. “And by sending a flurry of these connections to a number of legit ‘decoy’ sites, it helps the Pushdo C&C [command and control] traffic blend in and remain undetected in some cases,” he says.

It’s unclear thus far whether this is a test-run for phony SSL connections gone amuck that ended up exposing this Pushdo traffic, or something else. Stewart says it’s possible there could be more to the latest activity, such as the botnet’s rotating its target lists. “It’s hard to say,” he says.

Blending in has traditionally been Pushdo’s trademark: Although it’s one of the top five spamming botnets, it’s also one of the more under-the-radar botnets around. But this latest activity has researchers wondering how this massive surge of traffic, which resembles a distributed denial-of-service (DDoS) attack, would ultimately help its traffic blend in and become less detectable.

Shadowserver says the traffic is technically an attack, even though it doesn’t appear to be trying to knock the sites offline like a DDoS does. “We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn’t quite look like a DDoS either,” Adair says.

Secureworks’ Stewart says he has witnessed botnets sending traffic via SSL or port 443, but this phony SSL connection attempt is a first. “The Pushdo C&C protocol now also uses similar packets to encapsulate its encrypted/compressed phone-home requests,” he says. “Port 443 is commonly being used to proxy all kinds of non-SSL traffic by legit applications and bots alike, so it stands to reason that a heuristic one might look for suspicious or firewall-policy-violating traffic connections over port 443 that aren’t using SSL.”

The surge in traffic from Pushdo could cause problems for Websites with limited bandwidth and that typically get only a few hundred to a few thousand hits daily, Shadowserver says.

What’s supposed to be a news article is actually an writeup that explains how Google can supposedly provide online users the opportunity to earn easy money. To make it more convincing, the page also claims to have several positive responses from anonymous online users. Clicking any of the links from the spam website shown above leads to a phishing page.

The page contains a spoofed countdown timer that hopes to make the user panic and quickly fill up the form. Clicking the See If I Qualify button then directs the user to another page containing an affirmation of the user’s qualifications, which will then require him/her to fill up another form with his/her credit card information.

Related phishing schemes have also been found using the same technique but with different keywords other than Google Cash Club. Below are some of the keywords used:

• Make Money with Google
• Google Money Monster
• Google Home Income
• Easy Google Profit
• Google’s Business Kit

Inquiries on the legitimacy of the service have been posted on Google’s support forum, and I agree with what most of the users have posted: Google Cash Club is a scam along with other similar forms of this floating around the internet in different forms of ads.

The simple attack begins with an email message bearing the subject line “Hello,” according to Fred Touchette, senior security analyst at AppRiver. The body of the message reads, “Check areps.at” The message then offers a Facebook link to reply to the message. When users click on the link, they are brought to a fraudulent Facebook page that requests their account information and then routes them to their own Facebook page as it captures the login data, Touchette says. In some cases, the attackers use the login data to immediately change the users’ passwords, effectively locking them out of their accounts.

In addition to areps.at, AppRiver has spotted the same attack coming from several other sources, including bests.at, brunga.at, kirgo.at, nutpick.at, and fcoder.at. These sources bypass some spam filters because they are not structured as full URLs, AppRiver researchers say. The phishing attack is surprisingly simple and not particularly well-concealed, Touchette observes. For example, it doesn’t require CAPTCHA authentication — which Facebook usually does — and the destination URL of the fraudulent login page does not contain the word “Facebook” — which the real logon page does, he notes.

“We’re not sure what the [phishers] were thinking, using such a simple attack and then locking users out of their accounts,” Touchette says. “Usually, in more sophisticated [exploits] the attacker would quietly maintain access to the account for as long as possible, rather than tipping off the victim.”

Both AppRiver and Cloudmark researchers say they expect to see more such attacks on Facebook because of its popularity and the site’s viral nature of communications, which makes it easy for attacks to spread. “Phishing and spam will continue to increase on social networks as users migrate large portions of their Internet activity, such as email, to these properties,” says Adam O’Donnell, Cloudmark’s director of emerging technologies. “Finding a cost-effective mechanism for remediating phished accounts is now a priority for Facebook and other social network sites. They need to figure out how to reset these people’s passwords and contact them without priming their user population for an email-based phishing attack.”

So if anything can be learned from all of this… Don’t ever trust emails from “social websites” that end up asking you for any type of information, or simply link you to another website other than the one it says it is coming from! So stay safe!

Russian-based ElcomSoft has just released ElcomSoft Wireless Security Auditor 1.0, which can take advantage of both Nvidia and ATI GPUs. ElcomSoft claims that the software uses a “proprietary GPU acceleration technology,” which implies that neither CUDA, Stream, nor OpenCL are being utilized in this instance. At its heart, what ElcomSoft Wireless Security Auditor does is perform brute-force dictionary attacks of WPA and WPA2 passwords. If an access point is set up using a fairly insecure password that is based on dictionary words, there is a higher likelihood that a password can be guessed. Brute force attacks that send random dictionary words to an access point can eventually successfully guess the password, if given enough time–the more computational power behind it, the faster the software can send passwords attempts and possibly guess the password. *

“Advanced dictionary attacks with deep mutations attempt multiple variants and combinations of each dictionary word. The mutations can be fine-tuned to employ all or some of the settings such as different letter cases, number substitutions, changing the order of characters, using abbreviations and vowel mutations; 12 configurable mutation settings altogether.”

ElcomSoft positions the software as a way to “audit” wireless network security. However, we’re fairly certain that at least some users will use the software for more nefarious means, such as trying to break into someone else’s wireless network. If you manage a wireless network, you should use passwords that use a combination of upper and lower-case letters, numbers, and symbols (if it supported), use relatively long passwords, and avoid dictionary words–in fact, this is good advice for nearly any type of password–not just for wiresless access points. ElcomSoft Wireless Security Auditor runs on Windows NT SP4, Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. The software ordinarily sells for $1,199, but is currently selling at half price ($599.5) until March 1, 2009.