Creative Commons License

More on Cyber-Attacks

Saturday, July 11, 2009 at 01:07 PM EDT

Now that a few days have passed since the initial cyber-attacks on US and South Korean Web sites, folks in the security community have managed to collect more information about what is going on, and have obtained and analyzed copies of the attack software. The ShadowServer Foundation has a good write-up on their site. Among other things, the article has a list of the sites that were targeted for attack.

The methods of attack broke no new ground; they included TCP SYN flooding, UDP & ICMP flooding, and HTTP GET request flooding. The attacks were coordinated according to a schedule built into the malware:

Infected systems would start DDoS’ing portion of the above list of targets at specified times. The malware would send millions of packets of DDoS traffic to these targets should the machine be left on over this period of time. In case you were wondering.. that’s a lot of traffic.

Current estimates indicate that the “botnet” of hijacked PCs that carried out the attacks may have included as many as 200,000 computers. It also appears that most of these infected systems are located in South Korea, perhaps as many as 95%. This sort of geographic concentration is unusual, It suggests that a likely method of infection was a “drive-by” download, triggered when the PC user visited a compromised Web site, probably a Korean language one. However, this is only (somewhat) informed speculation at this point:

As of the time of this posting on July 10, 2009, we are *NOT* aware of anyone that has identified a mechanism by which this malware spreads or how it ended up on so many systems — especially Korean systems.

There are still suggestions that North Korea is somehow behind all this, but no one has produced any actual evidence, as far as I know:

First we have seen no evidence to point a finger at North Korea.

If we look at the list of targets for the attacks, it contains a variety of South Korean and US Web sites. It does seem somewhat plausible that whoever put together the list has anti-American motives, but is not too well informed. For example, one of the targeted sites is that of US Bancorp, www.usbank.com. There is no reason that I know of to single out one commercial bank, except that someone not too familiar with the US might think it was a government agency on account of its name.

There is some evidence that this particular malware, besides conducting DDoD attacks, may become destructive. On or after July 10, if the malware on the infected PC has been able to contact one of the botnet’s controlling machines, it will start to destroy Web and document files on the disk.

If you are at all suspicious that your PC might be infected, or if you observe unusually high network activity, I strongly recommend that you scan your machine with an up-to-date anti-virus program as soon as you can. More technical details are in the ShadowServer article, referenced above.