More on Cyber-Attacks
Saturday, July 11, 2009 at 01:07 PM EDT
Now that a few days have passed since the initial cyber-attacks on US and South Korean Web sites, folks in the security community have managed to collect more information about what is going on, and have obtained and analyzed copies of the attack software. The ShadowServer Foundation has a good write-up on their site. Among other things, the article has a list of the sites that were targeted for attack.
The methods of attack broke no new ground; they included TCP SYN flooding, UDP & ICMP flooding, and HTTP GET request flooding. The attacks were coordinated according to a schedule built into the malware:
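A defender-side detector for the flood types just listed, added here as an example that is not part of the original post; the flow-log format, the thresholds, the ten-second window and the sample addresses are assumptions constructed for illustration.

```python
# Added detector (not from the original post): flag sources whose traffic matches
# the SYN, UDP/ICMP and HTTP GET flood patterns named above, per sliding window.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLDS = {"syn_flood": 3, "udp_flood": 3, "icmp_flood": 3, "http_get_flood": 3}
WINDOW = timedelta(seconds=10)   # events per source within this span trigger an alert

# Constructed sample flow log: "timestamp proto src dst_port detail" (flag set / '-' / HTTP method).
SAMPLE_LOG = """\
2009-07-07T10:00:00 TCP 10.0.0.5 80 SYN
2009-07-07T10:00:01 TCP 10.0.0.5 80 SYN
2009-07-07T10:00:02 TCP 10.0.0.5 80 SYN
2009-07-07T10:00:00 HTTP 192.0.2.7 80 GET
2009-07-07T10:00:02 HTTP 192.0.2.7 80 GET
2009-07-07T10:00:04 HTTP 192.0.2.7 80 GET
2009-07-07T10:00:01 HTTP 10.0.0.9 80 GET
2009-07-07T10:00:00 TCP 198.51.100.3 80 SYN
2009-07-07T10:00:30 TCP 198.51.100.3 80 SYN
2009-07-07T10:01:00 TCP 198.51.100.3 80 SYN
""".splitlines()

def classify(record):
    """Return (time, src, flood category) for a flood indicator, else None."""
    ts, proto, src, _dport, detail = record.split()
    when = datetime.fromisoformat(ts)
    if proto == "TCP" and detail == "SYN":      # bare SYN: half-open connection attempt
        return when, src, "syn_flood"
    if proto in ("UDP", "ICMP"):
        return when, src, proto.lower() + "_flood"
    if proto == "HTTP" and detail == "GET":
        return when, src, "http_get_flood"
    return None

def detect_floods(lines, thresholds=THRESHOLDS, window=WINDOW):
    """Return {(src, category): peak count} for sources reaching a threshold in any window."""
    events = defaultdict(list)
    for when, src, cat in filter(None, map(classify, lines)):
        events[(src, cat)].append(when)
    alerts = {}
    for (src, cat), times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= thresholds[cat]:
                alerts[(src, cat)] = max(alerts.get((src, cat), 0), count)
    return alerts
```

The slow sender 198.51.100.3 is deliberately below the rate that fires within ten seconds; widening the window (for example to sixty seconds) makes it an alert, which is why the window and thresholds must be tuned against a real baseline.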
Current estimates indicate that the "botnet" of hijacked PCs that carried out the attacks may have included as many as 200,000 computers. It also appears that most of these infected systems are located in South Korea, perhaps as many as 95%. This sort of geographic concentration is unusual; it suggests that a likely method of infection was a "drive-by" download, triggered when the PC user visited a compromised Web site, probably a Korean-language one. However, this is only (somewhat) informed speculation at this point:
There are still suggestions that North Korea is somehow behind all this, but no one has produced any actual evidence, as far as I know:
If we look at the list of targets for the attacks, it contains a variety of South Korean and US Web sites. It does seem somewhat plausible that whoever put together the list has anti-American motives, but is not too well informed. For example, one of the targeted sites is that of US Bancorp, www.usbank.com. There is no reason that I know of to single out one commercial bank, except that someone not too familiar with the US might think it was a government agency on account of its name.
There is some evidence that this particular malware, besides conducting DDoS attacks, may become destructive. On or after July 10, if the malware on the infected PC has been able to contact one of the botnet's controlling machines, it will start to destroy Web and document files on the disk.
If you are at all suspicious that your PC might be infected, or if you observe unusually high network activity, I strongly recommend that you scan your machine with an up-to-date anti-virus program as soon as you can. More technical details are in the ShadowServer article, referenced above.
This article originally appeared on Rich's Random Walks.