Web attacks hit U.S., South Korean sites
Robert Lemos, SecurityFocus 2009-07-08
A widespread distributed denial-of-service attack continued to inundate U.S. government and South Korean Web sites with network traffic on Wednesday, the fourth day of a quickly escalating attack whose targets suggest a connection to the tensions surrounding North Korea.
"It has been going for several days now, and there has been a coordinated restriction of information from the government. And that causes all sorts of issues — people are misinformed and they are jumping to the wrong conclusions."
Amit Yoran, CEO, NetWitness
The attack appears to have begun on Saturday night, July 4, Pacific time, initially targeting five U.S. government Web sites, according to configuration files for the malicious software obtained by security firm SecureWorks. By Monday evening, the attack had expanded to 26 Web sites, including sites in South Korea and some U.S. commercial sites, said Joe Stewart, director of malicious threat research at SecureWorks. Each time the targets changed, computers compromised with the bot software, which appeared to share code with the infamous MyDoom family of viruses, were updated with a configuration file listing the latest targets, Stewart said.
In the latest file, distributed on Tuesday, "some of the U.S. sites were taken out and the South Korean sites were added in," he said. The update in the configuration file matched the timing of reported attacks on South Korean sites.
A South Korean blogger publicized his own list of 36 sites that he culled from the code, including banks, newspapers and government Web sites in both South Korea and the United States. Among the U.S. government Web sites were the Department of Homeland Security, the Federal Trade Commission, and the Treasury Department.
While media reports have focused on the targets of the attacks, Jose Nazario, manager of security research for Arbor Networks, stressed that the actual sophistication and power of the denial-of-service attacks were mediocre at best. Data collected in one case indicated an attack of 23 Mbps to 25 Mbps — not large by modern standards — while the bot software showed a lack of understanding of current packing techniques and significant reuse of code from other malware, especially from the MyDoom code base that can be found in certain forums online.
"The writer is not exactly the most talented programmer out there," Nazario said.
Another security professional agreed that the attacker appeared to be an amateur.
"This, in my opinion, is not a very sophisticated attack, and to me, that is disappointing, because these sites should not be collapsing from these attacks," said Michael Sutton, vice president of security research for Zscaler.
The attacks share characteristics of past packet storms that took down high-profile targets. In 2000, a massive denial-of-service attack took down major e-commerce sites, including Amazon.com, CNN.com and Yahoo. Two months after the attacks, a Canadian teenager known as Mafiaboy was arrested and, the following year, received an eight-month sentence for the attacks. In 2006, gray-hat security firm Blue Security shuttered its business following an extended denial-of-service attack that took down the company's site, a blog service and its domain-name provider. No arrests resulted from an investigation into that attack, which appears to have been launched by spammers.