DDoS attack in March likely N.Korean work, says McAfee

Research by McAfee points to a DDoS attack on South Korea by its northern neighbor

By Martyn Williams, IDG News Service
July 06, 2011 01:59 AM ET
The cyber attacks that paralyzed a handful of major South Korean websites earlier this year were almost certainly carried out by North Korea or parties allied with the country, computer security company McAfee said Tuesday in a report.

The company's analysis, carried out with the help of the South Korean and U.S. governments, is one of the most thorough yet published on the March attacks, and details how they were carried out, and why they were so difficult to counter.

In investigating the incident, the report draws clear parallels with a similar attack that knocked South Korean and U.S. websites offline in 2009 and comes to an unsettling conclusion: the attacks were likely designed to test South Korea's cyber defense and response, and could be the prelude to a much larger attack in the future.

The attack began on March 4 when thousands of computers started bombarding 14 websites with traffic. The sites included prominent government agencies, South Korean companies and the home page of U.S. Forces Korea. The method, called a DDoS (distributed denial of service) attack, is designed to overwhelm the sites with so many requests that they become overloaded. To genuine users they appear very slow or, in many cases, offline.
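The paragraph above describes the effect of a flood on the victim's side: legitimate requests drown in a volume the servers cannot keep up with. The following Python example is added here as an illustration of how a defender would look for that in a web server's own access logs; it is not code from the article or from the McAfee report, the log lines are synthetic, the Common Log Format layout and the 10-second window and 20-requests-per-source threshold are assumptions chosen for the demonstration, and the IP addresses are from documentation ranges. It also shows why a per-source threshold alone is not enough against a distributed flood: each participating machine can stay under the limit while the total request count and the number of distinct sources per window still jump.

```python
"""Flag abusive request sources in web-server access logs.

Constructed example: the log lines below are synthetic and the thresholds
are illustrative, not taken from the McAfee report.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, request) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def count_by_source(lines, window_seconds):
    """Map (window_start, ip) -> request count, using fixed windows of window_seconds."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than letting them stop the detector
        ip, epoch, _ = parsed
        window_start = epoch - (epoch % window_seconds)
        counts[(window_start, ip)] += 1
    return counts


def flag_sources(lines, window_seconds=10, threshold=20):
    """Return [(ip, window_start, count)] for sources exceeding threshold in any window."""
    counts = count_by_source(lines, window_seconds)
    hits = [(ip, w, n) for (w, ip), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0]))


def window_summary(lines, window_seconds=10):
    """Map window_start -> (total_requests, distinct_sources).

    A distributed flood can keep every single source under the per-IP threshold;
    the total request count and the number of distinct sources per window are the
    signals that still move in that case.
    """
    totals = Counter()
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, epoch, _ = parsed
        w = epoch - (epoch % window_seconds)
        totals[w] += 1
        sources[w].add(ip)
    return {w: (totals[w], len(sources[w])) for w in totals}


def _clf(ip, second):
    # Build one synthetic Common Log Format line at 10:00:<second> KST (constructed data).
    return f'{ip} - - [04/Mar/2011:10:00:{second:02d} +0900] "GET / HTTP/1.1" 200 512'


# Constructed sample: one chatty client, two ordinary clients, a crowd of 40
# distinct addresses each making 3 requests in the same 10-second window, and
# one malformed line to exercise the parser's error handling.
SAMPLE_LINES = (
    [_clf("203.0.113.7", s % 10) for s in range(25)]
    + [_clf("198.51.100.2", 1), _clf("198.51.100.2", 7)]
    + [_clf("198.51.100.9", 3), _clf("198.51.100.9", 8)]
    + [_clf(f"192.0.2.{i}", s) for i in range(1, 41) for s in (2, 5, 9)]
    + ["this line is not a valid log entry"]
)

if __name__ == "__main__":
    for ip, w, n in flag_sources(SAMPLE_LINES):
        print(f"per-source: {ip} made {n} requests in window starting {w}")
    for w, (total, distinct) in sorted(window_summary(SAMPLE_LINES).items()):
        print(f"window {w}: {total} requests from {distinct} distinct sources")
```

Run against the sample, the per-source rule catches only the single chatty address, while the window summary shows 149 requests from 43 distinct sources in one 10-second window; in practice the per-window totals would be compared against a baseline for the site rather than read in isolation.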

The computers that took part in the attack would have been infected earlier with a piece of malicious software that lay dormant waiting for instructions from control servers, which were themselves compromised computers. In the case of the March attack, these servers made up the middle layer of the infrastructure and were controlled by an additional tier of command computers.

Encryption was used throughout the system to make it more difficult to analyze the messages and computer code. In an extra step to make analysis even more difficult, multiple encryption algorithms were employed at different stages of the system.

The attacks lasted up to 10 days after which time the malicious software was programmed to self-destruct. Key files were deleted and overwritten, and then the master boot record of the disk on which they were stored was corrupted. This would leave the disk unusable, even for the legitimate owner of the computer being used.

After analyzing the attack and how it was carried out, researchers had one big question: Why would you build so much sophistication into software designed to carry out a pretty primitive attack?

"DDoS can be done with software from your local cyber criminal," said Dmitri Alperovitch, vice president of threat research for McAfee Labs, in a telephone interview. "The level of effort that went into this one far exceeds any DDoS botnets until now."

The attack didn't try to evade detection -- taking down major websites is guaranteed to draw attention -- but it did seek to impede analysis of the attack, said Alperovitch. The investigators concluded that the attack was political in nature and had a predetermined and narrow focus.

"It was to test the response of the South Korean government," he said. "When you look at who might do that, one actor jumps off the page. The North Korean government would want to see if a future conflict could have a cyber impact as well as a real-life impact."
