Massive DDoS attack returns to S.Korea

Posted on : 2011-03-05 12:25 KST Modified on : 2019-10-19 20:29 KST
Dozens of government and corporate websites were hit by attacks similar in method to attacks in July 2009

By Koo Bon-kwon, Senior Staff Writer

Over 10,000 “zombie PCs,” infected computers that can then be used remotely for a cyberattack, launched yet another DDoS attack on government websites such as Cheong Wa Dae (the presidential office in South Korea, or Blue House), the National Intelligence Service (NIS) and the Korea Communications Commission (KCC), and on 40 corporate websites such as Naver and Daum.

On Friday, the KCC said it raised its cyber threat condition two levels to “warning.” “Warning” is the same level as was promulgated during the massive DDoS attack of July 7, 2009. The KCC stressed in particular that zombie PCs infected with the malware should be treated with a specialized vaccine, as the commission believed the infection could even destroy hard drives.

The National Police’s Cyber Terror Response Center believes the hosts spreading the malicious code were the P2P sites “Sharebox” and “Superdown” and has begun a full-scale investigation into the exact source of the attack. The Korea Internet Security Agency (KISA) said about 13,000 infected zombie PCs were involved in the attack as of 4 p.m. Friday, and that it was lessening the damage by providing vaccines to infected computers through high-speed Internet providers. During the 2009 DDoS attack, about 130,000 zombie PCs were involved. AhnLab said the code began spreading through P2P sites at around 7 to 9 a.m. Thursday, and through analysis of the code it predicted another attack at around 6:30 p.m. Friday.

The KCC said infected PCs would launch another attack on 29 websites at 10:45 a.m. Saturday, and it expected the code would then destroy the infected computer’s own hard drive. It urged all Internet users to download the vaccine from www.boho.or.kr and scan their computers immediately.

This DDoS attack followed a method similar to that of the July 7, 2009 attack. The attackers compromised a P2P site, planted malicious code there and used it as a host site for the infection, and the malware is divided into seven files that update successively. Moreover, the zombie PCs infected with the code simultaneously connect to 28 servers to receive the hackers’ orders; afterwards, the computers would either carry out the attackers’ orders or launch attacks on major security-related websites such as Cheong Wa Dae, the NIS, the Defense Ministry or USFK. Another commonality is that the identity of the attacker is unknown, and it is not easy to guess his objective.

What is different about this attack is that all 40 affected websites were local, and that the code not only drives up traffic to the attacked sites but also directly raises the server load. The attack shows more sophistication, as the code has improved its survivability by blocking the automatic update function of commercial anti-virus software.

Kim Hong-sun, the president of AhnLab, said intermittent small-scale DDoS attacks were taking place, and that since the July 7, 2009 DDoS attack the attacking code has evolved, making analysis difficult. In particular, the reality is that when malicious code is hidden in files on Webhard and P2P sites frequently used by Korean Internet users, it is hard to detect it before activation and respond ahead of time. The code used by the hackers is no more than a few dozen kilobytes, and when its functions are split among several independent files, it is also difficult to analyze the entire attack method.

Please direct questions or comments to [englishhani@hani.co.kr]