LONDON, 11 AUGUST 2009 - The investigation into the attacks against high-profile Web sites in South Korea and the U.S. is a winding, twisty electronic goose chase that may not result in a definitive conclusion on the identity of the attackers.
Computer security experts disagree over the skill level of the DDOS (distributed denial-of-service) attacks, which over the course of a few days in early July caused problems for some of the Web sites targeted, including South Korean banks, U.S. government agencies and media outlets.
The DDOS attack was executed by a botnet, or a group of computers infected with malicious software controlled by a hacker. That malware was programmed to attack the Web sites by bombarding them with page requests that far exceed normal visitor traffic. As a result, some of the weaker sites buckled.
While there are hundreds of DDOS attacks that occur every day, the one from last month has interesting characteristics. First, it was carried out using a botnet of up to an estimated 180,000 computers that was almost entirely located within South Korea.
"It's very rare to see a botnet of that size so localized," said Steven Adair of The Shadowserver Foundation, a cybercrime watchdog group. "Large-size botnets do usually take time to build up and a lot of effort from attackers."
And basic questions appear to be unanswered, such as how the attackers were able to infect such a large number of computers in South Korea with the specific code that commandeered the computers to attack a list of Web sites.
The investigation has geopolitical ramifications. South Korea's National Intelligence Service reportedly told the country's lawmakers early last month that it suspected North Korea was involved. Despite no definitive public evidence linking North Korea to the DDOS attacks, the country's hardline demeanor makes it a convenient actor to blame given its prickly relations with the U.S. and South Korea.
The botnet, which is now inactive, appeared to be custom-built for the attacks. Often, people who want to knock a Web site offline will instead rent time on an existing botnet from its controller, known as a botnet herder, paying a small fee per machine, such as US$0.20. Botnets can also be used for other Internet activity, such as sending spam.
Analysts do know that the computers comprising the botnet had been infected with a variation of MyDoom, a piece of malicious software that repeatedly mails itself out to other computers once it has infected a PC. MyDoom debuted with devastating consequences in 2004, becoming the fastest-spreading e-mail worm in history. It is now routinely cleansed from PCs that are running antivirus software, though many computers don't have such protective software installed.