The MyDoom code has been called amateurish, but it was nonetheless effective. The command and control structure for delivering instructions to computers infected with MyDoom used eight main servers that were scattered around the world. But there also was a labyrinthine group of subordinate command and control servers that made it more difficult to trace.
"It is difficult to find the real attacker," said Sang-keun Jang, a virus analyst and security engineer with the security company Hauri, based in Seoul.
IP (Internet Protocol) addresses -- which at most can identify approximately where a computer is plugged in on a network but not its precise location or who is operating the computer -- only give investigators so much information to go on. Open Wi-Fi hotspots can allow an attacker to change IP addresses frequently, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, a nonprofit research institute.
"Anonymous attacks are going to be a fact of life," Borg said. "That has big policy implications. If you can't attribute quickly and with confidence, then most strategies based on deterrence are no longer viable. There's a big revolution that is already under way and needs to be carried out in our defense thinking."
For the South Korea-U.S. DDOS attacks, one security company is taking the approach of following the money. Many DDOS attacks are actually paid transactions, and where there is money, there is some trail.
"Going after IP addresses is not really helpful," said Max Becker, CTO of Ultrascan Knowledge Process Outsourcing, a subsidiary of fraud investigation firm Ultrascan. "What we are trying to do is go after the people who set up and pay for these kinds of attacks."
Ultrascan has a network of informants who are closed to organized criminal gangs in Asia, many of which are involved in cybercrime, said Frank Engelsman, an investigator with Ultrascan based in the Netherlands. One question is whether it could be proved a criminal group had been paid by North Korea to carry out the attacks, Engelsman said.
That could take a lot of investigative work. But it may be easier than that.
Cybercriminals make mistakes, such as earlier this year when researchers uncovered a global spying network called "GhostNet" that infected computers belonging to Tibetan nongovernmental organizations, the private office of the Dalai Lama and embassies of more than a dozen countries. A Google search by researcher Nart Villeneuve turned up some of the most damning evidence -- an unencrypted server indexed by the search engine.
From spelling mistakes, to e-mail addresses to coding errors, attackers can leave clues that could turn a cold trail hot.
"You know where the mistakes are likely to be made," said Steve Santorelli, director of global outreach for Team Cymru, a nonprofit Internet security research firm. "You can turn over the right rocks quickly."
And Santorelli added: "Google doesn't forget anything."
Sign up for Computerworld eNewsletters.