U.S. and South Korean Sites Among Those Hit by (Somewhat) Massive Cyberattack
Talk of cyberwar is in the air after more than two dozen high-level websites in the United States and South Korea were hit by denial-of-service attacks this week. But cooler heads are pointing to a pilfered five-year-old worm as the source of the traffic, under control of an unsophisticated hacker who apparently did little to bolster his borrowed code against detection.
Nonetheless, the attacks have launched a thousand headlines (or thereabouts) and helped to throw kindling on some long-standing international political flames — with one sworn enemy blaming another for the aggression.
Welcome to the New World Order of cybersecurity.
As reported by numerous media outlets this week, websites belonging to the White House, Department of Homeland Security, U.S. Secret Service, National Security Agency, Federal Trade Commission, Department of Defense and the State Department, as well as sites for the New York Stock Exchange and Nasdaq were hit by denial-of-service attacks over the July 4th holiday weekend. The Washington Post website was also reportedly affected by the attacks, launched by a botnet of more than 50,000 computers in several countries (mostly China, South Korea and Japan, according to Whois records) controlled by the hacker.
Then on Tuesday, at least 11 sites in South Korea, including sites for the Ministry of Defense and the presidential Blue House, were also targeted, leading the Associated Press to publish a story prominently quoting anonymous South Korean intelligence officials blaming the attacks on North Korea.
Security experts who examined code used in the attack say it appears to have been delivered to machines through the MyDoom worm, a piece of malware first discovered in January 2004 and appearing in numerous variants since. The Mytob virus might have been used, as well.
Both programs infect PCs running various versions of the Windows operating system. MyDoom arrives as an infected e-mail attachment and, when it first appeared, also spread through the Kazaa file-sharing network. Once a user opens the attachment, the worm harvests e-mail addresses from the victim's machine and mails itself to every address it finds. The original 2004 malware was programmed to launch a denial-of-service attack against a website of the SCO Group, which had sued IBM over Unix code it alleged had been contributed to Linux. The attack was programmed to begin February 1, 2004 and end February 12, with each infected machine sending a request to the website every millisecond. MyDoom was considered the fastest-spreading worm at the time.
In the recent attack, experts say the malware used no sophisticated techniques to evade detection by anti-virus software and doesn’t appear to have been written by someone experienced in coding malware. The author’s use of a pre-written worm to deliver the code also suggests the attacker probably wasn’t thinking of a long-term attack.
“The fact that it’s using older threats isn’t a terribly stealthy attack,” says Dean Turner, director of Symantec’s Global Intelligence Network. “And the fact that it’s re-using code could indicate that somebody put it together in a hurry or that, as with most DDoS attacks, their purpose is mostly nuisance. It didn’t require a degree in rocket science to pull that stuff together.”
He acknowledges, though, that given the length of time the attack has continued, it's "pretty significant."
Joe Stewart, a security researcher at SecureWorks, says the code he examined, which was written in Visual C++, was compiled on July 3, two days before the first attacks. Although Stewart says analysis of the attack is still in its early stages, he concurs that the attacker's motivation was fairly routine.
“Usually you see a DDoS attack against one or two sites and it will be for one of two reasons — they have some beef with those sites or they’re trying to extort money from those sites,” he says. “To just attack a wide array of government sites like this, especially high-profile, just suggests that maybe the entire point is just to get attention to make some headlines rather than to actually do any kind of damage.”
Denial-of-service attacks are one of the least sophisticated kinds of attacks a hacker can launch and have been around for nearly as long as e-commerce. But their strength and reach have increased since the advent of botnets, in which hackers take control of thousands of machines by getting users to inadvertently open files containing malware that lets the attacker control the machines remotely. The hackers then use those machines to flood websites with traffic. The only reason this one seems to have caught the public eye is that so many government sites were targeted at once.
“The breadth of the attack is unusual,” Stewart says.
The malware is designed to contact various servers to obtain new lists of targets. The first list had only five targets — all U.S. government sites. A second list used by the malware on July 6 had 21 targets, all U.S. government and commercial sector sites, including e-commerce and media sites. A list on the 7th switched out some of the U.S. sites for ones in South Korea. The total number of sites known to be targeted so far is 39, Stewart says, although the list could be augmented as the days pass.
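The article describes the two halves of an attack like this one: thousands of infected machines each hammering a site with requests, and a target list that the bot fetches and rotates every day or so. From the defender's side, the first half is what shows up in a web server's access log. The following is an added example (not code from the article, from the attackers or from any of the researchers quoted) of a sliding-window flood detector: it parses Common Log Format lines, counts requests per source address over a ten-second window, and reports any source that exceeds a threshold. The access log lines are constructed inline using RFC 5737 documentation addresses; the ten-second window and 50-request threshold are illustrative assumptions, not figures from the article.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def detect_flood(lines, window_seconds=10, threshold=50):
    """Return {host: peak_count} for every source whose request count within
    any window_seconds-long window exceeds threshold.

    Lines are assumed to be in chronological order, as a server writes them.
    The window and threshold are assumed values for illustration; tune them
    to the site's normal per-client rate before using this for alerting.
    """
    windows = defaultdict(deque)  # host -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on them
        q = windows[rec["host"]]
        q.append(rec["time"])
        # Evict timestamps that have fallen out of the trailing window.
        while q and (rec["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and len(q) > peaks.get(rec["host"], 0):
            peaks[rec["host"]] = len(q)
    return peaks


def make_sample_log():
    """Constructed sample log (not real traffic): three ordinary clients making
    one request per second, plus two flooding hosts making 20 requests per
    second for five seconds. Addresses are RFC 5737 documentation ranges."""
    base = datetime(2009, 7, 6, 0, 0, 0, tzinfo=timezone.utc)
    entries = []
    for i, host in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for s in range(10):
            entries.append((base + timedelta(seconds=s, milliseconds=100 * i), host))
    for host in ["198.51.100.5", "198.51.100.6"]:
        for n in range(100):
            entries.append((base + timedelta(seconds=2, milliseconds=50 * n), host))
    entries.sort()  # interleave by time, as a real log would be written
    return [
        f'{host} - - [{t.strftime(TIME_FMT)}] "GET / HTTP/1.1" 200 512'
        for t, host in entries
    ]


if __name__ == "__main__":
    for host, peak in detect_flood(make_sample_log()).items():
        print(f"flood suspect {host}: {peak} requests in a 10 s window")
```

On the constructed log only the two flooding hosts are reported, each with a peak of 100 requests inside the window; the ordinary clients never exceed ten. A deque per source keeps memory proportional to the window rather than to the log, which matters when the log is the one being written during the attack.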
Not all the sites were crippled by the attack. Most of the U.S. sites recovered quickly, but sites for the Federal Trade Commission, the Department of Transportation and the Secret Service continued to have problems for a day or more.
The Department of Homeland Security, which oversees the U.S. Computer Emergency Readiness Team (US-CERT), said in a statement that as of last night, all federal websites were back up and running. Spokeswoman Amy Kudwa also said that US-CERT had issued a notice to federal departments and agencies advising them of steps to take to help mitigate such attacks.
“We see attacks on federal networks every single day, and measures in place have minimized the impact to federal websites,” she said. “US-CERT will continue to work with its federal partners and the private sector to address this activity.”