Attacks on US, Korea Web sites leave a winding trail

Investigators are chasing IP addresses and collecting human intelligence to nab perpetrators

The investigation into the attacks against high-profile Web sites in South Korea and the U.S. is a winding, twisty electronic goose chase that may not result in a definitive conclusion on the identity of the attackers.

Computer security experts disagree over the skill level of the DDOS (distributed denial-of-service) attacks, which over the course of a few days in early July caused problems for some of the Web sites targeted, including South Korean banks, U.S. government agencies and media outlets.

The DDOS attack was executed by a botnet, or a group of computers infected with malicious software controlled by a hacker. That malware was programmed to attack the Web sites by bombarding them with page requests that far exceed normal visitor traffic. As a result, some of the weaker sites buckled.
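One way a site operator can spot the pattern just described, page requests from many clients far above normal visitor rates, is to count requests per source address in fixed time windows and flag addresses whose count is an outlier. The script below is an added illustration written for this page, not code from the article or from any of the investigators quoted; the log lines it analyses are constructed in the documentation address ranges 192.0.2.0/24 and 198.51.100.0/24, and the window size, multiplier and floor are arbitrary tuning values.

```python
"""Rate-based flood detection over web access logs (added example).

Groups requests per source IP into fixed windows and flags addresses whose
count in a window exceeds max(floor, factor * median per-IP count). The log
lines are constructed sample data, not real traffic from the 2009 attacks.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import re
import statistics

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts,
            "req": m.group("req"), "status": int(m.group("status"))}


def requests_per_window(lines, window_seconds=60):
    """Map window start (epoch seconds) -> Counter of requests per source IP."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines instead of crashing
            continue
        epoch = int(rec["ts"].timestamp())
        window = epoch - (epoch % window_seconds)
        counts[window][rec["ip"]] += 1
    return counts


def flag_flooders(lines, window_seconds=60, factor=10, floor=20):
    """Return {ip: [(window_start, count), ...]} for outlier source addresses.

    The median of per-IP counts in the window is the baseline; the floor
    keeps a quiet window (median 1 or 2) from flagging ordinary visitors.
    """
    flagged = {}
    for window, per_ip in requests_per_window(lines, window_seconds).items():
        limit = max(floor, factor * statistics.median(per_ip.values()))
        for ip, n in per_ip.items():
            if n > limit:
                flagged.setdefault(ip, []).append((window, n))
    return flagged


def _clf(ip, t, req, status, size):
    return f'{ip} - - [{t.strftime(TS_FORMAT)}] "{req}" {status} {size}'


def make_sample_log():
    """Constructed data: ten normal visitors (2 requests each) and three
    hypothetical bots sending 40 requests each inside the same minute."""
    base = datetime(2009, 7, 7, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(10):
        for j in range(2):
            lines.append(_clf(f"192.0.2.{i + 1}", base + timedelta(seconds=i * 5 + j),
                              "GET /index.html HTTP/1.1", 200, 5120))
    for i in range(3):
        for j in range(40):
            lines.append(_clf(f"198.51.100.{i + 1}", base + timedelta(seconds=j),
                              "GET / HTTP/1.1", 200, 5120))
    return lines


if __name__ == "__main__":
    for ip, hits in sorted(flag_flooders(make_sample_log()).items()):
        for window, n in hits:
            print(f"{ip}: {n} requests in window starting {window}")
```

The caveat a practitioner should keep in mind follows directly from the article's figures: with a botnet of tens of thousands of machines, each bot can stay under any per-address threshold while the aggregate still overwhelms the server, so per-IP counting must be paired with monitoring of total request rate and server error rate rather than used on its own.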

While hundreds of DDOS attacks occur every day, the one from last month has interesting characteristics. First, it was carried out using a botnet of up to an estimated 180,000 computers that was almost entirely located within South Korea.

"It's very rare to see a botnet of that size so localized," said Steven Adair of The Shadowserver Foundation, a cybercrime watchdog group.

"Large-size botnets do usually take time to build up and a lot of effort from attackers."

And basic questions appear to be unanswered, such as how the attackers were able to infect such a large number of computers in South Korea with the specific code that commandeered the computers to attack a list of Web sites.

The investigation has geopolitical ramifications. South Korea's National Intelligence Service reportedly told the country's lawmakers early last month that it suspected North Korea was involved.

Despite no definitive public evidence linking North Korea to the DDOS attacks, the country's hardline demeanor makes it a convenient actor to blame given its prickly relations with the U.S. and South Korea.

The botnet, which is now inactive, appeared to be custom-built for the attacks. Many times people who want to knock a Web site offline will rent time on a botnet from its controller, known as a botnet herder, paying a small fee per machine, such as US$0.20. Botnets can also be used for other Internet activity, such as sending spam.

Analysts do know that the computers comprising the botnet had been infected with a variation of MyDoom, a piece of malicious software that repeatedly mails itself out to other computers once it has infected a PC.

MyDoom debuted with devastating consequences in 2004, becoming the fastest spreading e-mail worm in history. It is now routinely cleansed from PCs that are running antivirus software, though many computers don't have such protective software installed.

The MyDoom code has been called amateurish, but it was nonetheless effective. The command and control structure for delivering instructions to computers infected with MyDoom used eight main servers that were scattered around the world. But there also was a labyrinthine group of subordinate command and control servers that made it more difficult to trace.

"It is difficult to find the real attacker," said Sang-keun Jang, a virus analyst and security engineer with the security company Hauri, based in Seoul.

IP (Internet Protocol) addresses -- which at most can identify approximately where a computer is plugged in on a network but not its precise location or who is operating the computer -- only give investigators so much information to go on.

Open Wi-Fi hotspots can allow an attacker to change IP addresses frequently, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, a nonprofit research institute.

"Anonymous attacks are going to be a fact of life," Borg said. "That has big policy implications. If you can't attribute quickly and with confidence, then most strategies based on deterrence are no longer viable. There's a big revolution that is already under way and needs to be carried out in our defense thinking."

For the South Korea-U.S. DDOS attacks, one security company is taking the approach of following the money. Many DDOS attacks are actually paid transactions, and where there is money, there is some trail.

"Going after IP addresses is not really helpful," said Max Becker, CTO of Ultrascan Knowledge Process Outsourcing, a subsidiary of fraud investigation firm Ultrascan.

"What we are trying to do is go after the people who set up and pay for these kinds of attacks."

Ultrascan has a network of informants who are close to organized criminal gangs in Asia, many of which are involved in cybercrime, said Frank Engelsman, an investigator with Ultrascan based in the Netherlands.

One question is whether it could be proved a criminal group had been paid by North Korea to carry out the attacks, Engelsman said.

That could take a lot of investigative work. But it may be easier than that.

Cybercriminals make mistakes, such as earlier this year when researchers uncovered a global spying network called "GhostNet" that infected computers belonging to Tibetan nongovernmental organizations, the private office of the Dalai Lama and embassies of more than a dozen countries.

A Google search by researcher Nart Villeneuve turned up some of the most damning evidence -- an unencrypted server indexed by the search engine.

From spelling mistakes, to e-mail addresses to coding errors, attackers can leave clues that could turn a cold trail hot.

"You know where the mistakes are likely to be made," said Steve Santorelli, director of global outreach for Team Cymru, a nonprofit Internet security research firm. "You can turn over the right rocks quickly."

And Santorelli added: "Google doesn't forget anything."


Jeremy Kirk

IDG News Service