McAfee: South Korea botnet self-destructed after DDoS

South Korean and US military websites were struck by a hit-and-run distributed denial-of-service attack that self-destructed after 10 days, according to security company McAfee.

Read this

Anonymous and DDoS: I predict a riot

Read more

The attack, which began on 4 March, 2011 and continued for 10 days, was launched from a network of compromised computers in South Korea. Once the attack ceased, the bots destroyed the host operating systems, forcing users to reinstall Windows.

"After the DDoS, the malware wiped the master boot record, creating extra problems for civilian users, wrecking the botnet and voluntarily destroying the infected machines' [operating systems]," McAfee researcher Georg Wicherski told ZDNet UK on Wednesday.

Botnets are normally preserved by their operators — the compromised computers can often be repurposed, and used to generate revenue.

While the aim of the attacks was simply to bludgeon South Korean military, banking and government websites, the methodology used was complex.

The botnet command and control servers were arranged in multiple tiers according to a McAfee report (PDF) issued on Wednesday, while commands were sent to the bots in the form of encrypted binaries. A number of different encryption ciphers were used, including the US government standard AES, throughout the files.

"It's not really necessary to use such a strong algorithm unless you want to delay analysis for as long as possible," said Wicherski.

North Korea

The attacks had significant similarities to DDoS attacks launched against South Korea in 2009, McAfee said in the report. Both the 2009 and 2011 attacks may have been launched by North Korea as a test of the South Korean response time, and as a show of strength, said Wicherski.

"South Korea took some time to mitigate the attacks," said Wicherski. "Another possibility was psychological warfare — frightening the South Korean population by saying 'Yes, we have the ability to take down your military websites' — although it was just the public-facing webservers that were attacked."

Wicherski added that the attack was "very likely" to have been launched by North Korea, and that the codebase was the same in both the 2009 and 2011 attacks.

McAfee researcher Dmitri Alperovitch told ZDNet UK on Thursday that attack methodologies were similar for the two attacks.

"There are intent-based indications that [North Korea] is the most likely suspect, and we were also able to link with 95-percent confidence that the 2009 and 2011 events were connected, and perpetrated by the same actor," said Alperovitch.

Governments are becoming increasingly interested in cyberattacks, cybercrime and espionage. On Tuesday, the UK government gave its backing to an initiative called the International Cyber Security Protection Alliance (Icspa), which seeks to train police forces to handle high-tech crime and bring closer international co-operation on cybercrime.