Details Emerge In U.S. Cyber Attacks

Malware that targeted Web sites of The White House, Department of Homeland Security, the FAA, and others appears to be a MyDoom variant.

J. Nicholas Hoover, Senior Editor, InformationWeek Government

July 8, 2009


The distributed denial of service (DDOS) attack that has hit more than two dozen United States and South Korean government agencies and companies since the weekend does not make use of some of the latest developments in malware and was likely developed for this specific attack, according to researchers in possession of the malware source code.

The attack, which attempts to flood Web servers with initial requests to connect, temporarily took down several federal government Web sites in the United States and Korea over the past few days, though most are back online.

The targets, according to a list compiled by Verisign iDefense, include the Web sites of The White House, the Department of Homeland Security, the Department of Defense and the Federal Aviation Administration as well as The New York Stock Exchange, NASDAQ, and The Washington Post.

Several agencies, including two not on Verisign's list of 24 targets, confirmed to InformationWeek Government that they had been under attack. The Department of Treasury said it has experienced denial of service attacks over the past few days. The Department of Transportation, meanwhile, said it has been "experiencing network incidents" since the weekend and is cooperating with the United States Computer Emergency Response Team (US-CERT), one of the parties working to mitigate the attacks.

"US-CERT has issued a notice to federal departments and agencies, as well as other partner organizations, on this activity and advised them of steps to take to help mitigate against such attacks," a Department of Homeland Security spokeswoman said in an e-mailed statement. "We see attacks on federal networks every day, and measures in place have minimized the impact to federal websites."

Cybersecurity has become an increasingly high priority for the federal government, and President Barack Obama recently laid out plans to appoint a new high-level cybersecurity coordinator. Secretary of Defense Robert Gates recently said that the military had spent more than $100 million over six months responding to cyber attacks.

DDOS attacks have targeted the private sector for years and many companies have taken protective measures, but recent cyber attacks on Estonia and Georgia as well as this one could portend an increase in politically motivated attacks.

"It's no longer hackers defacing Web sites to become famous," says Phil Neray, VP of strategy at database security company Guardium. "It's political cyberterrorism, which is a very serious threat." Organizations can take several steps to blunt the effectiveness of DDOS attacks, including isolating and blocking offending IP addresses, distributing network traffic across multiple network connections and network devices in order to dilute attack traffic, buying DDOS protection services from cybersecurity vendors, and developing and carrying out detailed response plans.
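The first of those steps, isolating and blocking offending sources, depends on telling attack traffic apart from legitimate visitors. The article describes the attack as a flood of initial requests to connect, so an added example (not from the article or any vendor named in it) flags sources whose connection attempts in a short window rarely complete a handshake. The log format, window size and thresholds are assumptions for illustration.

```python
# Added example: detect sources flooding a server with connection attempts
# that never complete, so they can be isolated and blocked.
from collections import defaultdict

# Constructed sample log, one event per line: "<epoch_seconds> <src_ip> <event>"
# where event is SYN (initial request to connect) or ESTABLISHED (handshake done).
SAMPLE_LOG = """\
1000 203.0.113.5 SYN
1000 203.0.113.5 ESTABLISHED
1001 198.51.100.7 SYN
1001 198.51.100.7 SYN
1001 198.51.100.7 SYN
1002 198.51.100.7 SYN
1002 198.51.100.7 SYN
1002 198.51.100.7 SYN
1003 203.0.113.5 SYN
1003 203.0.113.5 ESTABLISHED
1004 192.0.2.9 SYN
1005 192.0.2.9 ESTABLISHED
"""


def parse_events(text):
    """Parse log lines into (timestamp, ip, kind); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        events.append((int(parts[0]), parts[1], parts[2]))
    return events


def half_open_sources(events, window=5, min_syn=5, min_ratio=0.8):
    """Return {ip: (syn, established)} for sources that, within one
    `window`-second bucket, sent at least `min_syn` connection requests of
    which a share >= `min_ratio` never reached ESTABLISHED."""
    counts = defaultdict(lambda: [0, 0])  # (ip, bucket) -> [syn, established]
    for ts, ip, kind in events:
        key = (ip, ts // window)
        if kind == "SYN":
            counts[key][0] += 1
        elif kind == "ESTABLISHED":
            counts[key][1] += 1
    flagged = {}
    for (ip, _bucket), (syn, est) in counts.items():
        if syn >= min_syn and (syn - est) / syn >= min_ratio:
            flagged[ip] = (syn, est)
    return flagged


def block_list(text):
    """Sorted list of source IPs that a firewall rule should isolate."""
    return sorted(half_open_sources(parse_events(text)))
```

Sources that complete their handshakes, like 203.0.113.5 above, stay off the list even when they connect repeatedly; only a source whose requests pile up without completing is flagged.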

"It's nothing we haven't been talking about," said Dave Marcus, director of security research for McAfee's Avert Labs. "It's something that we've been seeing in the private sector for years. If nothing else, it serves as a wake-up call."

Though several of the Web sites under attack experienced some downtime, many of them were back online by Wednesday. Web sites for the Korean president, legislature, Ministry of Foreign Affairs, and Ministry of Defense were reportedly all offline as late as Wednesday, but this reporter was able to reach all but the Ministry of Defense site by Wednesday morning Eastern Daylight Time.

The Web site for the Federal Trade Commission was down most of Monday and experienced problems on Tuesday, but a spokesman was unable to say whether this was a result of the DDOS attack.

According to reports by the Associated Press and Korean news agency Yonhap, South Korean government officials believe the attacks have been carried out by North Korean or pro-North Korean entities. Researchers say it is unclear whether this is actually the case, and that it would be tough to prove without detailed forensic analysis.

Malware Bears Marks Of 'Novice' Writer

Researchers also say that the botnet does not take advantage of some of the latest developments in malware. For example, the malware doesn't include any anti-virus evasion techniques, which are commonly found in today's malware. To Joe Stewart, director of malware research for SecureWorks' counter-threat unit, that's a sign that the person or group who developed this attack was a novice in writing malware.

Verisign and McAfee say the versions they have tested in their labs do not appear to be able to self-update to receive new targets, but SecureWorks says it has proven that capability is indeed there, and that the malware uses "rudimentary" encryption to receive updates.

In that case, analyzing network connections during those updates in pursuit of the hackers is likely of little use, Stewart said, because the hacker could easily mask those home IP addresses by setting up proxies to make them appear as if they were anywhere in the world.

If the number of targets is increasing, the attacker is also limiting the effectiveness of the attack by spreading the botnet thinner, so that fewer requests are available to be sent to each target. "They're diluting their attack, so it seems the purpose here is really to get attention rather than taking all those sites down," Stewart said.

Marcus also says that the malware was likely designed with this specific attack in mind, though for a different reason: it is "monolithic as opposed to modular, and things are hard-coded into it," he says, which makes it less flexible for long-term development and evolution.

Some of the initial research has suggested that the malware may be a variant of or share some underlying code with MyDoom, a worm that spread quickly via e-mail more than five years ago, in early 2004. Several virus detection mechanisms detect the malware as a MyDoom variant, and both Verisign iDefense and McAfee say the malware is nothing more than a MyDoom variant.
