Details Emerge In U.S. Cyber Attacks

Malware that targeted Web sites of The White House, Department of Homeland Security, the FAA, and others appears to be a MyDoom variant.
Organizations can take several steps to reduce the effectiveness of DDOS attacks: isolating and blocking offending IP addresses, distributing network traffic across multiple network connections and devices to dilute attack traffic, buying DDOS protection services from cybersecurity vendors, and developing and carrying out detailed response plans.
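The first of those steps, isolating and blocking offending sources, starts with finding them in the server's own logs. The following is an added example, not code from the article or from any vendor quoted in it: it parses constructed Common Log Format lines (the IP addresses, the 08/Jul/2009 timestamps and the 10-second window / 20-request threshold are all assumed sample values), keeps a sliding per-source window, reports the sources whose request rate exceeds the threshold, and renders them as iptables drop rules an operator could review before applying.

```python
"""
Added example: per-source request-rate detection over web server access logs,
the detection step behind "isolating and blocking offending IP addresses".
Sample log lines below are constructed; nothing here comes from the article.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Apache/nginx Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, datetime) for a well-formed CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_offenders(lines, window_seconds=10, threshold=20):
    """
    Slide a per-IP window over the log and return {ip: peak_requests_in_window}
    for every source that exceeded `threshold` requests in any `window_seconds`
    span. Lines are assumed to be in chronological order, as a live log is.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)      # ip -> highest in-window count seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:       # skip malformed lines instead of crashing
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop timestamps that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def block_rules(offenders):
    """Render offending sources as iptables drop rules for operator review."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


# --- constructed sample log (assumed values, documentation IP ranges) ---
def _clf(ip, second, path):
    return f'{ip} - - [08/Jul/2009:10:15:{second:02d} -0400] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LINES = (
    # flood source: 6 requests per second for 10 seconds = 60 requests
    [_clf("203.0.113.7", s, "/") for s in range(10) for _ in range(6)]
    # ordinary client: one request every two seconds
    + [_clf("198.51.100.5", s, "/index.html") for s in range(0, 10, 2)]
    # a malformed line, to show the parser tolerates log corruption
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LINES)
    for ip, n in offenders.items():
        print(f"{ip}: {n} requests in a 10s window")
    for rule in block_rules(offenders):
        print(rule)
```

In practice the threshold is tuned against the site's normal traffic, and rules are fed to an edge firewall or upstream provider rather than applied on the web server itself, which is exactly the "distributing traffic" and "protection services" steps the paragraph lists.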

"It's nothing we haven't been talking about," said Dave Marcus, director of security research for McAfee's Avert Labs. "It's something that we've been seeing in the private sector for years. If nothing else, it serves as a wake-up call."

Though several of the Web sites under attack experienced some downtime, many of them were back online by Wednesday. Web sites for the Korean president, legislature, Ministry of Foreign Affairs, and Ministry of Defense were reportedly all offline as late as Wednesday, but this reporter was able to reach all but the Ministry of Defense site by Wednesday morning Eastern Daylight Time.

The Web site for the Federal Trade Commission was down most of Monday and experienced problems on Tuesday, but a spokesman was unable to say whether this was a result of the DDOS attack.

According to reports by the Associated Press and Korean news agency Yonhap, South Korean government officials believe the attacks have been carried out by North Korean or pro-North Korean entities. Researchers say it is unclear if this is actually the case, and would be tough to prove without detailed forensic analysis.

Malware Bears Marks Of 'Novice' Writer

Researchers also say that the botnet does not take advantage of some of the latest developments in malware. For example, the malware doesn't include any anti-virus evasion techniques, which are commonly found in today's malware. To Joe Stewart, director of malware research for SecureWorks' counter-threat unit, that's a sign that the person or group who developed this attack was a novice in writing malware.

Verisign and McAfee say the versions they have tested in their labs do not appear to be able to self-update to receive new targets, but SecureWorks says it has proven that capability is indeed there, and that the malware uses "rudimentary" encryption to receive updates.

In that case, analyzing network connections during those updates in pursuit of the hackers is likely of little use, Stewart said, because the hacker could easily mask those home IP addresses by setting up proxies to make them appear as if they were anywhere in the world.

If the number of targets is increasing, the attacker is also limiting the effectiveness of the attack by spreading the botnet thinner, so that fewer requests are available to be sent to each target. "They're diluting their attack, so it seems the purpose here is really to get attention rather than taking all those sites down," Stewart said.

Marcus also says that the malware was likely designed with this specific attack in mind, though for a different reason: it is "monolithic as opposed to modular, and things are hard-coded into it," he says, which makes it less flexible for long-term development and evolution.

Some of the initial research has suggested that the malware may be a variant of or share some underlying code with MyDoom, a worm that spread quickly via e-mail more than five years ago, in early 2004. Several virus detection mechanisms detect the malware as a MyDoom variant, and both Verisign iDefense and McAfee say the malware is nothing more than a MyDoom variant.
