In association with heise online

15 July 2009, 12:00

DDoS attacks on South Korea and USA originated in the UK

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The South Korean secret service has blamed North Korea and its 'hacker army' for three waves of DDoS attacks on US and South Korean government and company servers. The botnet of zombie computers, of which 20,000 alone were reported to be located inside South Korea, were not just used for carrying out the DDoS attacks, but also to spread the MyDoom trojan, programmed to delete the host computer's hard drive at a specific time – although erasure only occured in a few cases.

No specific evidence that the attacks were connected with North Korea has been found. Experts from internet security organisation Bach Khoa Internetwork Security (Bkis), which is based at Hanoi University of Technology in Vietnam and is a member of the Asian Pacific Computer Emergency Response Team (ACERT), now claim to have succeeded in hacking two of the eight command and control servers that control the botnet.

This has reportedly enabled them to determine that the IP address of the master server, which is running Windows Server 2003, is and that it is located in the UK. The server IP address has been passed on to KrCERT and US-CERT in order to try to track down the owner. The fact that the master server is located here does not mean that the attackers are from the UK. The perpetrators may have hacked the server in order to use it for the attacks.

Experts from Bkis have reportedly identified the master server behind the attacks.
Zoom Experts from Bkis have reportedly identified the master server behind the attacks.
Source: Bkis

The computer experts also determined the number of zombies being controlled by the eight servers. Initial reports suggested a global botnet made up of up to 60,000 computers, but the actual number in fact proved to be much higher – 166,908 computers located in 74 countries, with the largest numbers found in South Korea, the US, China and Japan.

South Korea's Communications Commission (KCC) has in principle confirmed the Vietnamese experts' analysis. The commission has stated that it is talking to the British government about identifying the source of the attacks. The KCC also points to some inconsistencies with its own analysis, which showed that the zombie computers were working autonomously and were not controlled by a C&C server.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit