DDoS attacks with zombie computers – 'North Korea's powerful hacker army'?
It is still not clear who is behind the DDoS attacks against South Korean and US government websites over the last few days. The NIS, South Korea's secret service agency, has reported that the co-ordinated attacks, using a botnet consisting of tens of thousands of computers, can be traced back to 86 IP addresses from 16 different countries, including Germany, Austria, Georgia, Japan, China and the USA. North Korea is notably absent from this list. Access to these computers from South Korea has been blocked.
In view of heightening tensions on the Korean peninsula, the NIS suspects North Korea of being behind the attacks, although it has not been able to present any evidence to support this suspicion. In May, secret service staff reiterated their view that North Korea has put together a cyber-warfare unit composed of 100 or more hackers. They say this unit attempts to hack into South Korean and US websites in order to steal information. However, this is a claim they have been making for several years. The Chosun Ilbo newspaper, which has also been targeted in the attacks, speaks of "North Korea's powerful hacker army". Prime Minister Han Seung-soo described the events as "an attack against the national system and a provocation threatening national security".
The opposition has meanwhile accused the government of seeking a scapegoat in blaming North Korea. Some also see a connection with the fact that in late June, South Korea, following a similar announcement from the Pentagon, announced its intention to enhance its capabilities for waging and defending against cyber-warfare and plans to create its own cyber-warfare command.
Yesterday (Thursday), a third wave of attacks took place, aimed primarily at South Korean websites, including the National Assembly, the Defence Ministry, Kookmin Bank, the Chosun Ilbo newspaper and a number of online portals. Almost 20,000 computers are reported to be infected and acting as zombies in South Korea itself.
The Korea Information Security Agency has stated that the trojan installed on these computers, a version of the Mydoom worm, also contains a program which deletes data on infected computers. To date, data is known to have been deleted from 96 computers, although the authorities are assuming that the actual number is higher. According to the KCC, the program, which is installed on more than 20,000 computers, is expected to start deleting information from hard drives today. However, since access to the 86 servers from which the malware is copied has been blocked, they are hoping that the damage will be limited. They are also confident that there will be no fourth wave of attacks. The government is urging Koreans to better protect their computers. Programs for deleting the trojan are available from, among others, Hauri and Ahnlab.
According to Joe Stewart of SecureWorks, the program downloaded by the trojan will overwrite infected computers' hard drives with the message "memory of the independence day" and as many letter 'u's as are required to delete all data.
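As an added forensic triage example (not code from the article or from SecureWorks), the following checks a raw disk image for the overwrite pattern described above: the message followed by a long run of the letter 'u'. The exact on-disk layout, the 'u'-run threshold and the sample image are assumptions constructed for illustration.

```python
# Added example: recognise the wiper's overwrite pattern in a disk image.
# Assumptions: the marker text appears as in the article (case ignored),
# the fill byte is ASCII 'u' (0x75), and 512-byte sectors.
import re

WIPER_MARKER = b"memory of the independence day"
MIN_U_RUN = 64          # assumption: shortest 'u' run treated as wiper fill
SECTOR = 512


def find_wiper_pattern(data: bytes, min_u_run: int = MIN_U_RUN):
    """Return (offset, u_run_length) when the marker followed by at least
    min_u_run 'u' bytes occurs in data, otherwise None."""
    pattern = re.compile(re.escape(WIPER_MARKER) + rb"u{%d,}" % min_u_run,
                         re.IGNORECASE)
    m = pattern.search(data)
    if m is None:
        return None
    run_len = m.end() - (m.start() + len(WIPER_MARKER))
    return m.start(), run_len


def count_fill_sectors(data: bytes, sector_size: int = SECTOR) -> int:
    """Count sectors consisting entirely of 'u' bytes, a rough measure of
    how far the overwrite progressed beyond the marker sector."""
    fill = b"u" * sector_size
    return sum(1 for i in range(0, len(data) - sector_size + 1, sector_size)
               if data[i:i + sector_size] == fill)


def triage_image(path: str, head_bytes: int = 1 << 20) -> dict:
    """Read the first head_bytes of an image file and summarise findings."""
    with open(path, "rb") as fh:
        head = fh.read(head_bytes)
    hit = find_wiper_pattern(head)
    return {"marker": hit, "fill_sectors": count_fill_sectors(head)}


# Constructed sample: one marker sector, three fully overwritten sectors,
# then one untouched (zeroed) sector. Not real evidence.
SAMPLE_WIPED_SECTOR = (b"\x00" * 32 + b"Memory of the Independence Day"
                       + b"u" * 450)           # exactly 512 bytes
SAMPLE_IMAGE = SAMPLE_WIPED_SECTOR + b"u" * (SECTOR * 3) + b"\x00" * SECTOR
SAMPLE_CLEAN = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 500 + b"uu"

if __name__ == "__main__":
    print(find_wiper_pattern(SAMPLE_WIPED_SECTOR), count_fill_sectors(SAMPLE_IMAGE))
```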