July US and South Korea DDOS Attacks

Saturday, July 11, 2009

A full week has passed since the start of a massive DDOS (Distributed Denial of Service) attack on US Government, US commercial, South Korean Government, and South Korean commercial websites. Unfortunately, very little information has been disclosed to the public on this matter, and this is my attempt to gather the publicly available information on the attack in one central location for your reading and information pleasure.

Timeline and Targets
On July 4, 2009, Independence Day in the United States, it is believed that an unknown botnet began attacking a predefined set of targets, all of which were located in the United States:
evisaforms.state.gov
faa.gov
finance.yahoo.com
travel.state.gov
whitehouse.gov
www.amazon.com
www.defenselink.mil
www.dhs.gov
www.dot.gov
www.faa.gov
www.ftc.gov
www.marketwatch.com
www.nasdaq.com
www.nsa.gov
www.nyse.com
www.site-by-site.com
www.state.gov
www.usauctionslive.com
www.usbank.com
www.usps.gov
www.ustreas.gov
www.voa.gov
www.voanews.com
www.whitehouse.gov
www.yahoo.com
It can be assumed that most of these sites have 24/7 monitoring and became aware of the increased traffic sometime between July 4th and July 5th. Service providers of the above web sites would have been put on alert. A limited number of security professionals were briefed and became involved.

July 7th: The US Government is fully aware of the attack and mitigating it. Understanding of the attack is well underway, and it is possible to filter and identify attacking IPs. An estimated 50,000 suspicious IPs had been identified. The general public is still not aware of the attacks; the US Government and the security professionals involved with mitigation seem to be the only people aware of it.

July 7th: The configuration file on the botnet changed to target these sites:
banking.nonghyup.com
blog.naver.com
ebank.keb.co.kr
ezbank.shinhan.com
finance.yahoo.com
mail.daum.net
mail.naver.com
mail.paran.com
www.ahnlab.com
www.altools.co.kr
www.assembly.go.kr
www.auction.co.kr
www.chosun.com
www.defenselink.mil
www.dhs.gov
www.egov.go.kr
www.faa.gov
www.hanabank.com
www.hannara.or.kr
www.ibk.co.kr
www.kbstar.com
www.mnd.go.kr
www.mofat.go.kr
www.nasdaq.com
www.ncsc.go.kr
www.nyse.com
www.president.go.kr
www.state.gov
www.usauctionslive.com
www.usbank.com
www.usfk.mil
www.ustreas.gov
www.voanews.com
www.washingtonpost.com
www.whitehouse.gov
www.wooribank.com
July 8th: Reports start surfacing in the media about the DDOS attack on the US and South Korea. The media and public became aware of the DDOS after the configuration change in the botnet, as South Korean sites and more heavily visited sites began to be targeted and service was interrupted.

July 8th and 9th: Security professionals get their hands on the malware code for the bots and begin reverse engineering and analyzing the attack in more depth. The malware is identified as Win-Trojan/Agent.67072.DL.

July 10th: The malware on the bots activates its self-destruct mechanism. When the system date is July 10, 2009, key files are deleted and the malware destroys the PC's Master Boot Record, rendering the bot and the machine unusable.

July 11th: Reports on the DDOS begin surfacing from security professionals, as it is believed the attacks are over and service has been restored to all targeted sites.

Malware
The malware has been obtained by security experts and analyzed. It targets Windows machines and appears to be related to the MyDoom source code of 2003 and 2004. Some of the files identified for this attack are:
msiexec1.exe
pxdrv.nls
wmiconf.dll
wmcfg.exe
wversion.exe
mstimer.dll
perfvmr.dll
flash.gif
win.ini
Once msiexec1.exe runs on the victim machine, it will attempt to call home to these three IP addresses:
213.23.243.210:443
213.33.116.41:53
216.199.83.203:80
Once the victim machine calls home, it obtains updated information and becomes a bot. Once it is a bot, a single user or group of people can control the botnet and make the machines do malicious things, like the DDOS on certain sites that we saw this week. Botnets are common and there is a whole underground economy for them. It is very strange, however (and still being investigated), that this botnet came out of nowhere, attacked for a week, and has now probably completely self-destructed, leaving computer users without a working system. For a full malware analysis take a look at Sang-Keun Jang's analysis or Ahnlab's malware report.

The DDOS Attack
A DDOS, or Distributed Denial of Service attack, is orchestrated by multiple systems attacking a single host to render its services unavailable. For a more in-depth explanation please visit US-CERT. The DDOS methods used for this attack are neither cutting edge nor anything new. Four different types of DDOS were seen during the attack period:
  • Flood to port UDP-80: UDP traffic to port 80 is generally rare and low in volume, so detecting this activity at high volumes would suggest suspicious activity is occurring.
  • SYN-Flooding to port TCP-80: This type of traffic would be most easily identified by its volume. The packets appeared to be OS-stack-dependent and not "made" by a packet injector or similar program.
  • HTTP GET request flood to /: this traffic may look legitimate except for the volume. HTTP 302 redirects can detect bots, as they will not follow the redirect.
  • ICMP Echo Request flood and IP protocol 0 flood: these attacks can be source-spoofed and rate limited.
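As an added example (not from the original post, and not the tooling of any of the analysts cited), the following Python script applies the four detection ideas above, UDP-80 volume per source, SYNs that are never followed by an ACK, HTTP clients that ignore a 302 redirect, and aggregate ICMP echo rate, to a small set of constructed flow and web-log records. The record layout, the addresses, the redirect target /home and the thresholds are all assumptions made for the example, not values from the attack.

```python
from collections import Counter

# Constructed sample records (not capture data from the 2009 attack).
# Layout (an assumption for this example): (second, src_ip, proto, dst_port, detail)
#   tcp  : detail is the flag string, "S" for a bare SYN, "A" for an ACK
#   http : detail is "GET <path> -> <status>"
#   udp  : detail unused
#   icmp : detail is "echo" for an Echo Request
RECORDS = [
    # a normal visitor: completes the handshake, requests /, follows the 302 to /home
    (0, "10.0.0.5", "tcp", 80, "S"),
    (0, "10.0.0.5", "tcp", 80, "A"),
    (0, "10.0.0.5", "http", 80, "GET / -> 302"),
    (1, "10.0.0.5", "http", 80, "GET /home -> 200"),
    (2, "10.0.0.5", "icmp", 0, "echo"),
    (3, "10.0.0.5", "udp", 80, ""),
]
# a bot (constructed address): 60 seconds of each flood type described in the post
BOT = "10.0.9.9"
RECORDS += [(t, BOT, "udp", 80, "") for t in range(60)]                # UDP to port 80
RECORDS += [(t, BOT, "tcp", 80, "S") for t in range(60)]               # SYNs never completed
RECORDS += [(t, BOT, "http", 80, "GET / -> 302") for t in range(60)]   # never requests /home
RECORDS += [(i // 40, BOT, "icmp", 0, "echo") for i in range(60 * 40)] # 40 echo requests/s


def udp80_sources(records, per_source_threshold=20):
    """UDP to port 80 is normally rare, so any source sending more than the
    threshold in the observed window is flagged."""
    counts = Counter(src for _, src, proto, dport, _ in records
                     if proto == "udp" and dport == 80)
    return {src: n for src, n in counts.items() if n > per_source_threshold}


def syn_flood_sources(records, min_syns=20, max_completion_ratio=0.1):
    """Flag sources whose SYNs to port 80 are almost never followed by an ACK
    (half-open connections): flood behaviour rather than many real visits."""
    syns, acks = Counter(), Counter()
    for _, src, proto, dport, flags in records:
        if proto == "tcp" and dport == 80:
            if flags == "S":
                syns[src] += 1
            elif flags == "A":
                acks[src] += 1
    return {src: n for src, n in syns.items()
            if n >= min_syns and acks[src] / n <= max_completion_ratio}


def redirect_ignoring_clients(records, redirect_target="/home"):
    """Clients that received a 302 for GET / but never requested the redirect
    target. A browser follows the redirect; the GET-flood bots do not."""
    got_302, followed = set(), set()
    for _, src, proto, _, detail in records:
        if proto != "http":
            continue
        request, status = detail.split(" -> ")
        path = request.split(" ", 1)[1]
        if status == "302":
            got_302.add(src)
        elif path == redirect_target:
            followed.add(src)
    return sorted(got_302 - followed)


def icmp_echo_rate(records, per_second_threshold=10):
    """Echo Request rate per second. Sources may be spoofed, so this keys on
    the aggregate rate, not the source, and returns the seconds over threshold."""
    per_sec = Counter(t for t, _, proto, _, detail in records
                      if proto == "icmp" and detail == "echo")
    return {t: n for t, n in per_sec.items() if n > per_second_threshold}


def summarize(records):
    """Run all four heuristics and return their findings in one dict."""
    return {
        "udp80": udp80_sources(records),
        "syn_flood": syn_flood_sources(records),
        "redirect_ignoring": redirect_ignoring_clients(records),
        "icmp_seconds_over_rate": sorted(icmp_echo_rate(records)),
    }


if __name__ == "__main__":
    for name, finding in summarize(RECORDS).items():
        print(f"{name}: {finding}")
```

The SYN and UDP checks are per-source because the post notes those packets came from real OS stacks, so the source addresses are meaningful; the ICMP check deliberately ignores the source, since the post says those floods can be spoofed, and a per-second rate is the quantity you would feed to a rate limiter. The redirect check is the cheapest of the four to deploy: a 302 on / costs a legitimate visitor one extra round trip and leaves a clear trail of clients that never came back for the target page.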
The Botnet
The Botnet used for the DDOS attack has been identified as having an estimated 130,000 - 200,000 active bots. The majority of these IPs resolve to South Korean sources from a variety of ISPs in the region. A rough estimate suggests 90-95% of bots are in South Korea with the remaining 5-10% around the world with a few identified in the United States.
The infection point has not been fully agreed on by security experts; however, some assumptions can be made. For a botnet to be so geographically centralized in South Korea, it is believed the malware must have spread through Korean-language sites, emails, or drive-by exploits. This has not been confirmed as of today (July 11, 2009).

Traffic
Observing and correctly determining the bandwidth rate of such an attack is difficult. However, on average, it is believed that between 50,000 and 200,000 packets per second were being transmitted during the attack, with bandwidth rates between 25Mbps and 50Mbps. Some sources suggest up to 25Gbps bandwidth rates at peaks. These numbers would be the total traffic hitting each site during the attack periods. Larger commercial sites such as Amazon and Yahoo most likely saw the same traffic and would not have gone down, as their infrastructure is built to support such spikes in traffic.

The Damage
Fortunately, the US government does not rely on its publicly facing websites to operate, and neither, it is believed, does the South Korean government. Targeted sites that do rely on their publicly facing websites do not seem to have been affected: I did not see or hear of Amazon or Yahoo going down. These sites rely on their websites for business and their infrastructure is more than ready to take on a DDOS of this caliber. Sites that were reported down were mostly in South Korea, but some US sites were affected, among them the Washington Post and the FTC. Upon further research, some of these publicly facing government sites are hosted in smaller data centers with only one ISP providing service. Perhaps this is a wake-up call to those entities to get those sites moved to more reliable data centers.

Analysis and Opinion
As evidenced by the significant start date of this attack and the sites involved, it may be concluded that this attack was directed against the US Government and the South Korean government. Due to the current relations with North Korea it is easy to point fingers and blame them; however, there is NO evidence that it was planned or orchestrated by North Korea. Sure, they tested 6 short-range missiles on July 4th to anger the US, but that does not mean they are starting some sort of cyberwar. If anything, this attack may be considered CyberTerrorism.
Furthermore, security experts are still researching who was behind this attack, how the malware was spread, and why it self-destructed the way it did. We might never know the answer to some of these questions.

References:
ShadowServer's Steven Adair
HAURI and MaxOverPro.org's Sang-Keun Jang
Ahnlab

If you enjoyed this post follow me on Twitter.

Till next time,
Jorge Orchilles

Comments

One response to “July US and South Korea DDOS Attacks”

Felipe C said...

Very interesting post and summary. Thanks!

July 12, 2009 at 9:58 AM