McAfee researchers analyzed the botnet that launched a 10-day DDoS attack that paralyzed South Korean Websites in March and found it highly sophisticated, resilient and destructive.
North Korea or its
sympathizers were behind the cyber-attacks that paralyzed a handful of South
Korean Websites, including a United States military site earlier this year,
according to McAfee.
The malware behind the
distributed denial of service attacks that crippled South Korean government
sites were highly sophisticated and had numerous capabilities designed to make
it stealthy and resilient, according to an in-depth
analysis released by McAfee
McAfee researchers worked
with representatives from the South Korean and U.S. governments to complete the
analysis, which included details on how the attacks were carried out and why
they were so difficult to defend against.
The attack began March 4
when thousands of computers took part in a distributed denial of service attack
against 14 Websites in South Korea, including government agencies, prominent
businesses and U.S. Forces Korea. The attacks lasted 10 days, after which the
malware was designed to self-destruct, according to McAfee.
Considering the botnet was
, it was "unusually destructive," Georg
, a McAfee security researcher, wrote on the company's blog.
"In fact, it was analogous to bringing a Lamborghini to a go-cart
race," Wicherski said.
The botnet, based in South
Korea, used multiple encryption algorithms, including AES, RS4 and RSA, to
obfuscate numerous parts of the code and configuration, making analysis
challenging, according to Wicherski. Over 40 globally distributed
command-and-control servers in countries such as the U.S., Taiwan, Saudi
Arabia, Russia and India, dynamically updated infected machines in the botnet
with new malware binaries. The botnet had likely infected the machines earlier
with malware, which had lain dormant until the instructions were issued to
launch the DDoS attack, according to McAfee's analysis.
After the attack ended, the
malware deleted and overwrote key files such as the source code and documents
before corrupting the master boot record of the system it was installed on,
rendering the machine unbootable.
"The level of
encryption and obfuscation at all layers of the malware and its distribution
method, as well as the quick follow-on destruction of data and machines,
indicate that one of the key objectives was to impede rapid analysis and
remediation by the Korean authorities," Wicherski said.
McAfee researchers compared
the incident with a similar attack 20 months earlier, on July 4, 2009, against
Korean and U.S. Websites
. The latest attack was "dramatically"
more sophisticated, Wicherski said. The attackers clearly learned from the
earlier incident, as 14 of the South Korean targets remained the same, but all
the U.S.-based sites, including the White House, State Department and the
Federal Trade Commission, were dropped. Wicherski said there was a "95
percent chance" that the same group behind the 2009 attacks committed this
"It was also clear from
our analysis of the code that multiple individuals who may not have been in
close coordination were responsible for developing its various parts,"
The attacks were likely designed
to test South Korea's cyber-defense and response, and may have been "an
armed cyber-reconnaissance operation," Wicherski said. The attackers,
whether they are part of the North Korean military as the South Korean
government claimed or its sympathizers, are likely testing the defenses and
reaction time of the government and civilian networks to a well-organized
attack, Wicherski concluded.
McAfee acknowledged there
was no clear proof that North Korea was behind the attacks.