Researcher: Recent DDoS attack originated in UK not North Korea (Update)
by Steve Ragan - Jul 17 2009, 16:56
Update:
Global Digital Broadcast issued a statement that denies they are the source of the master C&C.
"Our engineers quickly discounted it as coming from a North Korean Government site, as suggested and was tracked back to the source which was on a VPN circuit in Miami," a GDB statement reads.
"As a global delivery platform taking South American content, ingested in Miami and streaming it globally, GDBTV [has] to take anything like this seriously. Our head of development was contacted by Serious Organised Crime Agency who were also expressing the gravitas of the situation...After some investigation it was deemed to be an exploit finder, creating a zombie network DDOS attack, a distributed denial of service. After identifying the VPN circuit that originates at Digital Latin America in Miami, the relevant information was passed to SOCA. The GDBTV network was not breached."
Original article:
Acting on a request for help from the Korean Computer Emergency Response Team (KrCERT), Vietnamese security firm Bach Khoa Internetwork Security (Bkis) has made some interesting discoveries that will upset government officials in the U.S. and South Korea. Namely, North Korea isn't the source of the recent DDoS attacks; the controller was actually a Windows 2003 server in the UK.
It all started during the July 04 holiday. Internet properties owned by South Korean government agencies and private companies started to slow to a crawl, eventually going offline completely.
At the same time, U.S.-based Internet properties such as the Treasury Department, Department of Transportation, the FTC, and the White House, were targeted by a co-ordinated Distributed Denial of Service (DDoS) attack. During the attacks, which were on and off most of last week, government officials in South Korea and the U.S. blamed the DDoS on North Korea, calling it a state-sanctioned cyberattack.
Bkis, a security firm based in Hanoi, examined the variant of the MyDoom malware used to infect the systems that were attacking U.S. and South Korean sites and discovered an interesting pattern. The botnet was controlled by eight C&C (Command and Control) servers, which issued the list of domains to flood with junk packets -- duly sending them offline. The URL lists were sent to bots that connected to a C&C every three minutes, where they would access flash.gif and download new attack orders.
During the analysis of the MyDoom variant, and the link to the eight C&C servers, Bkis discovered one server responsible for controlling everything, a master C&C if you will, and that server is hosted on a 195.90.118.xxx network. According to IP records, the address used by the master server belongs to Global Digital Broadcast in Brighton, which is located in the county of East Sussex in the United Kingdom.
How was it taken over? Research indicates that it is a Windows 2003 box, and considering MyDoom is the major Malware used in the attack, it isn’t beyond belief that it was simply attacked and exploited using any number of methods.
It should be noted that during its research process, Bkis managed to take over two of the eight C&C servers.
“During the past few days, the number of zombies has been estimated to be 50,000 by Symantec and about 20,000 by Government of South Korea. But, by taking control of two C&C servers and analyzing logs on these servers, we count the exact number of zombies that have been querying C&C servers to receive commands. Accordingly, there have been 166,908 zombies from 74 countries around the world that have been used for the attacks,” Bkis reported.
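The two findings above, bots polling a C&C for flash.gif on a three-minute cadence and Bkis counting zombies from the logs of the servers it took over, can be reproduced from ordinary web-server access logs. The script below is an added example, not Bkis's tooling; it uses a constructed Apache-style log with made-up IPs and timestamps, flags clients whose fetch interval clusters around 180 seconds, and counts every distinct client that fetched the order file.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of C&C web-server access-log lines (Apache common log
# format). IPs and timestamps are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2009:10:00:01 +0900] "GET /flash.gif HTTP/1.1" 200 512
10.0.0.7 - - [08/Jul/2009:10:00:40 +0900] "GET /index.html HTTP/1.1" 200 2048
10.0.0.5 - - [08/Jul/2009:10:03:02 +0900] "GET /flash.gif HTTP/1.1" 200 512
10.0.0.9 - - [08/Jul/2009:10:03:15 +0900] "GET /flash.gif HTTP/1.1" 200 512
10.0.0.5 - - [08/Jul/2009:10:06:00 +0900] "GET /flash.gif HTTP/1.1" 200 512
10.0.0.9 - - [08/Jul/2009:10:06:14 +0900] "GET /flash.gif HTTP/1.1" 200 512
10.0.0.9 - - [08/Jul/2009:10:09:16 +0900] "GET /flash.gif HTTP/1.1" 200 512
10.0.0.11 - - [08/Jul/2009:10:09:30 +0900] "GET /flash.gif HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def fetches_by_client(log_text, path="/flash.gif"):
    """Map client IP -> sorted timestamps of successful GETs for the order file."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, req_path, status = m.groups()
        if method == "GET" and req_path == path and status == "200":
            per_ip[ip].append(datetime.strptime(ts, TIME_FMT))
    return {ip: sorted(t) for ip, t in per_ip.items()}

def beaconing_clients(log_text, period=180, tolerance=20, min_hits=3):
    """Return IPs that poll the order file on a regular ~period-second cadence.

    A client needs at least min_hits fetches so that intervals can be measured;
    the median interval must lie within tolerance seconds of the period.
    """
    flagged = []
    for ip, times in fetches_by_client(log_text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance:
            flagged.append(ip)
    return sorted(flagged)

def distinct_zombies(log_text):
    """Count every distinct client that fetched the order file at least once."""
    return len(fetches_by_client(log_text))
```

On the sample, two clients show the three-minute beacon and three distinct clients fetched the file; a single fetch (10.0.0.11) is counted as a zombie but cannot yet be confirmed as beaconing.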
Bkis turned over its research to US-CERT, as well as KrCERT. The information has also been shared with U.S. and South Korean government officials.
The question is, will the research change the minds of the officials who were quick to blame North Korea? Sadly, likely not, as their minds are made up. Some of them are even going so far as to call for a show of force against anyone who would attack the U.S. infrastructure.
The Tech Herald: Have recent cyberstrikes inadvertently kicked off a new Cold War?