The investigation into the attacks against high-profile Web sites in South Korea and the U.S. is a winding, twisty electronic goose chase that may not result in a definitive conclusion on the identity of the attackers.
Computer security experts disagree over the skill level of the DDOS (distributed denial-of-service) attacks, which over the course of a few days in early July caused problems for some of the Web sites targeted, including South Korean banks, U.S. government agencies and media outlets.
The DDOS attack was executed by a botnet, or a group of computers infected with malicious software controlled by a hacker. That malware was programmed to attack the Web sites by bombarding them with page requests that far exceed normal visitor traffic. As a result, some of the weaker sites buckled.
While hundreds of DDOS attacks occur every day, the one from last month has interesting characteristics. First, it was carried out using a botnet of up to an estimated 180,000 computers that was almost entirely located within South Korea.
“It’s very rare to see a botnet of that size so localized,” said Steven Adair of The Shadowserver Foundation, a cybercrime watchdog group. “Large-size botnets do usually take time to build up and a lot of effort from attackers.”
And basic questions appear to be unanswered, such as how the attackers were able to infect such a large number of computers in South Korea with the specific code that commandeered the computers to attack a list of Web sites.
The investigation has geopolitical ramifications. South Korea’s National Intelligence Service reportedly told the country’s lawmakers early last month that it suspected North Korea was involved. Despite no definitive public evidence linking North Korea to the DDOS attacks, the country’s hardline demeanor makes it a convenient actor to blame given its prickly relations with the U.S. and South Korea.
The botnet, which is now inactive, appeared to be custom-built for the attacks. Often, people who want to knock a Web site offline will rent time on a botnet from its controller, known as a botnet herder, paying a small fee per machine, such as US$.20. Botnets can also be used for other Internet activity, such as sending spam.
Analysts do know that the computers comprising the botnet had been infected with a variation of MyDoom, a piece of malicious software that repeatedly mails itself out to other computers once it has infected a PC. MyDoom debuted with devastating consequences in 2004, becoming the fastest spreading e-mail worm in history. It is now routinely cleansed from PCs that are running antivirus software, though many computers don’t have such protective software installed.
The MyDoom code has been called amateurish, but it was nonetheless effective. The command and control structure for delivering instructions to computers infected with MyDoom used eight main servers that were scattered around the world. But there also was a labyrinthine group of subordinate command and control servers that made it more difficult to trace.
“It is difficult to find the real attacker,” said Sang-keun Jang, a virus analyst and security engineer with the security company Hauri, based in Seoul.
IP (Internet Protocol) addresses — which at most can identify approximately where a computer is plugged in on a network but not its precise location or who is operating the computer — only give investigators so much information to go on. Open Wi-Fi hotspots can allow an attacker to change IP addresses frequently, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, a nonprofit research institute.
“Anonymous attacks are going to be a fact of life,” Borg said. “That has big policy implications. If you can’t attribute quickly and with confidence, then most strategies based on deterrence are no longer viable. There’s a big revolution that is already under way and needs to be carried out in our defense thinking.”
For the South Korea-U.S. DDOS attacks, one security company is taking the approach of following the money. Many DDOS attacks are actually paid transactions, and where there is money, there is some trail.
“Going after IP addresses is not really helpful,” said Max Becker, CTO of Ultrascan Knowledge Process Outsourcing, a subsidiary of fraud investigation firm Ultrascan. “What we are trying to do is go after the people who set up and pay for these kinds of attacks.”
Ultrascan has a network of informants who are close to organized criminal gangs in Asia, many of which are involved in cybercrime, said Frank Engelsman, an investigator with Ultrascan based in the Netherlands. One question is whether it could be proved that a criminal group had been paid by North Korea to carry out the attacks, Engelsman said.
That could take a lot of investigative work. But it may be easier than that.
Cybercriminals make mistakes, such as earlier this year when researchers uncovered a global spying network called “GhostNet” that infected computers belonging to Tibetan nongovernmental organizations, the private office of the Dalai Lama and embassies of more than a dozen countries. A Google search by researcher Nart Villeneuve turned up some of the most damning evidence — an unencrypted server indexed by the search engine.
From spelling mistakes to e-mail addresses to coding errors, attackers can leave clues that could turn a cold trail hot.
“You know where the mistakes are likely to be made,” said Steve Santorelli, director of global outreach for Team Cymru, a nonprofit Internet security research firm. “You can turn over the right rocks quickly.”
And Santorelli added: “Google doesn’t forget anything.”