
Is North Korea pwning teh intertubes?

According to Associated Press reports here and here, both US Federal websites and South Korean governmental websites are undergoing constant denial of service attacks, which have effectively removed these sites from the Internet. Affected are the websites for the US Treasury Dept, Federal Trade Commission and Transportation Department.

Further, South Korea reports that the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, Korea Exchange Bank and top Internet portal Naver have undergone DOS attacks over the same period.

The attacks have been sustained over three days, which is unusual for this kind of Internet attack. Network World reports that the list of IP addresses sending out bogus traffic numbers 50,000 and that, according to a quoted security expert, the attack is consuming 10-20 GB of bandwidth per second, ten times the volume of an average DDOS attack.

Although there is no evidence at this time of the attack’s source, the seemingly simultaneous targeting of US and South Korean sites brings to mind the common political enemy of both countries, North Korea. Even though Internet infrastructure in that country is poor, mounting a DDOS attack using a botnet does not consume the attacker’s local bandwidth and doesn’t need widespread local infrastructure.

In a denial-of-service (DOS) attack, a website is targeted with millions of false requests for web pages until the targeted website can no longer respond to legitimate requests, effectively removing that website from service. A plain DOS attack has a single vector – that is, the fake traffic comes from a single IP address or a small range of them, and as such it can be stopped by the targeted web site’s owner blocking all requests that come from the offending addresses.

But the three-day length of the attacks strongly suggests that the attacks are in fact distributed DOS (DDOS) attacks, against which there is no effective defense. Under a DDOS attack, the false requests come from hundreds or thousands of machines physically located all over the world. Because so many machines are the source of the false requests, blocking all of their IP addresses to stem the flow of bogus traffic becomes nearly impossible.
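The distinction drawn above, between a single-vector flood that source-IP blocking can stop and a distributed one that it cannot, can be measured directly from a web server’s access log. The following is an added example, not code from the original post or from any of the parties named in it: it parses Common Log Format lines, counts requests per source address, and reports what share of the traffic the busiest few addresses carry. If a handful of addresses account for nearly all requests, blocking them works; if the top talkers cover only a sliver, the flood is distributed. Both log sets are constructed here from documentation address ranges, and the 80% threshold is an assumption chosen for illustration.

```python
"""Added example (not from the original post): tell a single-source flood,
which IP blocking can stop, from a distributed flood, which it cannot.
All log lines are constructed here; the addresses are documentation ranges."""
import re
from collections import Counter

# Common Log Format: the source IP is the first field on the line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')


def make_log(sources):
    """Build one constructed CLF line per source IP in `sources`."""
    return [
        f'{ip} - - [08/Jul/2009:10:00:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 512'
        for i, ip in enumerate(sources)
    ]


def parse_source_ips(log_lines):
    """Return the source IP of every line that parses as CLF; skip the rest."""
    return [m.group(1) for m in map(LOG_RE.match, log_lines) if m]


def top_talker_coverage(log_lines, top_n=10):
    """Return (share of requests from the top_n source IPs, those IPs with counts).

    Close to 1.0 means a few addresses carry the flood and blocking them works
    (the single-vector case). A small share means the traffic is spread across
    many sources and address blocking cannot keep up.
    """
    counts = Counter(parse_source_ips(log_lines))
    total = sum(counts.values())
    if total == 0:
        return 0.0, []
    top = counts.most_common(top_n)
    return sum(n for _, n in top) / total, top


def classify_flood(log_lines, top_n=10, threshold=0.8):
    """'single-vector' if the top_n sources carry at least `threshold` of the traffic."""
    coverage, _ = top_talker_coverage(log_lines, top_n)
    return "single-vector" if coverage >= threshold else "distributed"


# Constructed scenario 1: 1,000 requests, 950 of them from three addresses.
SINGLE_SOURCE_LOG = make_log(
    ["203.0.113.5"] * 500 + ["203.0.113.6"] * 300 + ["203.0.113.7"] * 150
    + [f"198.51.100.{i}" for i in range(50)]
)

# Constructed scenario 2: 1,000 requests, one each from 1,000 distinct bots.
DISTRIBUTED_LOG = make_log([f"10.{i // 256}.{i % 256}.1" for i in range(1000)])

if __name__ == "__main__":
    for name, log in (("single-source", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG)):
        coverage, top = top_talker_coverage(log)
        print(f"{name}: top-10 sources carry {coverage:.1%} -> {classify_flood(log)}")
        print("  top talkers:", top[:3])
```

Run against a real log, the same `top_talker_coverage` call tells an operator whether an address block list is worth maintaining or whether upstream filtering and capacity are the only levers left, which is the practical meaning of the paragraph above.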

Often, these machines comprise a botnet, a name given to an ad hoc network of machines – personal, work, school – that have had their own security compromised, and which follow instructions from the party that compromised them in the first place.

Large botnets capable of sustained DDOS attacks have been a reality ever since huge numbers of consumer machines around the world, such as those running Microsoft Windows, have been left attached to the Internet full-time over DSL or cable modem connections. An attacker can compromise the security of such a machine and leave upon it a “bot” process, which is software that quietly and invisibly waits for instructions from the controller of the botnet.

Botnets have been sold on the black market, used in DDOS attacks and used to spread worms and viruses. They remain a real feature of the Internet, one that turns consumer ignorance and the Internet’s technical architecture into a potentially devastating weapon that can threaten whatever site it wants, whenever it wants.

UPDATE 1

A post at Comodo.com identifies a list of targeted hosts as well as the Windows malware used in the botnet attack. Additionally, the poster says the IP addresses the attacks are coming from are located inside China. The post reads:

DDOS attack files

filename: msiexec2.exe
size: 33,841 bytes

When msiexec2.exe is executed, it creates the file ‘uregvs.nis’.

There are many target addresses inside the msiexec2.exe code. The following files attack those web sites:

filename: perfvwr.dll
size: 65,536 bytes

filename: wmiconf.dll
size: 67,072 bytes

Some evidence about this attack:

1. The attacker’s IPs came from China.

2. Using a botnet.

3. Using zombie PCs.

4. Spread by the Internet.

5. It changes its code automatically.

6. Addresses can be changed by the attackers.

It has the following target addresses. The following addresses are related to the South Korea government and the USA government. The attacker’s IPs came from China.

[Target addresses]

Some of the websites still can’t be connected to, or are slow.

<Korea>

banking.nonghyup.com – bank

blog.naver.com – portal

ebank.keb.co.kr – bank

ezbank.shinhan.com – bank

mail.naver.com – mail service

www.assembly.go.kr – gov

www.auction.co.kr

www.chosun.com – journal

www.hannara.or.kr – a political party

www.mnd.go.kr – gov

www.mofat.go.kr – gov

www.president.go.kr – gov

www.usfk.mil – US military website in Korea

<USA>

finance.yahoo.com – portal

travel.state.gov – gov

www.amazon.com

www.dhs.gov – gov

www.dot.gov – gov

www.faa.gov – gov

www.ftc.gov – gov

www.nasdaq.com – stocks

www.nsa.gov – gov

www.nyse.com – gov

www.state.gov – gov

www.usbank.com – bank

www.usps.gov – US postal service

www.ustreas.gov – gov

www.voa.gov – Voice of America

www.voanews.com

www.whitehouse.gov – gov

www.yahoo.com – portal

www.washingtonpost.com – journal

www.usauctionslive.com

www.defenselink.mil – military

www.marketwatch.com – stocks

www.site-by-site.com
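The file names and sizes in the quoted post are the kind of indicator a defender would want to sweep hosts for. Below is an added example, not code from the Comodo post or from the original article: a read-only scan that walks a directory tree and reports any file whose name matches one of the reported names, flagging whether its size matches the reported size. Only the names and sizes come from the post; the scanner itself, its output format, and the temporary sample tree it builds for demonstration (filler files of zero bytes, not malware) are constructed here. Because the post itself says the code changes automatically, a name hit with a different size is reported rather than dropped.

```python
"""Added example (not from the Comodo post or the original article): a read-only
scan of a directory tree for the file names and sizes the post reports, with a
constructed sample tree so it can be run offline. Names and sizes are weak
indicators on their own; the post itself says the code changes automatically."""
import os
import tempfile

# Indicators as given in the quoted post (sizes in bytes). uregvs.nis has no
# size in the post, so it is matched by name only.
INDICATORS = {
    "msiexec2.exe": 33841,
    "uregvs.nis": None,
    "perfvwr.dll": 65536,
    "wmiconf.dll": 67072,
}


def scan_for_indicators(root):
    """Walk `root` and return one dict per file whose name matches an indicator.

    Files are never opened or modified. A name hit with a different size is
    still reported, flagged with size_matches=False, because a changed size
    is exactly what self-modifying code would produce.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()
            if key not in INDICATORS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            expected = INDICATORS[key]
            hits.append({
                "path": path,
                "name": key,
                "size": size,
                "size_matches": expected is None or size == expected,
            })
    return hits


def build_constructed_sample():
    """Create a temporary tree of filler files (zero bytes only) for the scanner.

    This stands in for a host; nothing here is malware, just names and sizes.
    """
    root = tempfile.mkdtemp(prefix="ioc_scan_")
    sysdir = os.path.join(root, "Windows", "System32")
    os.makedirs(sysdir)
    samples = {
        os.path.join(sysdir, "msiexec2.exe"): 33841,  # name and size match the post
        os.path.join(sysdir, "wmiconf.dll"): 100,     # name matches, size does not
        os.path.join(sysdir, "msiexec.exe"): 10,      # legitimate Windows name, must not match
        os.path.join(root, "uregvs.nis"): 5,          # dropped file, matched by name only
    }
    for path, size in samples.items():
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    for hit in scan_for_indicators(build_constructed_sample()):
        flag = "" if hit["size_matches"] else "  (size differs from reported value)"
        print(f'{hit["path"]}  {hit["size"]} bytes{flag}')
```

Point `scan_for_indicators` at a real root (for example a mounted image of a suspect Windows volume) instead of the constructed sample; a size mismatch on a name hit is a prompt to hash and examine the file, not a reason to discard the hit.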