Investigation of government DDoS attacks deepens

Share this article:
After much speculation that North Korea was responsible for the cyberattacks against U.S. and South Korean websites, new evidence shows that the attacks trace back to a "master server" in the U.K.

But a cybersecurity expert in the United States warned that before declaring the case closed, it would be wise to consider whether the master server was compromised and controlled by someone else.

Vietnamese security vendor, Bach Khoa Internetwork Security, reported in a blog post on Tuesday that it analyzed a sample of the malware used in the attacks, said to be a variant of the MyDoom worm. The researchers were able to trace the sample, provided by the Korean Computer Emergency Response Team, back to eight command-and-control servers connected to a master server based in the U.K.

By gaining control of two of the eight command-and-control servers, the researchers were able to analyze their logs and find the IP address of the master server they were being controlled by, they said.

“Having located the attacking source in U.K., we believed that it is completely possible to find out the hacker,” Bach Khoa said in its blog post.

But Marcus Sachs, director of the SANS Internet Storm Center, said this does not necessarily mean the attack was launched by someone in the U.K.

“Just because a ‘master' has an IP address registered in the U.K. does not mean that a person in the U.K. is behind it all,” Sachs told in an email Tuesday.

It is possible that whomever is responsible for the attacks is leveraging other compromised machines, located outside of the U.K., to give the master its instructions, Sachs said.

In its analysis, Bach Khoa also found that 166,908 compromised machines from 74 countries were used to launch the attacks. Formerly, cybersecurity researchers believed that up to 60,000 zombies were used in the attack. Most of the offending machines were located in South Korea, the United States and China.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Next Article in News

Sign up to our newsletters


More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.