Mass attacks on government, financial sites continue

An ongoing distributed denial-of-service (DDoS) attack is affecting a number of U.S. and South Korean government websites, financial sites such as those of the New York Stock Exchange and NASDAQ, various military sites and the Washington Post.

The attack may have started during the July 4 weekend, but seemed to have peaked yesterday, Rick Howard, intelligence director for VeriSign iDefense, told SCMagazineUS.com on Wednesday.

One of the hardest hit government sites was at the Federal Trade Commission, but other U.S. government sites have been able to mitigate the effect.

“Most of the U.S. government sites have handled it without too much of a problem,” Howard said. “But there have been problems on the South Korean side.”

The code itself is not new or particularly sophisticated. It seems to be a variant of the MyDoom worm that first hit in 2004.

“We have a copy of the malicious code that is doing it. It is not that exciting in terms of new and interesting things – it's a middle-of-the-road DDoS attack trojan,” Howard said. “There may not even be a command-and-control server involved – the payload may be delivered by email.”

Some security experts estimate that between 30,000 and 60,000 compromised computers are hosting the malware, and the code appears to bundle several different modules.

“The malicious code drops several different components and is composed of many different files,” Luis Corrons, technical director at PandaLabs, told SCMagazineUS.com on Wednesday. “One of the files has a list of URLs to be attacked hard-coded in it – so the attackers are not dynamically configuring the attack.”
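The hard-coded target list Corrons describes is the first thing a responder wants out of a dropped component, because it says which hosts to watch and protect. The following is an added example, not code from this article or from the analysts quoted: it extracts printable ASCII and UTF-16LE strings from a file image and keeps the ones shaped like URLs or hostnames, in file order, with file names such as imported DLLs filtered out. The byte blob is constructed for the demo and the hostnames are placeholders; a list that is packed or encrypted inside the binary will not surface this way and needs unpacking or a memory dump first.

```python
"""Pull hard-coded attack targets (URLs / hostnames) out of a dropped binary.

Added example for static triage of a DDoS component whose target list is
embedded in plaintext. The sample bytes below are constructed for the demo.
"""
import re
from typing import List, Tuple

# Constructed stand-in for a dropped file: PE-like header junk, a plaintext
# ASCII target list, Windows import names, one UTF-16LE target and a
# duplicate entry in different case. Not bytes from any real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"http://www.example-gov.test/\x00\x7f\x01\x02"
    b"https://exchange.example.test/index.html\x00\x00\x00"
    b"www.news.example.test\x00"
    b"LoadLibraryA\x00kernel32.dll\x00\xcc\xcc"
    + "http://bank.example.test/".encode("utf-16-le")
    + b"\x00\x00WWW.NEWS.EXAMPLE.TEST\x00\x90\x90"
)

# Runs of at least six printable ASCII bytes, and the same runs encoded as
# UTF-16LE (each character followed by a NUL byte).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Optional scheme, a dotted hostname, optional path.
URL_RE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?$", re.IGNORECASE
)
# Dotted names that are file names, not hosts (library imports and the like).
NOT_HOST_SUFFIXES = {"dll", "exe", "sys", "ocx", "drv", "dat", "ini", "tmp", "log"}


def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every printable ASCII or UTF-16LE run.

    Results are sorted by offset so the order matches the file layout, which
    is usually the order in which the malware walks its list. Note that a
    UTF-16 run can swallow the trailing byte of a preceding ASCII string if
    nothing separates them; inspect odd-looking leading characters by hand.
    """
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(blob)]
    return sorted(found)


def looks_like_target(s: str) -> bool:
    """True for URL- or hostname-shaped strings that are not dotted file names."""
    if not URL_RE.match(s):
        return False
    host = re.sub(r"^https?://", "", s, flags=re.IGNORECASE).split("/", 1)[0]
    return host.rsplit(".", 1)[-1].lower() not in NOT_HOST_SUFFIXES


def find_targets(blob: bytes) -> List[str]:
    """Unique target strings in file order, deduplicated case-insensitively."""
    seen = set()
    targets = []
    for _offset, s in extract_strings(blob):
        if looks_like_target(s) and s.lower() not in seen:
            seen.add(s.lower())
            targets.append(s)
    return targets


if __name__ == "__main__":
    for target in find_targets(SAMPLE_BLOB):
        print(target)
```

Run it against a real dropped file by replacing SAMPLE_BLOB with the file's bytes; compare the extracted list against the hosts that are actually being hit, since a mismatch (fewer hosts found than attacked) is a strong hint that part of the list is obfuscated or fetched elsewhere.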

Though many reports claim it is coming from North Korea, it's too soon to pinpoint exactly who is behind it.

“It's not hard to mitigate a DDoS – it's expensive, though not hard to do,” said Howard. “But it is hard to attribute the attack to a specific origin.”

Few clues exist so far to support a determination, though forensic efforts are ongoing.

“The malware itself does not give any clue as to who is doing this,” Corrons said.

There are a number of theories, however, on where the email bearing the malicious payload physically originated.

“There was a report that ground zero – the place where the emails were launched from – is somewhere east of Seoul,” Howard said. “But that is purely speculative at this point.”


