An ongoing distributed-denial-of-service (DDoS) attack is affecting a number of U.S. and South Korean government websites, along with financial institutions, such as the New York Stock Exchange and NASDAQ sites, as well as various military sites and the Washington Post.
The attack may have started during the July 4 weekend, but seemed to have peaked yesterday, Rick Howard, intelligence director for VeriSign iDefense, told SCMagazineUS.com on Wednesday.
One of the hardest hit government sites was at the Federal Trade Commission, but other U.S. government sites have been able to mitigate the effect.
“Most of the U.S. government sites have handled it without too much of a problem,” Howard said. “But there have been problems on the South Korean side.”
The code itself is not new or particularly sophisticated. It seems to be a variant of the MyDoom worm that first hit in 2004.
“We have a copy of the malicious code that is doing it. It is not that exciting in terms of new and interesting things – it's a middle-of-the-road DDoS attack trojan,” Howard said. “There may not even be a command-and-control server involved – the payload may be delivered by email.”
Some security experts have estimated the number of compromised computers hosting the malware at between 30,000 and 60,000. And the code may bundle a number of different modules.
“The malicious code drops several different components and is composed of many different files,” Luis Corrons, technical director at PandaLabs, told SCMagazineUS.com on Wednesday. “One of the files has a list of URLs to be attacked hard-coded in it -- so the attackers are not dynamically configuring the attack.”
Though many reports claim it is coming from North Korea, it's too soon to pinpoint exactly who is behind it.
“It's not hard to mitigate a DDoS – it's expensive — though not hard to do,” said Howard. “But it is hard to attribute the attack to a specific origin.”
And few clues yet exist to help make a determination, though forensic efforts are ongoing.
“The malware itself does not give any clue as to who is doing this,” Corrons said.
There are a number of theories, however, on where the email bearing the malicious payload physically originated.
“There was a report that ground zero – the place where the emails were launched from -- is somewhere east of Seoul,” Howard said. “But that is purely speculative at this point.”