Strange ‘DDoS attack’?

2011.03.15 by youknowit

The 3.3 DDoS (3 March 2011) and 7.7 DDoS (7 July 2009) attacks have been used as the basis for emphasising the need for the so-called “Zombie PC Prevention Act”, which the Korea Communications Commission is enthusiastically promoting. However, these DDoS attacks have some strange features.

To launch a DDoS attack, the attacker must first amass a large number of zombie PCs. This stage takes real effort, because it is not easy to distribute the bot malware widely without getting caught; it is the riskiest part of the operation. Once a herd of infected PCs has been obtained, it must be maintained. If users realise that their PC is infected, they will run anti-virus software and remove the malware, which weakens the attack or makes it impossible. It is therefore in the attacker’s interest to keep users unaware that their PCs are infected. It is unusual for a DDoS attacker to go to the trouble of infecting all those PCs only to launch a one-time attack and then throw everything away. An attacker would normally want to keep the herd and send it commands to hit different targets as and when needed. Infected PCs are even traded between attackers.

Damaging the boot sector of the infected PC to make it unusable would be a ‘suicidal’ act for such an attacker: it kills the “troops” he or she took pains to recruit. Nor does this so-called “self-destruction” destroy any evidence. On the contrary, it announces loud and clear, for everyone to see, that “this PC was attacked”. Damaging the boot sector does not erase the data in the rest of the hard disk; the sectors beyond the boot record are untouched and their contents remain there to be read. In the case of the 3.3 DDoS, files with certain extensions (*.docx, *.ppt, *.xls, *.zip, etc.) were also overwritten. If you have an unbootable hard drive on which every file with certain extensions has been irretrievably damaged, what better ‘evidence of attack’ could you ask for? In other words, this is an act designed to create an atmosphere of fear and attract attention, not the act of an attacker who is serious about launching DDoS attacks.

If the attacker had really been keen to destroy evidence, or to remove the malware so that whitehats would find it harder to collect a sample for analysis, a batch file that deletes the incriminating files and then quietly deletes itself would have done the trick. There is no reason to damage the boot sector or the user’s personal files such as *.docx, *.ppt, etc.
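The two technical claims above, that damaging the boot sector leaves the rest of the disk intact and that the 3.3 malware overwrote files by extension, are exactly what a responder would verify on a victim machine. The following is an added example (not code from the original post or from any published analysis of the 3.3 malware) of that triage: it parses sector 0 of a raw disk image for the 0x55AA boot signature and partition entries, carves past the boot sector for surviving ZIP headers (the container format of *.docx/*.xlsx/*.zip), and classifies files with the targeted extensions as intact or overwritten by comparing their first bytes against the format’s documented magic. The disk image and files are constructed inline so the script runs offline; the partition offset and file contents are made-up sample values.

```python
"""Triage helpers for the damage pattern described above (added example).

Checks a responder would run on a suspect disk image or file set:
  * is the MBR (sector 0) still a valid boot sector?
  * do files with the targeted extensions still start with the magic
    bytes their format requires, or have they been overwritten?
The sample image and files are constructed inline (assumption: a single
partition starting at LBA 2048); this is not the malware's code.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
OLE2_HEADER = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Documented format signatures for the extensions named in the post.
MAGIC = {
    ".docx": (ZIP_LOCAL_HEADER,),              # OOXML is a ZIP container
    ".xlsx": (ZIP_LOCAL_HEADER,),
    ".pptx": (ZIP_LOCAL_HEADER,),
    ".zip": (ZIP_LOCAL_HEADER, b"PK\x05\x06"),  # PK\x05\x06 = empty archive
    ".ppt": (OLE2_HEADER,),                    # legacy Office = OLE2 compound file
    ".xls": (OLE2_HEADER,),
    ".doc": (OLE2_HEADER,),
}


def check_mbr(image: bytes) -> dict:
    """Inspect sector 0: boot signature and the four partition entries."""
    sector0 = image[:SECTOR]
    result = {"signature_ok": sector0[510:512] == MBR_SIGNATURE, "partitions": []}
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[4] == 0:                      # type 0x00 = empty slot
            continue
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        result["partitions"].append(
            {"type": entry[4], "lba_start": lba_start, "sectors": sectors})
    return result


def surviving_zip_headers(image: bytes, skip_sectors: int = 1) -> list:
    """Carve for ZIP local-file headers beyond the (possibly wiped) boot sector."""
    hits, off = [], image.find(ZIP_LOCAL_HEADER, skip_sectors * SECTOR)
    while off != -1:
        hits.append(off)
        off = image.find(ZIP_LOCAL_HEADER, off + 1)
    return hits


def classify_file(name: str, data: bytes) -> str:
    """Compare a file's leading bytes with the magic its extension implies."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-type"
    if any(data.startswith(m) for m in expected):
        return "intact"
    if not data:
        return "truncated"
    if all(b == data[0] for b in data[:64]):   # a run of one byte value
        return "overwritten-filler"
    return "overwritten"


def build_sample_image() -> bytes:
    """Constructed sample: valid MBR, one NTFS-type partition at LBA 2048,
    and a docx-like ZIP header at the start of that partition."""
    mbr = bytearray(SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 4096)
    mbr[446:462] = entry
    mbr[510:512] = MBR_SIGNATURE
    image = bytearray(SECTOR * 2052)
    image[:SECTOR] = mbr
    image[2048 * SECTOR: 2048 * SECTOR + 4] = ZIP_LOCAL_HEADER
    return bytes(image)


def wipe_sector0(image: bytes) -> bytes:
    """Simulate boot-sector damage: zero sector 0, leave everything else."""
    return bytes(SECTOR) + image[SECTOR:]


if __name__ == "__main__":
    img = build_sample_image()
    print("before:", check_mbr(img))
    wiped = wipe_sector0(img)
    print("after: ", check_mbr(wiped))
    print("ZIP headers still present at offsets:", surviving_zip_headers(wiped))
    print(classify_file("report.docx", ZIP_LOCAL_HEADER + b"\0" * 20))
    print(classify_file("report.docx", b"\0" * 100))
```

Run against a real image (`dd if=/dev/sdX of=disk.img`) the same functions tell you in seconds whether the boot record alone was hit, which is the recoverable case, or whether the targeted files were actually overwritten.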

DDoS attacks usually do not scare users. The attack does not stop the user’s PC; it makes the targeted website unstable. Users who need to connect to that particular site will certainly be inconvenienced, and annoyed, but annoyance does not make people panic-stricken. For example, DDoS attacks were launched against Visa and PayPal, which had cut off donations to WikiLeaks. But users who did not need Visa or PayPal at that particular moment were unaffected (even if their own PCs were being mobilised in the attack), and they had no reason to be filled with fear.

The 7.7 and 3.3 DDoS attacks, however, were designed to scare users by attacking the users’ own PCs (as DDoS attacks go, this verges on a ‘self-flagellation drama’). Of course, this ‘security scare’ was further aggravated by media reports that vastly exaggerated the risk of infection by suggesting that everyone’s PC was somehow infected.

In the end, it is clear that the 7.7 and 3.3 DDoS attacks had the effect of educating the public to rush to download and install anti-virus software out of fear. But these were not attacks carried out by someone who intended to launch DDoS attacks in a sustained manner. It is, however, difficult to know the actual number of PCs whose hard disks were damaged by the malware used in the attack. There is a report that the number of PCs damaged by the faulty anti-virus update distributed by AhnLab (the biggest security solution provider in Korea, which accidentally shipped a vaccine update on 10 March 2011 that damaged thousands of users’ PCs) far exceeds the number of PCs allegedly damaged by the 3.3 DDoS malware.

Of course, the elderly gentlemen who claim that all this havoc “is presumed to have been caused by North Korea” are still at the core of the government. It would be wonderful if they held a press conference showing that the code clearly contains the Korean for “number 1” (“1번”), and that it must therefore be the work of North Koreans… [Non-Koreans would not get the joke, though.]

Categories: Security | 5 comments