The botnet used in the DDoS attacks was “dynamically updated via new malware binaries” and “launched a relentless DDoS for slightly over a week.” The botnet, whose infected machines were located in South Korea, then “destroyed the machines it was deployed on by overwriting with zeroes and then deleting key data files such as source code, documents and then zeroing-out the Master Boot Record (MBR) to render the computers unbootable”, McAfee explained in a blog.
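The wiper behaviour McAfee describes leaves a recognisable forensic signature: the first sector of the disk, which normally holds boot code, a four-entry partition table at byte offset 446 and the 0x55AA boot signature at offset 510, comes back as 512 zero bytes. The following Python is an added example of the check a responder would run on a recovered disk image; it is not McAfee's code and not the malware's. The sample sectors are constructed inline rather than taken from any affected machine.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # little-endian 0xAA55 at offset 510
PARTITION_TABLE_OFFSET = 446


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into boot-code status, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        e = sector[off:off + 16]
        status, ptype = e[0], e[4]
        # Bytes 8..15 of each entry: starting LBA and sector count, little-endian
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_zeroed": not any(sector[:PARTITION_TABLE_OFFSET]),
        "partitions": entries,
    }


def assess_mbr(sector: bytes) -> str:
    """Classify the sector as 'zeroed' (wiped), 'intact', or 'damaged'."""
    if not any(sector):
        return "zeroed"            # every byte overwritten with 0x00, as the wiper did
    info = parse_mbr(sector)
    has_partition = any(p["type"] != 0 for p in info["partitions"])
    if info["signature_ok"] and has_partition:
        return "intact"
    return "damaged"               # e.g. signature present but partition table cleared


def is_zero_filled(data: bytes) -> bool:
    """True for a non-empty file body that is entirely 0x00 (overwritten before deletion)."""
    return len(data) > 0 and not any(data)


def build_sample_mbr() -> bytes:
    """Constructed sample (hypothetical): one bootable NTFS partition starting at LBA 2048."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PARTITION_TABLE_OFFSET - 5)
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff]) \
        + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * 48     # three empty entries
    return boot_code + table + BOOT_SIGNATURE


def zeroed_mbr() -> bytes:
    """What the first sector looks like after the wiper has run."""
    return b"\x00" * MBR_SIZE


if __name__ == "__main__":
    for label, sector in (("sample", build_sample_mbr()), ("wiped", zeroed_mbr())):
        print(label, assess_mbr(sector))
```

On a real image the sector is simply `open(path, "rb").read(512)`; the same three-way classification separates the all-zero wipe described here from other boot-sector damage, which matters when deciding whether the partition table is recoverable.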
McAfee concluded that the March 2011 DDoS attack was most likely carried out by the same group that carried out a DDoS attack on South Korean and US sites in July 2009. During that attack, many South Korean sites were taken offline, but the US sites were only slowed down. For the most recent attack, only South Korean sites were attacked, McAfee said.
“The level of sophistication [of the March 2011 attack] dramatically increased. What we saw was excessive use of encryption, obfuscation, building of a highly resilient botnet that would be more difficult to analyze and take down by the defenders of these networks and the South Korean government”, Dmitri Alperovitch, vice president of threat research at McAfee, told Infosecurity.
McAfee explained that “multiple encryption algorithms, such as AES, RC4, and RSA, were used to obfuscate numerous parts of the code and configuration of the attack components to slow down the analysis. Over 40 globally distributed multi-tier command and control servers (USA, Taiwan, Saudi Arabia, Russia and India accounted for over half of all of servers) were used to dynamically update the malware and its configurations in a fashion designed to be highly resilient against takedowns.”
Alperovitch compared the level of sophistication in carrying out a simple DDoS attack to racing a Lamborghini in a go-cart race. The effort took months to prepare and involved a number of people, suggesting it was not the work of amateur hackers, he added.
McAfee’s best guess is that the DDoS attack was orchestrated by the North Korean government to test the capabilities of South Korea – a cyber reconnaissance operation.
“Based on our analysis, we believe that [the North Korean government] is the most likely culprit here. If this was a prank or political act, they brought an awful lot of resources to bear for something that could have been done much cheaper and much easier”, Alperovitch said. In addition, the botnet had a built-in self-destruct mechanism so it could not be used after the attack, he added.
“This looks very much like a prepared military operation with a specific objective and mission that could be measured”, he concluded.