Bots used in South Korean attacks begin self-destructing

July 10th, 2009


The cyber attacks that continue to cut off access to dozens of government and commercial web sites in the U.S. and South Korea have taken a bizarre twist.

Some of the PCs used to carry out attacks on Thursday (July 9th) were freshly botted machines. A botmaster took control of them, probably by tricking the users into clicking on bad URLs sent via email spam, says Vincent Weafer, vice president of Symantec Security Response. The botmaster next sent two sets of instructions, the likes of which Weafer had never seen.

The first set of instructions was routine. It called for the fresh bot to send nuisance requests to a list of web sites, mostly in South Korea, as part of a distributed denial of service, or DDoS, attack meant to knock the targeted sites offline. But the second set, scheduled to activate today (July 10), was downright bizarre. It triggered an elaborate sequence that erases the work files associated with office, business and development applications and then overwrites the Master Boot Record, so that the PC will no longer start the next time the user reboots.
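The second payload overwrites the first sector of the disk, which is what an examiner would look at first on a seized drive. The following script is an added example, not code from the article, from Symantec or from the Dozer sample itself: it parses a raw 512-byte Master Boot Record the way a forensic triage tool would and reports what a wiper leaves behind. The three sectors it checks are constructed inline (a healthy one, a fully zeroed one, and one where only the partition table was destroyed); the malware's actual write pattern is not given in the article and is not reproduced here.

```python
import struct

# Layout of a classic 512-byte MBR: 446 bytes of boot code, a 64-byte
# partition table (four 16-byte entries) and the 0x55AA boot signature.
MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries of a raw MBR sector."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks bootable."""
    problems = []
    if len(mbr) < MBR_SIZE:
        return ["image shorter than one 512-byte sector"]
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    if not any(mbr[:BOOT_CODE_SIZE]):
        problems.append("boot code region is all zero")
    parts = parse_partitions(mbr)
    used = [p for p in parts if p["type"] != 0]
    if not used:
        problems.append("no partition entries")
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            problems.append(f"entry {p['index']}: zero-length partition")
    # Partitions must not overlap on disk.
    ordered = sorted(used, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return problems


def build_sample_mbr() -> bytes:
    """Constructed sample of a healthy MBR (not a real disk image)."""
    boot_code = b"\xeb\x3c\x90" + b"\x90" * (BOOT_CODE_SIZE - 3)  # jmp + NOP filler
    # One active NTFS-style (type 0x07) partition starting at LBA 63.
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    table = entry0 + bytes(PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


# Constructed "after the wiper" sectors: fully zeroed, and partition table only.
SAMPLE_MBR = build_sample_mbr()
ZEROED_MBR = bytes(MBR_SIZE)
TABLE_WIPED_MBR = SAMPLE_MBR[:PARTITION_TABLE_OFFSET] + bytes(64) + BOOT_SIGNATURE

if __name__ == "__main__":
    for name, sector in [("healthy", SAMPLE_MBR), ("zeroed", ZEROED_MBR),
                         ("table wiped", TABLE_WIPED_MBR)]:
        print(name, check_mbr(sector) or "OK")
```

On a real drive the same check is run against the first 512 bytes of the raw device or image (for example the output of `dd if=/dev/sdb bs=512 count=1`); a sector that fails the signature or partition-table checks will not boot, which matches the symptom the article describes.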

A first: self-destructing bots!

Symantec found a few hundred examples of this in the wild and estimates that several thousand botted PCs, or perhaps more, could carry this infection, a variant of a Trojan program called Dozer. That means some of the botted PCs carrying out this week's DDoS attacks against South Korean sites subsequently began to wipe out work files and ultimately self-destructed.

Brainstorming with LastWatchdog, Weafer could not come up with a plausible scenario explaining the motivation for this illogical, destructive attack.

Why go through the trouble of commandeering a PC, use it for a simple DDoS attack, and then cripple it? Any botmaster worth his salt would simply put the bot to sleep and call it up again later to attack other sites, spread spam, push scareware promotions or do other profitable criminal work.

And why go through the trouble of erasing all work-related files? Most cyber criminals who distribute programs that, like Dozer, corrupt work files do so for the singular purpose of extorting payment from the victim; in exchange for a cash payment the attacker restores access to the files. But there is no ransom request involved here. Indeed, by the time the user tries to reboot, the Master Boot Record has already been overwritten, and the machine simply fails to start.

Braggart, hacktivist  or cyber-warrior-in-training?

Could this attacker be a throwback to hacking for bragging rights or to make a political statement, or both?

“It makes no sense,” says Weafer. “Why would you clean out the work files and then destroy master reboot? There is no financial or logical reason beyond simply making a statement.”

LastWatchdog wonders if this might be the work of a novice nation-state cyber-warrior-in-training, on a dry run to get familiar with cyber attack tools. It certainly adds a new wrinkle to the otherwise straightforward, headline-grabbing DDoS attacks that began on July 4th. U.S. web sites struck included those of the White House, Pentagon, Treasury Department, the Nasdaq stock exchange, and Brian Krebs' high-visibility Security Fix blog.

That initial assault came just a few days after North Korea belligerently launched test missiles into the Pacific Ocean. A second wave hit Tuesday, and a third wave hit Thursday, mostly against South Korean web sites, reinforcing allegations that North Korea, or its sympathizers, were behind the attacks.

“This was definitely a reason to sit up and take notice that the bad actors have control of massive computing power and could launch other more damaging or sophisticated attacks in the future,” Patricia Titus, Chief Information Security Officer, Unisys Federal Systems, told LastWatchdog.

Rick Caccia, vice president of product marketing at ArcSight, observes: “The key lesson is that organizations’ use of the internet for business has outstripped their ability to monitor what’s happening . . . the incentive for attack is high and the attack surface is large, larger than most firms’ ability to watch it.”

Triumfant CEO John Prisco said the attack was carried out with botted PCs infected using a variant of the well-known email virus MyDoom. Anyone who has read this chapter of Zero Day Threat will recall that MyDoom has been around since 2004, when it clashed with Sven Jaschan’s do-good virus, Netsky, and his milestone worm, Sasser.

Prisco says someone has crafted yet another variant of MyDoom that has evaded detection by most antivirus filters and amassed fresh bots to conduct the DDoS bombardments.

“Bad guys will always have the edge on any software that requires previous knowledge of an attack to detect it as malicious,” says Prisco. “Today more than ever companies need to take additional steps, tightening policies and adding new technologies, to catch the threats their existing security tools are allowing to get through.”

Symantec’s Weafer agrees that more can always be done to prevent botmasters from taking control of fresh PCs in the first place to use as bot weapons. He adds that companies also need to pay closer attention to Access Control Lists, or ACLs, the rules that decide which Internet traffic, good or bad, is allowed to and from IT systems.

Photo: Officer shows the hard drive of a bot used in the DDoS attacks

–Byron Acohido