Jul 14 2009
Korea and US DDoS attacks: The attacking source located in United Kingdom
Bkis, as a member of APCERT, received a request from KrCERT (Korean Computer Emergency Response Team) to investigate the incident in which DDoS attacks were being carried out against websites in South Korea and the US.
We analyzed the malware sample we received from KrCERT and located the botnet, which is controlled by 8 Command and Control (C&C) servers through control code embedded in a file named “flash.gif”. Every 3 minutes, each zombie randomly selects one of the 8 servers, connects to it and receives orders. Notably, we found a master server located in the UK which controls all 8 C&C servers and directed last week’s series of cyber-attacks. The source of the attacks has therefore been identified as being in the UK. The existence of this master server has not been reported before.
In order to locate the source of the attacks, we fought against the C&C servers and gained control of 2 of the 8. After analyzing the logs of these 2 servers, we discovered the IP address of the master server, 195.90.118.xxx. This IP is located in the UK. The master server is running the Windows 2003 Server operating system.
During the past few days, the number of zombies has been estimated at 50,000 by Symantec and at about 20,000 by the Government of South Korea. By taking control of two C&C servers and analyzing the logs on those servers, we counted the exact number of zombies that have been querying the C&C servers for commands. Accordingly, 166,908 zombies from 74 countries around the world have been used in the attacks.
No | Country
1 | Korea, Republic of
2 | United States
3 | China
4 | Japan
5 | Canada
6 | Australia
7 | Philippines
8 | New Zealand
9 | United Kingdom
10 | Vietnam
Top 10 zombie host countries
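The zombie count and the 3-minute beacon interval above both come from the access logs of the two captured C&C servers. As an added illustration (not Bkis’s own tooling), the Python below parses constructed Apache combined-format log lines from two hypothetical C&C servers, merges them, counts the distinct client IPs that fetched the command file “flash.gif”, and checks each client’s fetch cadence against the 3-minute period the post describes. The sample addresses and timestamps are made up; the file name, the pool of 8 servers and the 3-minute interval are taken from the post. The final function is my own addition: assuming zombies pick a server uniformly at random (the post only says “randomly”), it estimates how likely a zombie is to appear in the logs of 2 of the 8 servers after a given number of check-ins, which is why two servers’ logs are enough to count nearly the whole botnet over a day.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: access logs of two hypothetical C&C servers in Apache
# combined format. Addresses and times are invented for this example.
CC_SERVER_A_LOG = """\
10.0.0.1 - - [10/Jul/2009:12:00:00 +0900] "GET /flash.gif HTTP/1.1" 200 1337 "-" "Mozilla/4.0"
10.0.0.1 - - [10/Jul/2009:12:03:01 +0900] "GET /flash.gif HTTP/1.1" 200 1337 "-" "Mozilla/4.0"
10.0.0.1 - - [10/Jul/2009:12:06:00 +0900] "GET /flash.gif HTTP/1.1" 200 1337 "-" "Mozilla/4.0"
10.0.0.2 - - [10/Jul/2009:12:01:10 +0900] "GET /flash.gif HTTP/1.1" 200 1337 "-" "Mozilla/4.0"
192.0.2.7 - - [10/Jul/2009:12:02:00 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Jul/2009:12:02:01 +0900] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""
CC_SERVER_B_LOG = """\
10.0.0.2 - - [10/Jul/2009:12:04:12 +0900] "GET /flash.gif HTTP/1.1" 200 1337 "-" "Mozilla/4.0"
10.0.0.3 - - [10/Jul/2009:12:05:00 +0900] "GET /flash.gif HTTP/1.1" 200 1337 "-" "Mozilla/4.0"
10.0.0.1 - - [10/Jul/2009:12:09:02 +0900] "GET /flash.gif HTTP/1.1" 200 1337 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Yield (client_ip, timestamp, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
                   m["path"], int(m["status"]))


def beacon_times(logs, beacon_path="/flash.gif"):
    """Merge several servers' logs; group successful command-file fetches per client IP."""
    polls = defaultdict(list)
    for text in logs:
        for ip, ts, path, status in parse_log(text):
            if path == beacon_path and status == 200:
                polls[ip].append(ts)
    for times in polls.values():
        times.sort()
    return dict(polls)


def count_zombies(polls):
    """Distinct client IPs that fetched the command file.

    This is an IP-level estimate: NAT hides hosts behind one address and DHCP
    can make one host appear under several, so treat it as an approximation."""
    return len(polls)


def median_interval(times):
    """Median seconds between successive fetches by one client; None with fewer than two."""
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps)


def periodic_clients(polls, expected=180.0, tolerance=30.0):
    """IPs whose fetch cadence matches the expected beacon period (3 minutes per the post)."""
    hits = []
    for ip, times in polls.items():
        med = median_interval(times)
        if med is not None and abs(med - expected) <= tolerance:
            hits.append(ip)
    return sorted(hits)


def observation_probability(servers_total, servers_captured, polls):
    """Assumed model: each check-in picks one of servers_total uniformly at random.

    Returns the chance a zombie is seen by at least one captured server after
    `polls` check-ins (with 8 servers, 2 captured and 480 polls per day this is ~1)."""
    miss = 1.0 - servers_captured / servers_total
    return 1.0 - miss ** polls


if __name__ == "__main__":
    polls = beacon_times([CC_SERVER_A_LOG, CC_SERVER_B_LOG])
    print("distinct zombies:", count_zombies(polls))
    print("clients on a 3-minute cadence:", periodic_clients(polls))
    print("coverage after one day:", observation_probability(8, 2, 480))
```

Only status-200 fetches of the command file are counted, so a crawler that merely requests the site root or favicon (the 192.0.2.7 lines) is not mistaken for a bot; the cadence check is what separates beaconing clients from a one-off download.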
Having located the attacking source in the UK, we believe it is entirely possible to identify the hacker. This of course depends on the US and South Korean governments. We have sent KrCERT and US-CERT the IP address of the attacking source.
Nguyen Minh Duc
Senior Security Researcher / Bkis Security Director
Bkis has sent the details of its research and the information on the master server in the UK to US-CERT and KrCERT.
At present, US-CERT and KrCERT are cooperating to investigate the attack source.
[...] said Nguyen Minh Duc, senior security director at Bach Khoa Internetwork Security (Bkis), in a blog posting on the company’s Web site. Bkis says it gained control of two of the eight servers and through this [...]
Hey from the Belgian security researchers.
We have brought down several botnets here this year.
We could transfer listings of IP addresses to our cyberpolice if they are from Belgium.
So they could treat them with the ISP’s in question.
We have seen in the graphics from shadowserver that Belgian sites and pc’s were involved in this attack.
thanx
you give, we clean
you help, we forward
Hi Nguyen Minh Duc
This case is very interesting, but I have a question about Picture 2, whose background is black. It looks like an Apache log, and you found the Master Server in the Apache log whose IP is 195.90.118.XXX. How did you differentiate between 【Master Server】 and 【Other Victim (for zombies to download Malware)】? If it is not secret, could you tell me more detail?!
Thanks for your information!
That server seems to be operated by Global Digital Broadcast, an IPTV company in Brighton, UK. http://en.wikipedia.org/wiki/Global_digital_broadcast
must be a compromised machine.
The owners of this IP address should be taken off line and if the attacks stop then their computer equipment should be seized.
The penalty for these types of attacks should be dealt with harshly and anybody involved should be put in jail.
The amount of time wasted by these attacks should be computed to a fine to be assessed to the law breakers in a court of law.
[...] denial-of-service attacks that started on the July 4 weekend, security firm Bkis said in a blog posting on its Web site on Monday. Bkis said it gained control of two of the servers. The Vietnamese [...]
Update on DDOS: http://jorgeorchilles.blogspot.com/2009/07/update-on-ddos.html
“According to Nguyen Minh Duc’s blog post, the master server that controlled the 8 command and control servers for the botnet responsible for the July 4th DDOS attacks has been identified.”
Coverage since July 4th on DDOS: http://jorgeorchilles.blogspot.com/2009/07/july-us-and-south-korea-ddos-attacks.html
Thanks for the info!
166908 Zombies… ㅡ.ㅡ;
[...] a Vietnam-based security company, stated on its corporate blog, “In order to locate the source of the attacks, we have fought against C&C servers and [...]
[...] that we received” said Nguyen Minh Duc, a director of Vietnamese security company BKIS, in a post on the company’s blog. “We found a master server located in the [...]
This isn’t the full story. The source was traced further back to Miami, Florida, USA, and may go further back still:
http://www.wired.com/threatlevel/2009/07/brits-attack-us/
[...] pattern that we received” said Nguyen Minh Duc, a director of Vietnamese security company BKIS, in a post on the company’s blog. “We found a master server located in the UK.” Investigators said they had discovered new details [...]
[...] denial-of-service attacks that started on the July 4 weekend, security firm Bkis said in a blog posting on its Web site on Monday. Bkis said it gained control of two of the [...]
[...] What a shock, the DDoS attacks probably weren’t from North Korea. I think their entire Internet connectivity is a phone line with an acoustic modem. [...]
[...] at Bkis Security in Hanoi, who reported findings about the British server on their company’s blog, say that the denial-of-service attacks that struck more than three dozen government and commercial [...]
Hi, thanks for this information. But I have a question.
Why did you think that the master server is a real one?
You said there were two requests from the master server in a C&C server’s web log. But that’s all. Just flash.gif and favicon.ico. In my opinion, if the master server was the master server, it should have done other stuff. Why did the master server need to get flash.gif? If the master was a real one, it didn’t need flash.gif. It should have given some orders or commands to the C&C servers instead of flash.gif.
Thanks.
It turns out that what BKIS did to detect the source is useless. According to the newest news, the “master-server” is located in United States.
[...] that we received” said Nguyen Minh Duc, a director of Vietnamese security company BKIS, in a post on the company’s blog. “We found a master server located in the [...]
[...] passports [*]Microsoft and Firefox vulnerabilities (some unpatched) being exploited in the wild. [*]What a shock, the DDoS attacks probably weren
A true scientific spirit, true scientific ethics, a true spirit of international cooperation and support, and a spirit of independent creativity. BKIS, you can hold your heads high; we are proud of you.
Wishing you even more success.
[...] from Vietnamese firm Bkis Security said on Monday that they had been working with the Korean Computer Emergency Response Team in an [...]
I really applaud you, Mr. Quang. I very much hope you will do your best to get through this scandal.
The proxy you have found is just one from the proxy lists which the hacker used for the attack.
By the way, about your antivirus, it’s good. But the problem is just that it takes too much system resources when it starts with Windows (sometimes about >100.000 KB). It would be so great if you could solve this in the next version.
Thanks.
Thanks for posting about this, I would love to read more about this topic.
Thanks – I think this information is very important.
If you are wondering how you can help with this or future events, please contact us. Also, you can contact other
blog.bkis.com – cool!!!!
Amazing news, thank you!
Nice post — this really hits home for me.
Interesting site, but many advertisements on it. Shall read as subscription, rss.
Great post! Just wanted to let you know you have a new subscriber- me!
I cannot believe this will work!
complex post. simply one detail where I contest with it. I am emailing you in detail.
It sounds like you’re creating problems yourself by trying to solve this issue instead of looking at why there is a problem in the first place.
I rarely comment on blogs but yours I had to stop and say Great Blog!!
Good work! Thank you very much! I always wanted to write in my blog something like that. Can I take part of your post to my blog? Of course, I will add backlink?
Sorry but I don’t share most of these ideas.
Gracious post — this definitely hits home ground for me.
Thanks an eye to the survey! I longing to allege – thanks you instead of this!
As a Newbie, I am always searching online for articles that can help me. Thank you
yeh right.. great post, Thank You
The article is very good. Write please more
Amiable site room up your passable work.
Hi. This is a super post!
author’s note seemed to me very helpful and changed my outlook on many things.
Article very interesting, I will necessarily add it in the selected works and I will visit this site
You have a very cool blog! Thanks for this review, I found a lot of new and interesting. You are in my bookmarks
Of course, what a great site and informative posts, I will add backlink – bookmark this site? Regards, Reader.
Closely I think that this enter is something which necessary more distinction of your readers.
Thank you for a good story, I really enjoyed your blog. Be sure to give a link to your friends!
oh, hot thread. Hope BKIS can develop on the world :)
I wish not approve on it. I over precise post. Particularly the designation attracted me to be familiar with the unscathed story.
In my opinion you commit an error. Let’s discuss it. Write to me in PM.