Jul 14 2009

Korea and US DDoS attacks: The attacking source located in United Kingdom

Published by at 12:21 am under Security Research

Bkis, as a member of APCERT, received a request from KrCERT (the Korean Computer Emergency Response Team) to investigate the incident in which DDoS attacks were being launched against websites in South Korea and the US.

We analyzed the malware sample we received from KrCERT and located the botnet, which is controlled by 8 Command and Control (C&C) servers through controlling code embedded in a file named “flash.gif”. Every 3 minutes, each zombie randomly selects one of the 8 servers, connects to it, and retrieves its orders. In particular, we found a master server located in the UK that controls all 8 C&C servers and used them to carry out last week's series of cyber attacks. So the source of the attacks has been traced to the UK. The existence of a master server had not been reported before.

[Figure: DDoS attack diagram]

In order to locate the source of the attacks, we went after the C&C servers and gained control of 2 of the 8. After analyzing the logs of these 2 servers, we discovered the IP address of the master server, 195.90.118.xxx. This IP is located in the UK. The master server runs the Windows Server 2003 operating system.

[Figure: C&C server log showing the master server's IP address]

Over the past few days, the number of zombies had been estimated at 50,000 by Symantec and at about 20,000 by the government of South Korea. By taking control of two C&C servers and analyzing their logs, we were able to count the zombies that actually queried the C&C servers for commands. By that count, 166,908 zombies from 74 countries around the world were used in the attacks.
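The log analysis described above, as an added example that is not Bkis's code: it parses Apache combined-format access log lines (a constructed sample, not the real C&C logs), keeps the clients that fetched the command file flash.gif, counts distinct client IPs, flags clients whose fetch interval matches the roughly 3-minute beacon described above, and aggregates the clients by country. The prefix-to-country table and the sample addresses are assumptions standing in for a GeoIP database, and BEACON_SECONDS and TOLERANCE are illustrative parameters.

```python
"""Count C&C-polling zombies from web-server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
COMMAND_FILE = "/flash.gif"   # the file carrying the orders, per the post
BEACON_SECONDS = 180          # zombies poll every 3 minutes, per the post
TOLERANCE = 30                # illustrative jitter allowance (assumption)

# Hypothetical prefix -> country table; a real analysis would use GeoIP.
COUNTRY_PREFIXES = {
    "Korea, Republic of": [ip_network("10.1.0.0/16")],
    "United States": [ip_network("10.2.0.0/16")],
    "United Kingdom": [ip_network("10.3.0.0/16")],
}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.1.0.5 - - [07/Jul/2009:10:00:00 +0900] "GET /flash.gif HTTP/1.1" 200 4096
10.1.0.5 - - [07/Jul/2009:10:03:01 +0900] "GET /flash.gif HTTP/1.1" 200 4096
10.1.0.5 - - [07/Jul/2009:10:06:00 +0900] "GET /flash.gif HTTP/1.1" 200 4096
10.2.0.9 - - [07/Jul/2009:10:00:40 +0900] "GET /flash.gif HTTP/1.1" 200 4096
10.2.0.9 - - [07/Jul/2009:10:03:39 +0900] "GET /flash.gif HTTP/1.1" 200 4096
10.1.0.7 - - [07/Jul/2009:10:01:10 +0900] "GET /flash.gif HTTP/1.1" 200 4096
10.3.0.2 - - [07/Jul/2009:09:58:00 +0900] "GET /flash.gif HTTP/1.1" 200 4096
10.3.0.2 - - [07/Jul/2009:09:58:02 +0900] "GET /favicon.ico HTTP/1.1" 404 209
10.2.0.1 - - [07/Jul/2009:10:02:00 +0900] "GET /index.html HTTP/1.1" 200 1024
"""


def parse(lines):
    """Yield (ip, datetime, path) for every line that matches the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole count
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]


def country_of(ip):
    """Map an address to a country via the hypothetical prefix table."""
    addr = ip_address(ip)
    for country, nets in COUNTRY_PREFIXES.items():
        if any(addr in n for n in nets):
            return country
    return "Unknown"


def analyze(log_text):
    """Return distinct zombie count, per-country counts, and beacon classification."""
    fetches = defaultdict(list)
    for ip, ts, path in parse(log_text.splitlines()):
        if path == COMMAND_FILE:
            fetches[ip].append(ts)

    beaconing, irregular = [], []
    for ip, times in fetches.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A client is "beaconing" when every gap sits near the 3-minute period.
        if gaps and all(abs(g - BEACON_SECONDS) <= TOLERANCE for g in gaps):
            beaconing.append(ip)
        else:
            irregular.append(ip)

    return {
        "zombies": len(fetches),
        "by_country": Counter(country_of(ip) for ip in fetches),
        "beaconing": sorted(beaconing),
        "non_beaconing": sorted(irregular),
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"{r['zombies']} distinct clients fetched {COMMAND_FILE}")
    for country, n in r["by_country"].most_common():
        print(f"{n:>4}  {country}")
    print("beaconing:", r["beaconing"])
    print("non-beaconing fetchers (review manually):", r["non_beaconing"])
```

Run the file directly to print the per-country table. Distinct client addresses are a proxy for infected hosts, not an exact count: several hosts behind one NAT gateway collapse into a single address, and a host whose DHCP lease changes during the attack shows up more than once, so a figure like 166,908 is best read as distinct addresses seen polling, with that error bar. The non-beaconing list is where a client that fetched the command file once and nothing else would surface for manual review.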

No.  Country
 1   Korea, Republic of
 2   United States
 3   China
 4   Japan
 5   Canada
 6   Australia
 7   Philippines
 8   New Zealand
 9   United Kingdom
10   Vietnam

Top 10 zombie host countries

Having located the attacking source in the UK, we believe it is entirely possible to identify the attacker. This, of course, depends on the US and South Korean governments. We have sent KrCERT and US-CERT the IP address of the attacking source.

Nguyen Minh Duc

Senior Security Researcher / Bkis Security Director

Bkis has sent the details of its research and the information about the master server in the UK to US-CERT and KrCERT.

At present, US-CERT and KrCERT are cooperating to investigate the attack source.

53 Comments to “Korea and US DDoS attacks: The attacking source located in United Kingdom”

  1. [...] said Nguyen Minh Duc, senior security director at Bach Khoa Internetwork Security (Bkis), in a blog posting on the company’s Web site. Bkis says it gained control of two of the eight servers and through this [...]

  2. len on 14 Jul 2009 at 5:27 pm

    Hey from the Belgian security researchers.
    We have brought down several botnets here this year.
    We could transfer listings of IP addresses to our cyberpolice if they are from Belgium.
    So they could handle them with the ISPs in question.
    We have seen in the graphics from shadowserver that Belgian sites and PCs were involved in this attack.

    thanks

    you give, we clean
    you help, we forward

  3. K.C. on 14 Jul 2009 at 5:38 pm

    Hi Nguyen Minh Duc
    This case is very interesting, but I have a question about Picture 2, the one with the black background. It looks like an Apache log, and you found the Master Server in the Apache log with IP 195.90.118.XXX. How did you differentiate between the Master Server and other victims (from which the zombies download malware)? If it is not secret, could you tell me in more detail?!

  4. Nan Lee on 14 Jul 2009 at 6:22 pm

    Thanks for your information!

  5. zato on 14 Jul 2009 at 7:43 pm

    That server seems to be operated by Global Digital Broadcast, an IPTV company in Brighton, UK. http://en.wikipedia.org/wiki/Global_digital_broadcast

    It must be a compromised machine.

  6. ondafritz on 14 Jul 2009 at 9:47 pm

    The owners of this IP address should be taken off line and if the attacks stop then their computer equipment should be seized.
    The penalty for these types of attacks should be dealt with harshly and anybody involved should be put in jail.
    The amount of time wasted by these attacks should be computed to a fine to be assessed to the law breakers in a court of law.

  7. [...] denial-of-service attacks that started on the July 4 weekend, security firm Bkis said in a blog posting on its Web site on Monday. Bkis said it gained control of two of the servers. The Vietnamese [...]

  8. Jorge Orchilles on 15 Jul 2009 at 1:13 am

    Update on DDOS: http://jorgeorchilles.blogspot.com/2009/07/update-on-ddos.html

    “According to Nguyen Minh Duc’s blog post, the master server that controlled the 8 command and control servers for the botnet responsible for the July 4th DDOS attacks has been identified.”

    Coverage since July 4th on DDOS: http://jorgeorchilles.blogspot.com/2009/07/july-us-and-south-korea-ddos-attacks.html

    Thanks for the info!

  9. Ryung Choi on 15 Jul 2009 at 12:49 pm

    166908 Zombies… ㅡ.ㅡ;

  10. [...] a Vietnam-based security company, stated on its corporate blog, “In order to locate the source of the attacks, we have fought against C&C servers and [...]

  11. [...] that we received” said Nguyen Minh Duc, a director of Vietnamese security company BKIS, in a post on the company’s blog. “We found a master server located in the [...]

  12. Keith Bell on 15 Jul 2009 at 7:13 pm

    This isn’t the full story. The source was traced further back to Miami, Florida, USA, and may go further back still:

    http://www.wired.com/threatlevel/2009/07/brits-attack-us/

  13. [...] pattern that we received” said Nguyen Minh Duc, a director of Vietnamese security company BKIS, in a post on the company’s blog. “We found a master server located in the UK.” Investigators said they had discovered new details [...]

  15. [...] What a shock, the DDoS attacks probably weren’t from North Korea. I think their entire Internet connectivity is a phone line with an acoustic modem. [...]

  16. [...] at Bkis Security in Hanoi, who reported findings about the British server on their company’s blog, say that the denial-of-service attacks that struck more than three dozen government and commercial [...]

  17. hack_wifi on 16 Jul 2009 at 9:44 am

    Hi, thanks for this information. But I have a question.

    Why did you think that the master server is a real one?
    You said there were two requests from the master server in a C&C server's web
    log. But that's all. Just flash.gif and favicon.ico. In my opinion,
    if the master server was really the master server, it should have done other stuff.

    Why did the master server need to get flash.gif? If the master was a real one, it
    didn't need flash.gif. It should have given some orders or commands to the C&C servers
    instead of fetching flash.gif.

    Thanks.

  18. Dark Night on 16 Jul 2009 at 10:22 am

    It turns out that what BKIS did to detect the source is useless. According to the newest news, the “master-server” is located in United States.

  20. [...] passports [*]Microsoft and Firefox vulnerabilities (some unpatched) being exploited in the wild. [*]What a shock, the DDoS attacks probably weren

  21. Viet Hung on 20 Jul 2009 at 9:21 am

    A genuine scientific spirit, genuine scientific ethics, a genuine spirit of international cooperation and support, and a spirit of independent creativity. BKIS, you can hold your heads high; we are proud of you.

    We wish you even more success.

  22. [...] from Vietnamese firm Bkis Security said on Monday that they had been working with the Korean Computer Emergency Response Team in an [...]

  23. ok on 22 Jul 2009 at 1:13 am

    I warmly applaud you, Quang. I really hope you will try hard to get past this scandal.

  24. George Samandez on 24 Jul 2009 at 8:18 am

    The proxy you have found is just one from the proxy lists which the hacker used for the attack.

    By the way, about your antivirus: it's good. But the problem is that it takes too many system resources when it starts with Windows (sometimes >100,000 KB). It would be great if you could solve this in the next version.

    Thanks.

  25. Paul on 24 Jul 2009 at 4:53 pm

    Thanks for posting about this, I would love to read more about this topic.

  26. HungPham on 27 Jul 2009 at 5:36 pm

    Thanks – I think this information is very important.

  27. MishaPowerauto on 29 Jul 2009 at 2:02 pm

    If you are wondering how you can help with this or future events, please contact us . Also, you can contact other
    blog.bkis.com – cool!!!!

  28. SergeyNikolaev on 30 Jul 2009 at 5:57 pm

    Amazing news, thank you!

  29. Zashkaser on 06 Aug 2009 at 4:07 am

    Nice post — this really hits home for me.

  30. Sdanektir on 06 Aug 2009 at 11:02 pm

    Interesting site, but too many advertisements on it. I shall read it by subscription, RSS.

  31. VitalikGromovss on 08 Aug 2009 at 9:46 pm

    Great post! Just wanted to let you know you have a new subscriber- me!

  35. doctorbiml on 25 Sep 2009 at 1:45 am

    I rarely comment on blogs but yours I had to stop and say Great Blog!!

  36. blondinkaya on 26 Sep 2009 at 8:35 am

    Good work! Thank you very much! I always wanted to write something like that in my blog. Can I take part of your post for my blog? Of course, I will add a backlink.

  37. yapapanyatt on 27 Sep 2009 at 8:37 pm

    Sorry but I don’t share most of these ideas.

  46. Gindoooe on 03 Dec 2009 at 8:20 am

    Very interesting article; I will definitely add it to my favourites and will visit this site.

  47. Antia on 05 Dec 2009 at 6:33 pm

    You have a very cool blog! Thanks for this review, I found a lot of new and interesting. You are in my bookmarks

  51. xyz on 07 Jan 2010 at 10:39 am

    Oh, hot thread. Hope BKIS can develop in the world :)
