[Infowarrior] - Lazy Hacker and Little Worm Set Off Cyberwar Frenzy

Richard Forno rforno at infowarrior.org
Thu Jul 9 00:12:05 UTC 2009


Threat Level: Privacy, Crime and Security Online
Lazy Hacker and Little Worm Set Off Cyberwar Frenzy
By Kim Zetter, July 8, 2009, 6:26 pm

http://www.wired.com/threatlevel/2009/07/mydoom/
Talk of cyberwar is in the air after more than two dozen high-level  
websites in the United States and South Korea were hit by denial-of-service
attacks this week. But cooler heads are pointing to a pilfered
five-year-old worm as the source of the traffic, under control of an  
unsophisticated hacker who apparently did little to bolster his  
borrowed code against detection.

Nonetheless, the attacks have launched a thousand headlines (or  
thereabouts) and helped to throw kindling on some long-standing  
international political flames — with one sworn enemy blaming another  
for the aggression.

Welcome to the New World Order of cybersecurity.

As reported by numerous media outlets this week, websites belonging to  
the White House, Department of Homeland Security, U.S. Secret Service,  
National Security Agency, Federal Trade Commission, Department of  
Defense and the State Department, as well as sites for the New York  
Stock Exchange and Nasdaq were hit by denial-of-service attacks over  
the July 4th holiday weekend. The Washington Post website was also  
reportedly affected by the attacks, launched by a botnet of more than  
50,000 computers in several countries (mostly China, South Korea and  
Japan, according to Whois records) controlled by the hacker.

Then on Tuesday, at least 11 sites in South Korea, including sites for  
the Ministry of Defense and the presidential Blue House, were also  
targeted, leading the Associated Press to publish a story prominently  
quoting anonymous South Korean intelligence officials blaming the  
attacks on North Korea.

Security experts who examined code used in the attack say it appears  
to have been delivered to machines through the MyDoom worm, a piece of  
malware first discovered in January 2004 and appearing in numerous  
variants since. The Mytob virus might have been used, as well.

Both programs infect PCs running various versions of the Windows  
operating system. MyDoom is delivered through an infected e-mail  
attachment and was spread through the Kazaa file-sharing network when  
it first came out. Once a user clicks on the attachment, the worm  
roots through the victim’s e-mail contact list and mails itself to  
everyone on the list. The initial malware in 2004 was programmed to  
launch a denial-of-service attack against a site for the SCO Group,  
which had filed an intellectual property suit against IBM over its  
alleged use of Linux code. The attack was programmed to launch  
February 1, 2004 and end February 12, sending a request to the website  
every millisecond. MyDoom was considered the fastest-spreading worm at  
the time.

In the recent attack, experts say the malware used no sophisticated  
techniques to evade detection by anti-virus software and doesn’t  
appear to have been written by someone experienced in coding malware.  
The author’s use of a pre-written worm to deliver the code also  
suggests the attacker probably wasn’t thinking of a long-term attack.

“The fact that it’s using older threats isn’t a terribly stealthy  
attack,” says Dean Turner, director of Symantec’s Global Intelligence  
Network. “And the fact that it’s re-using code could indicate that  
somebody put it together in a hurry or that, as with most DDoS  
attacks, their purpose is mostly nuisance. It didn’t require a degree  
in rocket science to pull that stuff together.”

He acknowledges, though, that given the length of time this attack
has continued, it's "pretty significant."

Joe Stewart, a security researcher at SecureWorks says the code he  
examined, which was written in Visual C++, was compiled on July 3, two  
days before the first attacks. Although Stewart says analysis of the  
attack is still in its early stages, he concurs that the attacker’s  
motivation was fairly routine.

“Usually you see a DDoS attack against one or two sites and it will be  
for one of two reasons — they have some beef with those sites or  
they’re trying to extort money from those sites,” he says. “To just  
attack a wide array of government sites like this, especially high-profile
ones, just suggests that maybe the entire point is just to get
attention to make some headlines rather than to actually do any kind  
of damage.”

Denial-of-service attacks are one of the least sophisticated kinds of  
attacks a hacker can launch and have been around for nearly as long as  
e-commerce. But their strength and reach have increased since the
advent of botnets — where hackers take control of thousands of  
machines by getting users to inadvertently click on files containing  
malware that allows them to remotely control the machines. The hackers  
then use the machines to launch attacks on websites. The only reason  
this one seems to have caught the public eye is because so many  
government sites were targeted at once.
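The paragraph above describes the two shapes a denial-of-service flood takes on the receiving end: a single source hammering a site (the 2004 MyDoom payload requested SCO's site every millisecond) and a botnet of tens of thousands of machines, each sending little, whose aggregate overwhelms the server. The following added example (not code from the article, nor from any of the researchers quoted) shows how a defender would spot both patterns in ordinary web-server access logs. The log lines, IP addresses (RFC 5737 documentation ranges) and thresholds are all constructed for illustration; a real deployment would tune `per_ip_limit` and `total_limit` to the site's normal traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Standard Apache/nginx "combined" access-log layout. The sample lines fed to
# this parser below are constructed for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, second, req} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return {"ip": m.group("ip"), "second": int(ts.timestamp()), "req": m.group("req")}


def flood_report(lines, per_ip_limit=20, total_limit=100):
    """Summarise flood indicators in a batch of access-log lines.

    Returns (noisy_ips, flooded_seconds):
      noisy_ips       -> {ip: peak requests in any single second} for sources that
                         exceed per_ip_limit (the single-source hammering pattern)
      flooded_seconds -> [(epoch_second, total_requests, distinct_sources)] for
                         seconds whose aggregate rate exceeds total_limit, which
                         catches a botnet where no individual bot is loud enough
                         to trip the per-IP check.
    """
    per_ip_sec = defaultdict(Counter)   # ip -> Counter(second -> hits)
    per_sec = Counter()                 # second -> total hits
    sources_per_sec = defaultdict(set)  # second -> set of source ips
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than abort the whole batch
        per_ip_sec[rec["ip"]][rec["second"]] += 1
        per_sec[rec["second"]] += 1
        sources_per_sec[rec["second"]].add(rec["ip"])

    noisy = {
        ip: max(hits.values())
        for ip, hits in per_ip_sec.items()
        if max(hits.values()) > per_ip_limit
    }
    flooded = [
        (sec, total, len(sources_per_sec[sec]))
        for sec, total in sorted(per_sec.items())
        if total > total_limit
    ]
    return noisy, flooded


def make_sample():
    """Constructed access-log lines: one normal hit, one loud source, one distributed burst."""
    tmpl = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
    lines = [tmpl.format(ip="203.0.113.5", ts="05/Jul/2009:14:00:00 +0000")]
    # Single loud source: 30 requests in the same second.
    lines += [tmpl.format(ip="198.51.100.7", ts="05/Jul/2009:14:00:01 +0000")
              for _ in range(30)]
    # Distributed burst: 150 distinct sources, one request each, same second.
    lines += [tmpl.format(ip=f"192.0.2.{i}", ts="05/Jul/2009:14:00:02 +0000")
              for i in range(1, 151)]
    return lines


if __name__ == "__main__":
    noisy, flooded = flood_report(make_sample())
    for ip, peak in noisy.items():
        print(f"loud source {ip}: {peak} req/s")
    for sec, total, srcs in flooded:
        print(f"aggregate flood at t={sec}: {total} req/s from {srcs} sources")
```

The per-IP check alone would miss the second burst entirely, since every bot in it sends a single request; that is why the aggregate rate and the distinct-source count are reported together, and why a sudden jump in distinct sources per second is the indicator worth alerting on for botnet-driven floods.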

“The breadth of the attack is unusual,” Stewart says.

The malware is designed to contact various servers to obtain new lists  
of targets. The first list had only five targets — all U.S. government  
sites. A second list used by the malware on July 6 had 21 targets, all  
U.S. government and commercial sector sites, including e-commerce and  
media sites. A list on the 7th switched out some of the U.S. sites for  
ones in South Korea. The total number of sites known to be targeted so  
far is 39, Stewart says, although the list could be augmented as the  
days pass.

Not all the sites were crippled by the attack. Most of the U.S. sites
recovered quickly, but the sites for the Federal Trade Commission, the
Department of Transportation and the Secret Service continued to have
problems for a day or more.

The Department of Homeland Security, which oversees the U.S. Computer  
Emergency Response Team, said in a statement that as of last night,  
all federal websites were back up and running. Spokeswoman Amy Kudwa  
also said that US-CERT had issued a notice to federal departments and  
agencies advising them of steps to take to help mitigate against such  
attacks.

“We see attacks on federal networks every single day, and measures in  
place have minimized the impact to federal websites," she said. "US-CERT
will continue to work with its federal partners and the private
sector to address this activity.”

