July 06, 2011, 4:14 PM — Those of you who are connoisseurs of international cyberthreat conspiracies – both the entertaining Men in Black-ish type and the all-our-infrastructure-belong-to-them that is a lot more dull but a lot more frightening for being largely true – will be excited to hear there is another franchise player on the field.
In March North Korea – whose impression of a cartoonishly extreme Evil Empire has set the standard for smothering repression, campily ridiculous Fearless Leaders and quiet dignity among the starving masses – launched a DDOS attack that knocked down a handful of South Korean web sites, according to an investigation conducted by security software vendor McAfee.
Except for the home page of the U.S. Forces Korea – which is primarily a PR site used by the U.S. Eighth Army to distribute information to civilians, not for actual military communications – all the 14 sites hit were South Korean companies with no particular political significance, despite indications North Korea is training a coterie of cyberwarriors at foreign colleges.
The tipoff that the attack wasn't just part of an extortion attempt or bit of ordinary vandalism was that it was far too meta to be the work of casual or commercial hackers, according to a report from McAfee, which assembled its information with the help of the U.S. and South Korean governments.
(The McAfee report on the South Korean attack titled, poetically, 10 Days of Rain, is available for download here.)
Usually, DDOS attacks come from botnets – armies of zombie PCs infected with malware so they can be remotely controlled by command servers run by attackers.
In this attack there were at least two botnets – the one that launched the DDOS, and a second layer that sent them the orders. McAfee wasn't able to trace back far enough to figure out for sure who was giving the command botnet its orders.
Most botnets are built in hierarchies, just like any other network. First-tier zombies receive commands from the server and pass them on to a pre-determined list of other infected PCs.
That multitier design helps keep the net working when one segment gets closed down and keeps communications from bottlenecking.
Few, if any, botnets use a completely separate command tier whose whole job is to control the rest of the hierarchy and to hide the identity of the attackers, by making it even harder than it would otherwise be to track commands and authorizations back through the first botnet and into the second.