
The moderately large botnet distributed-denial-of-service (DDoS) attacks on government web sites in the U.S. and South Korea on July 4, which continued this week, were probably NOT the work of North Korean intelligence, according to researchers who have analyzed the attacks.

In spite of South Korea’s contention that its rival to the north was to blame, the attacks appear to have been the work of a fairly unsophisticated intruder who used the five-year-old Mydoom worm to build a botnet of about 50,000 machines, mostly in Asia, and launched the attacks from it.

The worm was first identified by Sunbelt Software in January 2004 as Email-Worm.Win32.Mydoom.gen (v). Its variants have always been detected by Sunbelt’s malware analysis technology, MX-V™, included in the company’s VIPRE™ antivirus product line. MX-V is a compact, high-speed virtualized Windows environment integrated into VIPRE that performs rapid behavioral analysis of potential malware.

Mydoom is a mass-mailing worm. It generally arrives as a spam email attachment with a .bat, .cmd, .exe, .scr or .zip file extension. If the recipient runs it, the worm sets up a back door on the system that lets the botnet owner who sent the email control the infected computer. The infected machine, once added to the botnet, can then be used to send further spam that propagates the worm, or to launch denial-of-service attacks. It will install on most Windows operating systems, including Windows 95, Windows NT, Windows 98, Windows 2000, Windows Me, Windows XP, and Windows Server 2003.
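As an added example (not code from the original post, and not Sunbelt’s or VIPRE’s detection logic), the following Python script applies the attachment-type check the paragraph implies: it parses a raw message, flags attachments with the extensions listed above, and looks inside .zip attachments for executables rather than trusting the outer name. The sample message, its addresses and its file names are constructed here for the demonstration.

```python
"""Flag e-mail attachments of the kinds a Mydoom-style mass mailer sends.

Added example, not the original post's or Sunbelt's code. Input is a raw
RFC 822 message as bytes; the sample message built below is constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the post lists for Mydoom attachments, lower-cased.
RISKY_EXTENSIONS = {".bat", ".cmd", ".exe", ".scr", ".zip"}
# Types that run as code when opened; .zip is a container we look inside.
EXECUTABLE_EXTENSIONS = RISKY_EXTENSIONS - {".zip"}


def _extension(filename):
    """Return the final extension (lower-cased), so 'doc.txt.exe' -> '.exe'."""
    name = filename.lower().rstrip()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def zip_executables(data):
    """Return the names of executable members inside a zip archive given as bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _extension(n) in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        # Not a real zip: nothing to unpack, so nothing to report from inside it.
        return []


def risky_attachments(raw_message):
    """Parse a raw message and return (filename, reason) pairs for risky attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, not an attachment itself
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, no attached file
        ext = _extension(filename)
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((filename, "executable attachment"))
        elif ext == ".zip":
            members = zip_executables(part.get_payload(decode=True))
            if members:
                findings.append((filename, "zip containing " + ", ".join(members)))
    return findings


def build_sample_message():
    """Constructed sample: a delivery-failure lure carrying a zipped .exe plus a harmless text file."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        zf.writestr("document.txt.exe", b"MZ-not-really-a-program")  # constructed, not a real binary
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "victim@example.invalid"     # constructed address
    msg["Subject"] = "Mail delivery failed"
    msg.set_content("The message could not be delivered; see attachment.")
    msg.add_attachment(payload.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    msg.add_attachment("just text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

The check deliberately keys on the last extension and on the zip’s contents, because the worm’s lures rely on the recipient seeing only the friendly-looking front of the name or the harmless-looking archive. A mail gateway would normally quarantine or strip such parts rather than just report them.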

It’s been considered a low-level threat and has been detected by most major antivirus products since it first appeared in 2004.

News stories here and here.

Tom Kelchner