Urgent-Massive DDOS Attack!

DDOS attack files.
Known as Mutated Mydoom+Downloader.

filename: msiexec2.exe
size:33,841 bytes
When msiexec2.exe being excuted, it creates ‘uregvs.nis’ file.
There are many target addresses inside of msiexec2.exe code.

Following files attack those web sites.

size: 65,536 bytes

filename: wmiconf.dll
size: 67,072 bytes

some evidences about this attack.

  1. attacker’s IPs came from China.
  2. Using Botnet.
  3. Using Zombie PC.
  4. spreaded by internet.
  5. it changes it’s code automatically.
  6. addresses can be changed by attackers.

It has following Target Addresses.
Following addresses are related with South Korea gov and USA gov.
The attacker’s IPs came from China.
But the origin of attacker’s IPs came from North Korea.

[Target addresses]
Some of websites still can’t be connected or slow.

banking.nonghyup.com - bank blog.naver.com -portal ebank.keb.co.kr - bank ezbank.shinhan.com -bank mail.naver.com -mail service www.assembly.go.kr -gov www.auction.co.kr www.chosun.com -journal www.hannara.or.kr -a political party www.mnd.go.kr -gov www.mofat.go.kr -gov www.president.go.kr -gov www.usfk.mil -US military website in korea finance.yahoo.com -portal travel.state.gov -gov www.amazon.com www.dhs.gov -gov www.dot.gov -gov www.faa.gov -gov www.ftc.gov -gov www.nasdaq.com -stocks www.nsa.gov -gov www.nyse.com -gov www.state.gov -gov www.usbank.com -bank www.usps.gov -US postal service www.ustreas.gov -gov www.voa.gov -voice of america www.voanews.com www.whitehouse.gov -gov www.yahoo.com -portal www.washingtonpost.com -journal www.usauctionslive.com www.defenselink.mil -military www.marketwatch.com -stocks www.site-by-site.com

I know South Korea Websites are under Attack, they dont know who is attacking, but i hear this on the BBC once today. Had no idea US Gov was being DDOS also, they probably dont even feel it. LOL

And yesterday a website that host Malware for IT’s was DDOS also. (Most of there attacking IP’s where form Russia and Ukrain) I Get the feeling that it was a test drive for a upcomming DDOS attack.

They know where this attack came from. It’s from China.
Also US gov knows where this attack came from. It’s from China.
Some of attack informations have been identified.

But I think crazy North Korea is doing this attack.
Or China.

Damn… They should have killed twitter instead of those sites… =/

lol they may, if Twitter is using one of those server or is on a line that is being used to DDOS.


SEOUL, Jul 08, 2009 (AsiaPulse via COMTEX) -- A series of cyber attacks disrupted the Web sites of South Korea's [b]presidential office[/b], [b]government agencies and private firms[/b], but no serious damage was reported, officials said Wednesday.

The so-called distributed denial-of-service (DDoS) attacks against 11 domestic Internet sites started at around 6:00 p.m.

on Tuesday, shutting them down for hours, said the government-run Korea Information Security Agency (KISA).

Hackers disrupted the Web sites of the presidential office Cheong Wa Dae, the National Assembly and the Ministry of Defense, it said.

Among private sites infiltrated were major lenders Shinhan Bank and Korea Exchange Bank.
The cyber attacks also affected the country’s No. 1 portal Naver’s e-mail service and online auctioneer eBay’s South Korean site Auction.com, the agency said.

A DDoS attack involves sending large amounts of data that renders Web servers unusable by obstructing communication between the intended server and the target. The attacks generally use multiple personal computers infected by a hacker, allowing the individual to drive more traffic to the target.

KISA officials said most sites returned to normal as of 10:00 p.m. on Tuesday, though some sites remained unable to get access.

Online attack hits US government Web sites: http://www.networkworld.com/news/2009/070809-online-attack-hits-us-government.html

A botnet comprised of about [b]50,000 infected[/b] computers has been waging a war against U.S. government Web sites and causing headaches for businesses in the U.S. and South Korea.

The attack started Saturday, and security experts have credited it with knocking the U.S. Federal TradeCommission’s (FTC’s) Web site offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the U.S. Department of Transportation (DOT).

Any change you could upload those files to VT and post links?
and also PM them to Melih or Umesh (head of AV)

I think COMODO already knows.

Updated MyDoom responsible for DDOS attacks, says AhnLab.

An updated version of the MyDoom virus is responsible for a large DDOS (distributed denial of service) attack that took down major U.S. Web sites over the weekend and South Korean Web sites on Wednesday, according to Korean computer security company AhnLab.

When it was discovered in January 2004, MyDoom quickly became the fastest-spreading e-mail worm in Internet history. Once a PC was infected with MyDoom, it would harvest e-mail addresses and e-mails itself out repeatedly. Early variants MyDoom were coded to conduct DDOS attacks against other Web sites within certain time periods.

White House, Pentagon websites targeted by cyberattack

Cyberattacks Hit U.S. and South Korean Web Sites

SEOUL, South Korea — Cyberattacks that have crippled the Web sites of several major American and South Korean government agencies since the July 4th holiday weekend appear to have been launched by a hostile group or government, South Korea’s main government spy agency said on Wednesday.