Our investigation of the June 25 South Korea incident first led us to an attack scenario involving the compromise of an auto-update mechanism. As part of our continuous monitoring, we have documented another scenario, presented in this blog entry, in which a DDoS attack was launched against specific sites.
The recent attack against South Korean websites shares a notable trait with the March 20 MBR wiper incident: a time trigger.
Recall that the March 20 MBR wiper was set to overwrite the MBR of affected systems at specific times (either at or before 2 PM on March 20, 2013, or at 3 PM or later on the same date). In the June 25 attack, the trigger time depends on files downloaded from certain URLs; these files function, in effect, as commands that specify when the DDoS attack is to occur. We also found that the malware re-checks the trigger time and re-executes the DDoS component every 24 hours for three days, presumably to ensure that the attack lasts for a specific duration.
This ticking "time bomb" illustrates the impact of time-triggered attacks: coordinated, large-scale effects in a short amount of time.
Figure 1. DDoS Behavior
Looking further into the attack, maximum impact appears to be its primary goal. The DDoS component repeatedly sends relatively large DNS packets (more than one kilobyte each) to two IP addresses. These are the primary and secondary authoritative name servers of record for multiple South Korean government sites. The intent is to knock all of these sites offline indirectly: a user without a cached DNS record for one of these domains must query DNS to translate the domain name to an IP address, and with the authoritative name servers down, that resolution fails. Recursive resolvers keep answers only until their TTL expires, so the outage spreads as cached records age out, which is one reason keeping the name servers down for an extended period matters. By targeting a single point of failure, the attackers can take down multiple sites with one attack.
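As an added example (not code from the original post or from Trend Micro), the following Python shows two checks a defender could run against the behavior described above: a detector that flags hosts sending repeated oversized (more than 1 KB) UDP/53 packets to the same destination within a short window, and a function that lists name servers shared by several zones, i.e. the single points of failure this attack exploited. The flow records, domain names, IP addresses (documentation ranges) and thresholds are all constructed for illustration and are assumptions, not data from the incident.

```python
"""Oversized-DNS flood detection and shared-name-server check.

Added example, not part of the original post. All sample data below is
constructed; OVERSIZED/WINDOW/MIN_PACKETS are assumed thresholds.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float      # seconds (constructed timestamps)
    src: str
    dst: str
    dport: int
    length: int    # UDP payload bytes


# Constructed name-server addresses (documentation range).
NS1 = "198.51.100.10"
NS2 = "198.51.100.11"

OVERSIZED = 1024    # "more than one kilobyte" per packet
WINDOW = 60.0       # seconds over which repeats are counted
MIN_PACKETS = 5     # repeats within WINDOW needed to flag a (src, dst) pair


def _burst(src: str, dst: str, start: float, count: int,
           gap: float = 1.0, size: int = 1200, dport: int = 53) -> List[Flow]:
    """Helper to build a run of constructed flow records."""
    return [Flow(start + i * gap, src, dst, dport, size) for i in range(count)]


# Constructed sample flows: two bots flood the name servers, plus benign noise
# and near-misses that the detector must not flag.
SAMPLE_FLOWS: List[Flow] = (
    _burst("203.0.113.5", NS1, 1000.0, 6)                    # flood: 6 in 6 s
    + _burst("203.0.113.6", NS2, 1000.0, 5)                  # flood: 5 in 5 s
    + _burst("203.0.113.7", NS1, 1000.0, 4)                  # below MIN_PACKETS
    + _burst("203.0.113.9", NS1, 1000.0, 5, gap=30.0)        # 5 packets, but spread over 120 s
    + _burst("203.0.113.8", NS1, 1000.0, 6, dport=80)        # oversized, but not DNS
    + [Flow(1001.0, "192.0.2.20", NS1, 53, 64),              # ordinary queries
       Flow(1002.0, "192.0.2.20", NS2, 53, 70),
       Flow(1003.0, "192.0.2.21", NS1, 53, 1300)]            # one isolated large query
)


def oversized_dns_sources(flows: Iterable[Flow],
                          size_threshold: int = OVERSIZED,
                          window: float = WINDOW,
                          min_packets: int = MIN_PACKETS) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): n} for pairs that sent at least `min_packets`
    oversized UDP/53 packets within some `window`-second span; n is the
    largest such count. Uses a sliding window over sorted timestamps."""
    buckets: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for f in flows:
        if f.dport == 53 and f.length > size_threshold:
            buckets[(f.src, f.dst)].append(f.ts)

    hits: Dict[Tuple[str, str], int] = {}
    for key, times in buckets.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # drop packets older than the window
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_packets:
            hits[key] = best
    return hits


# Constructed zone-to-name-server mapping (as returned by NS lookups).
SAMPLE_NS: Dict[str, List[str]] = {
    "agency-a.example": [NS1, NS2],
    "agency-b.example": [NS1, NS2],
    "agency-c.example": [NS1, "198.51.100.50"],
    "unrelated.example": ["198.51.100.60"],
}


def shared_nameservers(ns_records: Dict[str, Iterable[str]],
                       min_domains: int = 2) -> Dict[str, List[str]]:
    """Map each name-server IP to the zones depending on it, keeping only
    servers shared by at least `min_domains` zones: knocking one of these
    offline takes every listed zone with it."""
    by_ns: Dict[str, List[str]] = defaultdict(list)
    for domain, servers in ns_records.items():
        for ns in set(servers):
            by_ns[ns].append(domain)
    return {ns: sorted(doms) for ns, doms in by_ns.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for (src, dst), n in sorted(oversized_dns_sources(SAMPLE_FLOWS).items()):
        print(f"ALERT oversized DNS flood {src} -> {dst}: {n} packets within {WINDOW:.0f}s")
    for ns, doms in sorted(shared_nameservers(SAMPLE_NS).items()):
        print(f"shared name server {ns}: {', '.join(doms)}")
```

The detector deliberately ignores a single large query and a slow trickle of large packets, since DNSSEC-enabled or EDNS0 traffic can legitimately exceed 1 KB; it is the repetition against the same destination that marks the flood. The second function is the planning-side counterpart: if every zone you care about resolves through the same two addresses, those addresses are the attack surface, regardless of how many web servers sit behind them.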
All the components of this attack are already detected as TROJ_DIDKR.A, and the URLs hosting these malicious files have been blocked as well. We will continue to be on the lookout for further threats and will release new information as it becomes available.
With additional analysis from Threat Researchers Rhena Inocencio and Teoderick Contreras.