
Friday, July 10, 2009

Recent Cyber Attacks Involved 200,000 Computers

Crippling cyber-attacks relied on 200,000 computers
By Joseph Menn in San Francisco
Published: July 10 2009 03:00 | Last updated: July 10 2009 03:00
The waves of cyber-attacks that crippled government and commercial websites in the US and South Korea relied on roughly 200,000 computers, more than triple earlier estimates, and used an established technique for spreading the infections through other compromised internet pages, researchers said yesterday.

Investigators also found that the computers used as pawns in the denial-of-service assaults that started over the weekend were checking for further instructions from two master computers in Germany and one in Austria, which authorities disconnected. The identification of those command servers provided some hope that the probe will lead to individual suspects or groups.

"We're making a bit of progress," said an investigator assisting the government on the case.

South Korean intelligence officers have said that they suspect the involvement of North Korea, which has been working to develop its cyber-warfare capability and is embroiled in escalating disputes with Seoul and Washington.

Before, the main technical evidence in support of that claim was the disproportionate number of attacking machines in South Korea. In addition to that, Joe Stewart, a researcher at SecureWorks, said yesterday that some of the programme used Korean characters. But Mr Stewart said that did not mean the architect of the assault was Korean, and other evidence coming to light pointed elsewhere.

A key method for creating the infectious sites emerged as remote file inclusion, according to a researcher who discovered hacked web servers in various places, including pages belonging to the governments of Morocco and Malaysia.

Analysis of code from those sites showed they were spreading the programmes found on attacking machines, including portions of the five-year-old MyDoom virus, and also issuing the directions to attack three dozen sites.

Remote file inclusion attacks have become popular with criminal gangs who use them to create "botnets" of personal computers that send spam and give up their owners' sensitive financial data, said the researcher who found the malicious sites, who uses the pseudonym Jart Armin.

That approach does not by itself rule out North Korea, but Jart Armin said it made it more likely that the offenders were ordinary criminals.

Copyright The Financial Times Limited 2009
