More than forty South Korean government websites were subject to intense distributed denial of service (DDoS) attacks over the weekend.
Targets included sites maintained by the Defense Ministry, the National Intelligence Service, the Foreign Ministry, the National Assembly and the Office of the President.
DDoS attacks are almost commonplace these days, but what makes the botnet employed in this series of attacks special is that it utilizes code that causes the host machines to automatically self-destruct.
Researchers at McAfee have identified a "destructive payload" in the malware controlling the botnet used in the South Korean DDoS attacks.
"Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it," wrote McAfee's Georg Wicherski.
Wicherski notes that the command and control (C&C) structure of the botnet uses two layers of control servers, one under direct control of the botnet owner, and the other serving task files downloaded directly to the infected computers that carry additional instructions.
Secondary components of the botnet code seek out these task files to carry out the attack. Based on a timestamp recorded when the files are downloaded, the clock starts running down until the device initiates a self-destruct command which overwrites the hard drive and destroys all data.
"The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection," Wicherski explains.
Wicherski feels the complexity and destructive nature of the botnet code is an ominous sign of things to come.
"One thing is clear: This is a serious piece of malware. It uses resilience techniques to avoid a takedown and even has destructive capabilities in its payload. This year is quickly shaping up to be a period of serious attacks and escalations on the cyberfrontier," Wicherski stated.
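A defender's check for the damage described above, as an added example that is not from McAfee's analysis or the original article: it inspects a 512-byte copy of a disk's first sector for signs that the master boot record was overwritten. The function names, the sample sector and the optional baseline hash are assumptions made for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446        # four 16-byte partition entries start here


def inspect_mbr(sector, baseline_sha256=None):
    """Return findings for a sector-0 image; an empty list means it looks intact."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if len(set(sector)) == 1:
        findings.append("sector filled with byte 0x%02x (wiped)" % sector[0])
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    used = 0
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        # Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, _lba, _count = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if ptype == 0:
            continue  # unused slot
        used += 1
        if status not in (0x00, 0x80):
            findings.append("partition %d has invalid status 0x%02x" % (i, status))
    if used == 0:
        findings.append("partition table is empty")
    if baseline_sha256 and hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("sector differs from recorded baseline")
    return findings


def build_sample_mbr():
    """Constructed sample: minimal MBR with one active NTFS-type partition."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x3c\x90"  # placeholder boot-code bytes
    s[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = hashlib.sha256(good).hexdigest()
    print("intact:", inspect_mbr(good, baseline))
    print("wiped: ", inspect_mbr(bytes(SECTOR_SIZE), baseline))
```

Recording the baseline hash while a machine is known to be clean lets the same check flag any later change to the sector, not only a full wipe.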