South Korean police arrested a man from Seoul last week, on suspicion of working with North Korea to develop games infected with spyware.

According to a news report in the Korea JoongAng Daily, the 39-year-old game distributor was arrested on June 3 and charged with violating the National Security Law.

The law is North Korea-specific. Passed as the National Security Act in 1948, it outlawed:

communism;
recognition of North Korea as a political entity;
organizations advocating the overthrow of the government;
the printing, distributing, and ownership of “anti-government” material;
and any failure to report such violations by others.

The man was identified only by his family name, which news outlets render as either Cho or Jo.

Police claim that Cho met with North Korean spies who had set up a hacking base disguised as a trading firm in the northeastern Chinese city of Shenyang.

The North Korean spies were allegedly associated with the country’s Reconnaissance General Bureau.

According to the Federation of American Scientists, this department ferrets out strategic, operational, and tactical intelligence for the Ministry of the People’s Armed Forces and plants spies in South Korea, either via boat or through tunnels under the demilitarized zone.

The Seoul Metropolitan Police said that Cho paid the spies tens of millions of won to develop the illegal game software.

Ten million won is equal to US $8520 or £5514.

The police allege that Cho turned to the reconnaissance unit to develop the games at this cheap price and knew they were infected.

According to Geek.com, the cost of the infected games was about one-third of a typical price.

Cho is also accused of setting up a server in South Korea that the North Koreans used in attempts to launch DDoS attacks against South Korean networks.

According to Geek.com, one such recent DDoS attack was launched against South Korea’s Incheon International Airport. Airport departures were disrupted multiple times in the spring of 2011 as a result.

The attack used a botnet of zombified computers that had been infected after their owners downloaded the Trojans by playing the poisoned games.

Beyond turning players’ computers into zombies, authorities also believe that Cho may have passed along personal information about more than 100,000 registered users to the North Koreans.

The police said Cho retained the personal information of hundreds of thousands of South Koreans, having collected the data from major portals.

This isn’t the first time North Korea has been implicated in cyberwarfare against South Korea.

There have long been claims that North Korea is operating a cyberwarfare unit (presumably being countered by the one alleged to exist in South Korea), and in 2008 it was reported that South Korea’s military command and control centre was the target of a spyware attack from North Korea’s electronic warfare division.

The woman at the centre of that case, who was accused of seducing army officers in exchange for military secrets, was subsequently jailed for five years.

In 2009, a massive DDoS attack crippled 26 South Korean and foreign governmental websites, including military sites.

This spring, between April 28 and May 13, North Korea’s Reconnaissance General Bureau also disrupted GPS signals throughout the Korean peninsula.

The Reconnaissance General Bureau’s cultivation of cyber warriors is now at such an advanced state, in fact, that a South Korean expert recently claimed that North Korea’s abilities to wage a devastating cyber war are behind only those of the US and Russia.

Source: http://nakedsecurity.sophos.com/2012/06/11/north-korea-uses-infected-games-to-ddos-south-korea/

Researchers at network security vendor Arbor Networks are warning of an actively developed, steadily improving tool being used by cybercriminals to conduct powerful distributed denial-of-service (DDoS) attacks.

The tool, called MP-DDoser or IP-Killer, was first detected in December 2011 and, according to Jeff Edwards, a research analyst at Chelmsford, Mass.-based Arbor Networks Inc., the tool’s authors are making progress in eliminating flaws and adding improvements. The active development is boosting the tool’s attack capabilities and advancing the encryption used to protect its botnet communications. Arbor released a report (PDF) analyzing MP-DDoser’s capabilities and improvements.

“The key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique … that may be considered reasonably cutting edge,” wrote Edwards, a member of Arbor’s security engineering and response team, in a blog entry Thursday.

Edwards said the “Apache Killer” technique, which can be deployed by the tool, sends specially crafted requests that make an Apache Web server exhaust its memory and ultimately crash. The technique is low-bandwidth, which makes the malicious requests hard to distinguish from legitimate traffic and filter out. A less successful form of the attack was used by a previous botnet, Edwards said, but the MP-DDoser authors appear to have incorporated it with some improvements.

“A review of the [IP-Killer] bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack,” Edwards wrote. “It is therefore one of the more effective low-bandwidth, ‘asymmetrical’ HTTP attacks at the moment.”
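The article names the technique but not its mechanics. In the public record, “Apache Killer” is the Range-header attack against Apache httpd (CVE-2011-3192): a single request carrying hundreds of overlapping byte ranges made vulnerable servers allocate memory for every range, so a handful of requests could exhaust a server. The Python below is an added example, not Arbor’s code and not from the article; it implements the check the Apache project recommended as an interim mitigation (treat a Range header listing more than five ranges as abusive) and additionally flags overlapping ranges. The `attack_header` helper and its sample values are constructed for the test, and the `MAX_RANGES` threshold is the advisory’s value, not anything from the article.

```python
"""Detect abusive HTTP Range headers of the kind used by the Apache Killer
technique (CVE-2011-3192).  Added example: not from the article or from Arbor.

Vulnerable httpd versions allocated memory per byte range in a request, so a
Range header with hundreds of overlapping ranges let a low-bandwidth request
consume a lot of server memory.  The check mirrors the interim mitigation the
Apache project published (refuse headers with more than five ranges) and also
flags overlapping ranges, which no legitimate client sends.
"""
import re

MAX_RANGES = 5                       # threshold from the Apache project's interim mitigation
_RANGE_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header_value: str):
    """Parse 'bytes=a-b,c-d,...' into a list of (start, end) tuples.

    Suffix ranges ('-500') have start=None; open ranges ('500-') have end=None.
    Returns None when the header is not a syntactically valid byte-range set.
    """
    unit, sep, spec = header_value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for part in spec.split(","):
        m = _RANGE_RE.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def ranges_overlap(ranges) -> bool:
    """True if any two absolute (non-suffix) ranges cover a common byte."""
    absolute = sorted((s, e if e is not None else float("inf"))
                      for s, e in ranges if s is not None)
    for (_, e1), (s2, _) in zip(absolute, absolute[1:]):
        if s2 <= e1:                 # sorted by start, so this pair shares a byte
            return True
    return False


def classify_range_header(header_value: str) -> str:
    """Return 'ok', 'malformed' or 'abusive' for one Range header value."""
    ranges = parse_ranges(header_value)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES or ranges_overlap(ranges):
        return "abusive"
    return "ok"


def attack_header(n: int) -> str:
    """Constructed sample shaped like the Apache Killer header: n overlapping ranges."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(n))


if __name__ == "__main__":
    for value in ("bytes=0-499", "bytes=0-99,50-149", attack_header(1300)):
        print(f"{classify_range_header(value):9s} {value[:40]}")
```

Run `classify_range_header` on the value of each incoming Range header before the request reaches the origin. An “abusive” request is best served without the header (the client gets the whole resource), which is what the advisory’s `RequestHeader unset Range` mitigation did; later httpd releases added the `MaxRanges` directive, which caps the accepted count (default 200) the same way.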

Asymmetric DDoS attacks typically use a small volume of traffic to consume resources on, or alter the state of, network components, according to the United States Computer Emergency Readiness Team (US-CERT). Such attacks are meant to overwhelm the CPU and memory of a network device rather than its bandwidth, according to US-CERT.

The steady increase in easily obtainable, automated DDoS attack tools has put the technique in the hands of less-savvy cybercriminals. Arbor Networks’ Worldwide Infrastructure Report 2012 detailed a steady increase in powerful attacks over the last five years. The report, which surveyed 114 service providers, found that sophisticated lower-bandwidth attacks like those mounted with MP-DDoser are an increasing concern.

MP-DDoser, IP-Killer botnet communications improvements
The MP-DDoser botnet does not spread spam or malware, making it more effective at conducting DDoS campaigns, according to Edwards.

The authors of MP-DDoser are also employing encryption and key management as part of network communications, Edwards said. Encrypting communications is becoming more common in malware to make it more difficult for investigators to trace the transmissions between the bot and the command-and-control server. Edwards called the MP-DDoser authors’ encryption a “home brew” algorithm, which forces researchers to reverse-engineer the scheme itself rather than reuse a known cipher implementation when decrypting the traffic.

“All in all, MP-DDoser uses some of the better key management we have seen. But of course, at the end of the day, every bot has to contain – or be able to generate – its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one,” Edwards wrote.

Source: http://searchsecurity.techtarget.com/news/2240153127/Arbor-Networks-warns-of-IP-Killer-MP-DDoser-DDoS-tool

The San Diego County Registrar of Voters’ website went out of service on election night because a firewall recognized an attempt to attack the site, officials said today, adding that an investigation was being conducted.

Sdvote.com went down soon after initial results were posted after 8 p.m. Tuesday, and the site remained inoperative for about two hours. Access to the site was also spotty after midnight.

Residents and local politicos use the site to track results. The county also uses its information technology to send a direct feed of results to news media, but that feed was not interrupted.

According to a county statement, sdvote.com began receiving well over 1 million hits per minute from a single Internet protocol address around 8:15 p.m., so a firewall that recognized suspicious activity shut down outside access to county websites.
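The county’s description (well over a million hits a minute from one address, caught by a firewall rule) amounts to a per-source request-rate threshold. The Python below is an added example, not the county’s or Hewlett-Packard’s configuration: it parses access-log lines in the common log format, keeps a sliding window of request times per client IP, and reports any address whose count inside the window exceeds a threshold. The log lines are constructed (documentation-range IP addresses, a made-up results page), and the threshold in the test is kept small so the sample stays readable; in production it would be set relative to the site’s normal per-client rate, far below the figure the county reported.

```python
"""Per-source request-rate check: flag any client IP whose request count within
a sliding window exceeds a threshold.  Added example; the log lines are
constructed, not taken from sdvote.com, and the threshold is a parameter.

Assumes the log is in chronological order, as a single server's access log is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: client IP, identd, user, [timestamp], "request", status, bytes
_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_clf(line):
    """Return (client_ip, timestamp, request_line, status) or None for junk lines."""
    m = _CLF_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, _TS_FMT), req, int(status)


def find_floods(lines, threshold, window_seconds=60):
    """Return {ip: peak_requests_in_window} for every IP whose request count in
    some window of window_seconds (inclusive of both ends) exceeds threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> request times still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue                 # unparseable line: skip rather than crash the detector
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def make_sample_log():
    """Constructed sample: two ordinary visitors plus one address hammering the
    results page at roughly ten requests per second for thirty seconds."""
    base = datetime(2012, 6, 5, 20, 15, 0, tzinfo=timezone(timedelta(hours=-7)))
    lines = []
    for i in range(300):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f'203.0.113.7 - - [{ts.strftime(_TS_FMT)}] '
                     f'"GET /results.html HTTP/1.1" 200 5120')
    for i, ip in enumerate(["198.51.100.20", "198.51.100.21", "198.51.100.20"]):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f'{ip} - - [{ts.strftime(_TS_FMT)}] '
                     f'"GET /results.html HTTP/1.1" 200 5120')
    return sorted(lines, key=lambda l: parse_clf(l)[1])


if __name__ == "__main__":
    for ip, n in find_floods(make_sample_log(), threshold=100).items():
        print(f"{ip}: {n} requests in one 60 s window")
```

The check only identifies the offending source; the response still decides availability. Dropping the one address that trips the threshold keeps the site up for everyone else, whereas closing outside access to all county websites, as happened here, turns a single-source flood into the outage the attacker wanted.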

Investigators said they believe the “denial of service” attack was launched against the site to prevent legitimate users from obtaining information.

It was unknown if the attack was meant to disrupt the election itself, according to the county.

IT vendor Hewlett Packard ruled out any hardware or software issues, and there was plenty of capacity for the number of users who tried to use sdvote.com, according to the county.

County officials said they were working with a security team and Hewlett Packard to find who or what was responsible for the attack, and reviewing ways to keep such an event from taking down the site in the future.

Source: http://www.kpbs.org/news/2012/jun/07/county-says-its-voting-results-website-was-hacked-/

Last year there was an odd incident in South Korea, where a widely distributed computer game appeared to be infected with malware (software that secretly uses the PC it is on for criminal activity, including stealing valuable data from that PC). What caught the attention of South Korean military intelligence was the fact that the malware was hidden in every copy of this game and, at one point, many of the 100,000 infected PCs tried to shut down the air traffic control system at a major South Korean airport.

Further investigation revealed that the airport attack was part of a growing cyber war campaign by North Korea against government and military web sites in South Korea. One of the most disruptive North Korean cyber war weapons was the DDoS (distributed denial of service) attack. These are carried out by first using a computer virus (often delivered as an email attachment or, in this case, via a game) that installs a Trojan horse program, which allows someone else to take over that computer remotely and turn it into a “zombie” for spamming, stealing, monitoring or DDoS attacks to shut down another site. There are millions of zombie PCs out there, and these can be rented, either for spamming or for launching DDoS attacks. Anyone with about $100,000 in cash, including North Korea, could carry out such attacks. You can equip a web site to resist, or even brush off, a DDoS attack, and some of those attacked were prepared. But others were not. The South Korean airport was disrupted for several hours.

Last year was the third time since 2009 that someone, apparently North Korea, has launched DDoS attacks and attempted to hack into South Korean networks. But part of this latest DDoS effort was carried out by a North Korean botnet of zombie PCs obtained by selling the malware-infected games. Further investigation found that the South Korean creator of the games had been financed by North Korean agents, who provided the malware payload. These games were made available for sale on South Korean web sites. Police are still inspecting the malware, which may have been stealing data from infected PCs in addition to being part of a botnet of PCs used for DDoS attacks.

Source: http://www.strategypage.com/htmw/htiw/articles/20120607.aspx

Using Service Providers to Manage DDoS Threats

As you’ve no doubt seen in recent years, hacktivists (hackers who attack for a cause) such as Anonymous and LulzSec are becoming increasingly bold in their attacks on corporate America. Using the Internet as a venue, they are launching attacks from hundreds or thousands of zombie computers to overwhelm victims’ bandwidth and servers. These distributed denial-of-service (DDoS) attacks can last for minutes or days, leaving your employees and customers without access to online resources.

Many options are available for protecting against, and mitigating the effects of, a DDoS attack. However, with the increasing use of third-party service providers, your organization must consider whether and how these providers can fit into a comprehensive and strategic DDoS protection plan. The good news is that these providers likely have far more resources and know-how than your own organization when it comes to fighting against DDoS attacks. The trick will be to proactively engage with providers to ensure that the full force of these resources will be effectively leveraged for your own organization’s needs.

In this report, we examine how you can combine your protections with those of third-party service providers to protect against and/or withstand DDoS attacks. One of the most important takeaways is that you must prepare in advance. You cannot wait until after the DDoS hits to implement these technologies or coordinate protection with your service providers.

Source and to download this report: http://reports.informationweek.com/abstract/21/8817/security/strategy-using-service-providers-to-manage-ddos-threats.html