Korea and US DDoS attacks: The attacking source located in United Kingdom
Bkis, as a member of APCERT, received a request from KrCERT (Korean Computer Emergency Response Team) to investigate the incident that was performing DDoS attacks on websites of
We have analyzed the malware pattern that we received from KrCERT and have located the botnet controlled by 8 Command and Control (C&C) servers via controlling code embedded in a file named "flash.gif". Every 3 minutes, zombies randomly select one of the 8 servers to connect to and to receive orders. Especially, we found a master server located in
In order to locate the source of the attacks, we have fought against C&C servers and have gained control of 2 in 8 of them. After analyzing the logs of these 2 servers, we discovered the IP address of the master server, which is 195.90.118.xxx. This IP is located in
During the past few days, the number of zombies has been estimated to be 50,000 by Symantec and about 20,000 by Government of South Korea. But, by taking control of two C&C servers and analyzing logs on these servers, we count the exact number of zombies that have been querying C&C servers to receive commands. Accordingly, there have been 166,908 zombies from 74 countries around the world that have been used for the attacks.
Top 10 zombies host countries
Having located the attacking source in
*Note: Bkis is the former trademark of Bkav. Since January 1st, 2010, Bkav has been consistently used as the official trademark globally.