<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; distributed denial of service</title>
	<atom:link href="http://blogs.mcafee.com/tag/distributed-denial-of-service/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 24 May 2013 19:54:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Combating Distributed Denial of Service Attacks in Brazil, Latin America, and Everywhere Else</title>
		<link>http://blogs.mcafee.com/mcafee-labs/combating-distributed-denial-of-service-attacks-in-brazil-ltam-and-everywhere-else</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/combating-distributed-denial-of-service-attacks-in-brazil-ltam-and-everywhere-else#comments</comments>
		<pubDate>Thu, 03 Nov 2011 23:34:23 +0000</pubDate>
		<dc:creator>David Marcus</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Brazil]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[distributed denial of service]]></category>
		<category><![CDATA[DoS]]></category>
		<category><![CDATA[LOIC]]></category>
		<category><![CDATA[SlowLoris]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=12313</guid>
		<description><![CDATA[One of the most disruptive attacks to deal with in today&#8217;s threat landscape is the distributed denial of service attack, often called DDoS. Using the resources of many other computers, an attacker can focus a vast amount of packets and power at a single resource and effectively knock it offline for as long a time <a href="http://blogs.mcafee.com/mcafee-labs/combating-distributed-denial-of-service-attacks-in-brazil-ltam-and-everywhere-else">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>One of the most disruptive attacks to deal with in today&#8217;s threat landscape is the distributed denial of service attack, often called DDoS. Using the resources of many other computers, an attacker can focus a vast amount of packets and power at a single resource and effectively knock it offline for as long a time as desired. This is a class of attack that must be respected and properly prepared for.</p>
<p>Recently McAfee Labs became aware of a series of DDoS attacks taking place in Brazil during the last several days. Victims of these attacks included those in the telecommunications and banking sectors. Upon analysis, these attacks appear to use a mix of techniques: old-school SYN and ICMP flooding alongside newer tools such as LOIC and SlowLoris. Regardless of the tools used, these types of attacks can be devastating to an online business and its brand.</p>
<p>While the attacks on Brazilian companies do not stand out in their technique (good DDoS is still DDoS), they are significant because Brazil is a large, fast-growing economy that affects other regions and should be looked at in a serious light regardless of the attackers and their motivations. So the question remains: What strategies can companies use to minimize the damage from these types of attacks?</p>
<p>No one technology will do the job. Never has, never will. Good security is about process, people, and technology. Certainly newer technologies like next-generation intrusion prevention and firewalls with IP reputation are of great value and should be looked at; but a good, thorough penetration test should be at the top of everyone&#8217;s list along with forensics and a good incident-response plan.</p>
<p>If your company is in the same business as some of the recent victims, then this is a good time to take stock, undergo a good pen-test, and see how well prepared you are.</p>
<p>Revisit your security basics, layer your defenses, and <strong>expect</strong> an attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/combating-distributed-denial-of-service-attacks-in-brazil-ltam-and-everywhere-else/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 Days of Rain in Korea</title>
		<link>http://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea#comments</comments>
		<pubDate>Tue, 05 Jul 2011 15:57:06 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[distributed denial of service]]></category>
		<category><![CDATA[North Korea]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[South Korea]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=9854</guid>
		<description><![CDATA[On March 4th of this year, exactly 20 months to the day after a similar incident on US Independence Day in 2009, a botnet based out of South Korea launched Distributed Denial of Service (DDoS) attacks against 40 sites affiliated with the South Korean government, military and civilian critical infrastructure as well as U.S. Forces Korea <a href="http://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>On March 4th of this year, exactly 20 months to the day after a <a href="http://www.foxnews.com/story/0,2933,530560,00.html">similar incident on US Independence Day in 2009</a>, a botnet based out of South Korea <a href="http://www.bbc.co.uk/news/technology-12646052">launched Distributed Denial of Service (DDoS) attacks</a> against 40 sites affiliated with the South Korean government, military and civilian critical infrastructure as well as U.S. Forces Korea and the U.S. Air Force Base in Kunsan, South Korea.</p>
<p>Fourteen of the targets were the same as in <a href="http://blogs.csoonline.com/online_attack_hits_us_government_web_sites">the 2009 attacks</a>, but nearly all of the U.S.-based targets such as The White House, State Department, FAA and FTC were removed from the target list. The modus operandi of the attacks was identical and unusually destructive for typical botnet attacks: the botnet, based in South Korea, was dynamically updated via new malware binaries, launched a relentless DDoS for slightly over a week, and then destroyed the machines it was deployed on by overwriting key data files such as source code and documents with zeroes, deleting them, and then zeroing out the Master Boot Record (MBR) to render the computers unbootable.</p>
<p>In March 2011, however, the level of sophistication was dramatically ramped up, especially for something as simple as a DDoS attack. In fact, it was analogous to bringing a Lamborghini to a go-kart race. Multiple encryption algorithms, such as AES, RC4, and RSA, were used to obfuscate numerous parts of the code and configuration of the attack components to slow down analysis. Over 40 globally distributed multi-tier Command &amp; Control servers (USA, Taiwan, Saudi Arabia, Russia and India accounted for over half of all servers) were used to dynamically update the malware and its configurations in a fashion designed to be highly resilient against takedowns. It was also clear from our analysis of the code that multiple individuals who may not have been in close coordination were responsible for developing its various parts.</p>
<p>So what was the goal of these attacks, and why was so much effort employed to do something that’s fairly trivial in this day and age – flood a Web site with purposeless traffic to slow it down or bring it completely offline? We believe this incident, which we estimate has a 95% chance of being perpetrated by the same actors as the July 4th 2009 attacks, has very clear anti-Korean and anti-U.S. political motivations and potentially is even more insidious. The level of encryption and obfuscation at all layers of the malware and its distribution method, as well as the quick follow-on destruction of data and machines, indicates that one of the key objectives was to impede rapid analysis and remediation by the Korean authorities. This may very well have been a test, an armed cyber reconnaissance operation of sorts, perhaps conducted by the North Korean military as the South Korean National Intelligence Agency has asserted, to test the defenses and, more importantly, the reaction time of the Korean government and civilian networks to a well-organized and highly obfuscated attack. Knowing that would be invaluable in a possible future armed confrontation on the peninsula, since cyberspace has already become the fifth battlespace dimension, in addition to land, air, sea, and space.</p>
<p>We have published an <a href="https://prod.secureforms.mcafee.com/content/verify?docID=70F85908-BF74-4D45-BA38-835F832447B2&amp;cid=WB247&amp;aName=RC&amp;src=web&amp;aType=white_paper&amp;locale=us">in-depth paper on this incident</a> and McAfee’s analysis of it, detailing information about:</p>
<p>• The target Web sites and methodology of the DDoS attacks<br />
• The different cryptographic algorithms in place and how they have been used to deter analysis<br />
• Interesting mistakes made by the actors involved<br />
• Attribution theory and analysis of intent</p>
<p>As with most initiatives at McAfee, this was a team effort bringing together researchers from McAfee Labs with other departments at McAfee, our partners, and our customers. I would like to give a special thanks to the US-CERT, Department of Defense analysts, and AhnLabs, as well as our own – Dmitri Alperovitch, Brian Contos, Sven Krasser – and countless others for their tireless effort, support, and fighting the good fight every day.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
