By Kim Tong-hyung
Staff Reporter
The powerful Internet attack that crippled South Korean computers earlier this month may have been initiated by local hackers after all, according to a police report issued on Monday.
The National Police Agency's cyber crimes unit said the malicious software used in the recent distributed denial of service (DDoS) attacks was distributed through two "Web hard" online storage sites, which handle commercial peer-to-peer file transfers.
Authorities, including the Korea Communications Commission (KCC) and the National Intelligence Service (NIS), have been struggling to track down the source of the cyber criminals.
However, police investigators say that 21 of the 27 "zombie" computers they examined, machines infected and taken over by the malicious code, had been infected by programs downloaded from the two online storage sites.
Although the malicious software was distributed from Korean sites, the attackers used four separate servers based overseas to control the programs once they were installed on victims' computers.
"The DDoS attackers hacked two Korean Web sites, based in Seoul and Busan, and switched the program update files of the sites with their malicious codes," said a police officer.
"Users of these online storage sites unknowingly downloaded the malicious programs, thinking they were updating the programs for the peer-to-peer transactions. We found four foreign servers that we believed were used to issue the attack orders."
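The attack vector the police describe, a compromised download server handing out a swapped update file, is the reason an updater must anchor its integrity check in the client rather than in anything fetched from the same server. The following is an added illustration, not code from the article or from any of the sites involved: the "update files", the digests and the server replies are all constructed for the demo. It contrasts a check that trusts a digest published next to the file (which the attacker can rewrite along with the file) with a check against a digest pinned into the client at build time.

```python
"""Update-file verification demo (added example, not from the article).

Models the attack described in the article: the download server is
compromised and the update file is swapped.  Shows why the integrity check
must be anchored in the client (a value pinned at build time), not in
metadata served alongside the file.  All payloads and digests below are
constructed for the demo.
"""
import hashlib
import hmac

# Constructed "update files" standing in for the real P2P client updater.
LEGIT_UPDATE = b"webhard-updater v2.3.1: benign update payload"
TROJANED_UPDATE = b"webhard-updater v2.3.1: payload carrying a DDoS bot"

# Digest the vendor computed at build time and shipped inside the client.
# In production this is usually a pinned public key that verifies a
# signature over the release manifest; a pinned digest is used here to keep
# the example standard-library only.  The trust-anchor point is the same.
PINNED_SHA256 = hashlib.sha256(LEGIT_UPDATE).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an update payload."""
    return hashlib.sha256(data).hexdigest()


def server_response(compromised: bool) -> dict:
    """Constructed download-server reply: the file plus a same-origin digest.

    When the server is compromised, the attacker swaps both the file and the
    digest published next to it, exactly as a manifest hosted on the same
    server would be swapped.
    """
    payload = TROJANED_UPDATE if compromised else LEGIT_UPDATE
    return {"file": payload, "advertised_sha256": sha256_hex(payload)}


def verify_against_server_digest(resp: dict) -> bool:
    """Weak check: trusts the digest served with the file.

    Accepts the trojaned update, because the attacker controls both values.
    """
    return hmac.compare_digest(sha256_hex(resp["file"]),
                               resp["advertised_sha256"])


def verify_against_pinned_digest(resp: dict,
                                 pinned: str = PINNED_SHA256) -> bool:
    """Correct check: compares against a value the download server cannot
    alter.  compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(resp["file"]), pinned)


def apply_update(resp: dict, pinned: str = PINNED_SHA256) -> str:
    """Only "install" (here: return the payload) when the pinned check passes."""
    if not verify_against_pinned_digest(resp, pinned):
        raise ValueError("update rejected: digest does not match pinned value")
    return resp["file"].decode()


if __name__ == "__main__":
    for compromised in (False, True):
        resp = server_response(compromised)
        print(f"server compromised={compromised}: "
              f"same-origin check={verify_against_server_digest(resp)}, "
              f"pinned check={verify_against_pinned_digest(resp)}")
```

Run stand-alone, the script shows the same-origin check passing in both cases while the pinned check rejects the swapped file. A real updater should pin a signing key rather than a single digest so that legitimate new releases can ship, but the property being demonstrated does not change: whatever the client compares against must not come from the server it is downloading from.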
In a DDoS attack, many compromised systems flood a target with traffic that exhausts its bandwidth or resources. More than 80,000 South Korean computers were affected by the series of DDoS attacks that began on July 7, while targets in the United States and China were also hit, albeit less severely.
The infected computers were organized into "botnets," networks of compromised machines running bot software that generates the DDoS traffic on its own. The bots take their orders from a command and control (C&C) system set up by the attackers.
A total of 432 servers based in 61 countries were used by the hackers for C&C operations in the recent attacks, police officials say. Through the C&C servers, the hackers attempted to steal information from the infected computers, used the machines to spread the malicious code to other computers and, finally, instructed the zombies to destroy themselves.
According to data provided by German law enforcement authorities, about 98 percent of the 55,500-plus zombie computers that communicated with the C&C server based in Germany were Korean computers, the police agency said.
thkim@koreatimes.co.kr