3.3 DDoS Report

2011-03-05 Hauri

https://cppg.or.kr/issue/download.php?bo_table=qna&wr_id=2315&no=0&page=3

Attachments

3.3_DDoS_Report.pdf (2 MB)

The March 2011 South Korea DDoS incident began with compromised web-hard update mechanisms, including Sharebox and later similar file-distribution services such as Bobofile and Filecity, which rapidly pushed malicious update binaries to users. The malware chain downloaded additional components such as SBUpdate.exe, Host.dll, ntcm63.dll, and randomized service DLLs from relay servers, then split functions across modules for host-file tampering, encrypted command communication, DDoS execution, and destructive payloads. Scheduled attacks used UDP, ICMP, and HTTP-style request flooding against South Korean government, military, financial, portal, and security-related sites, while a separate component searched common document formats, compressed filenames into CAB form, and overwrote data with zeros. The report lists hashes and infrastructure including relay IPs such as 209.107.241.247 and 98.21.253.110, and notes structural similarities to the 2009 July 7 DDoS attacks with stronger encryption and continued abuse of web-hard software distribution channels.

Indicators of Compromise

Type    Value                                 First Seen  Last Seen
DOMAIN  sub.sharebox.co.kr                    2011-03-05  2011-03-09
IPv4    173.18.37.158                         2011-03-05  2011-03-07
IPv4    78.39.222.97                          2011-03-05  2011-03-07
IPv4    82.154.248.137                        2011-03-05  2011-03-07
IPv4    207.191.121.170                       2011-03-05  2011-03-07
IPv4    209.107.241.247                       2011-03-05  2011-03-07
IPv4    212.200.11.82                         2011-03-05  2011-03-07
IPv4    200.132.59.120                        2011-03-05  2011-03-07
URL     http://sub.sharebox.co.kr/Share…      2011-03-05  2011-03-05
URL     http://sub.sharebox.co.kr/SBUpd…      2011-03-05  2011-03-05
URL     http://webfile.bobofile.co.kr/a…      2011-03-05  2011-03-05
DOMAIN  webfile.bobofile.co.kr                2011-03-05  2011-03-05
DOMAIN  webfile.filecity.co.kr                2011-03-05  2011-03-05
IPv4    74.39.222.97                          2011-03-05  2011-03-05
IPv4    98.21.253.110                         2011-03-05  2011-03-05
