DDoS Analysis Report

2011-03-09 NProtect DDoS Analysis Report

http://erteam.nprotect.com/attachment/[email protected]

Attachments

cfile3.uf1520EE564D779550226696.pdf (1 MB)

Inca Internet analyzed malware samples tied to the March 2011 Korean DDoS incident, in which attackers compromised the update and installer servers of webhard (web storage) services and replaced legitimate modules with malicious downloaders. Infected systems downloaded additional components that registered services for persistence, altered the hosts file to block antivirus updates, exfiltrated basic PC and domain information, and removed cache and batch artifacts to hinder tracing. The malware used data files to coordinate DDoS activity against Korean portals, government, military, finance, and other targets, launching UDP, ICMP, and CC-style attacks against the listed URLs. Other components destroyed the MBR and deleted or corrupted files with document, archive, mail, source-code, and web-script extensions, making the campaign both disruptive and destructive. The report also lists Trojan detections, sample variants, scheduled attack timing, targeted domains, and partially masked remote server addresses used for connection or download attempts.
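The report describes the malware pinning antivirus update hosts in the hosts file so that signature updates fail. The check below is an added example written for this summary, not code from Inca Internet or the report: it parses a hosts file and flags any hostname other than the stock localhost names that is mapped to a loopback or unspecified (sinkhole) address, and any entry that redirects a watched domain anywhere at all. The hosts content and the domain names under example-av.test and example.test are constructed for the example.

```python
"""Flag hosts-file entries that could block or hijack update traffic.

Mapping an update hostname to 127.0.0.1 or 0.0.0.0 is the usual way a
hosts-file edit blocks antivirus updates, so every such mapping outside the
stock localhost entries is reported. A watched domain is also reported when
it is pinned to any address, since a redirect to a non-sinkhole address is
just as harmful. Sample content and domain names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Hostnames that legitimately map to loopback on a stock system.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into entries, skipping comments and malformed lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()  # handles both spaces and tabs
        if len(parts) < 2:
            continue  # address with no hostname: nothing to resolve
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address; not a valid entry
        entries.append(HostsEntry(line_no, parts[0], parts[1:]))
    return entries


def is_sinkhole_address(address: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def find_suspicious_entries(text: str, watch_domains: Iterable[str] = ()) -> List[HostsEntry]:
    """Return entries that sinkhole a non-default hostname or redirect a watched domain."""
    watch = [w.lower() for w in watch_domains]
    suspicious = []
    for entry in parse_hosts(text):
        names = [h.lower() for h in entry.hostnames]
        pinned_non_default = any(n not in DEFAULT_LOOPBACK_NAMES for n in names)
        if is_sinkhole_address(entry.address) and pinned_non_default:
            suspicious.append(entry)
        elif any(n == w or n.endswith("." + w) for n in names for w in watch):
            suspicious.append(entry)
    return suspicious


# Constructed hosts-file content: two stock lines plus a few tampered ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed for this example
127.0.0.1       update.example-av.test
0.0.0.0         liveupdate.example-av.test   # blocks update checks
10.1.2.3        intranet.example.test
"""

if __name__ == "__main__":
    for e in find_suspicious_entries(SAMPLE_HOSTS, watch_domains=("example-av.test",)):
        print(f"line {e.line_no}: {e.address} -> {', '.join(e.hostnames)}")
```

On a live system, read the file at %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) and pass your own vendor update domains as watch_domains; the two constructed tampered lines are the ones reported, while the intranet entry, which points to a routable address and matches no watched domain, is left alone.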

Indicators of Compromise

Type     Value                 First Seen    Last Seen
DOMAIN   sub.sharebox.co.kr    2011-03-05    2011-03-09
