McAfee-Labs-10-Days-of-Rain-July-2011.pdf (980 KB)

McAfee observed a March 2011 DDoS operation against South Korean government, military-related targets, and U.S. Forces Korea, launched from compromised hosts in South Korea. The botnet used a multitier command-and-control architecture with first-tier redirector servers distributed across multiple geographies to improve resiliency against takedowns. The malware was configured primarily for DDoS using ICMP, UDP, and HTTP request traffic, with a predefined 10-day operating window and payloads protected by multiple cryptographic algorithms including RC4, AES, RSA, and MD5. At the end of the attack window, infected hosts were designed to self-destruct by deleting and overwriting key files and damaging the master boot record, limiting recovery and forensic analysis. The combination of targeted South Korean and USFK victims, resilient C2, restricted bot functionality, and destructive cleanup made the campaign operationally distinct from typical financially motivated botnets.