Trojan.Koredos Comes with an Unwelcomed Surprise
2011-03-11 • Symantec
https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise
Symantec describes Trojan.Koredos activity behind DDoS attacks against South Korean websites and compares the campaign to the July 2009 attacks on U.S. and South Korean government, financial and media sites. Unlike botnets that wait for live C2 instructions, the commands in this case are embedded inside the malware itself. The report highlights destructive components, especially s[RANDOM LETTERS]svc.dll variants that destroy the master boot record, search fixed drives for Korea-specific document extensions such as .alz, .gul and .hwp, overwrite files with zeros, delete large files, or replace files with .cab archives before deleting the originals. The targeting of Korean file types and the delayed destructive behavior make the infection a data-destruction risk even after the visible DDoS activity subsides.