Hackers obtained lists from some private computers
No evidence yet that attackers stole file data in nationwide cyber attack
Seoul investigators said lists of files from so-called “zombie” computers used during the recent cyber attacks have been leaked to hundreds of outside servers, and that authorities are trying to determine if actual files were transferred.
While no major hacking attack was reported yesterday, the National Police Agency’s Cyber Terror Response Center and the Korea Information Security Agency were busy analyzing 27 zombie computers, that is, computers infected with malicious code without their owners’ knowledge. These computers served as the unwitting sources of the distributed denial-of-service (DDoS) attacks last week.
Investigators discovered that file lists of the computers’ “Documents and Settings” and “Program Files” folders had been sent to outside servers. Following the DDoS attacks last week, files on about 1,200 zombie computers were deleted, but no file data appeared to have been leaked.
The investigators said they’ve located 416 such servers in 59 countries, including 15 servers in South Korea. Police said they’ve blocked access to those 15 servers and have confiscated 13 of them for further analysis.
Police said these servers were located at private companies, universities and homes. The KISA has blocked access to the other 401 servers outside of South Korea.
A police investigator said he was still trying to determine if actual files were leaked.
“We believe hackers simply wanted to look at what files these zombie computers had,” the investigator said. “So far, only file lists have been moved, and it’s premature to say whether any personal information also left the computers.”
Choi In-seok, chief investigator at the Cyber Terror Response Center, said investigators were trying to discover the hackers’ motives for accessing lists of files rather than the files themselves.
“In most cases, hackers would attempt to steal users’ IDs and passwords,” he said.
Experts say malicious code used in the type of attacks that paralyzed South Korean and U.S. Web sites is usually capable of carrying out DDoS attacks, sending spam e-mail messages, or installing spyware to collect information about users and their Internet browsing habits.
In the immediate aftermath of the cyber terrorism last Tuesday, police and cyber security officials said the malicious code was not capable of planting spyware in computers.
By Yoo Jee-ho [email@example.com]