The denial-of-service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.
There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn't mean it wasn't happening or won't in the future, said Gerry Egan, a product manager in Symantec's Security Technology Response group.
There are only about 50,000 infected PCs around the world being used in the attacks, which is a relatively small number compared with the millions that were infected with Conficker, he said.
The campaign started over the July 4 weekend, launching distributed DOS attacks on dozens of government and commercial sites in the U.S. and South Korea. The attacks, which resurged during the week at least twice, affected sites including the White House, the Federal Trade Commission, the Secret Service, and The Washington Post.
One of the files dropped on infected PCs is programmed to wipe out files on the PC, including a master boot record, which will render the system inoperable when the PC is rebooted, Symantec said. "Basically, your system is in trouble if this executes," Egan said.
Botnet expert Joe Stewart of SecureWorks told The Washington Post that he tested the self-destruct Trojan and found it capable of erasing the hard drive on an infected system, but that the function wasn't being triggered. He speculated that either there is a bug in the code or that the feature is set to activate at a later date.
Researchers are finding that the botnets launching the attacks are infected with several types of malware. The MyDoom worm is being used to spread infections between computers via e-mail, Symantec and other antivirus vendors have reported.
A dropper program called W32.Dozer that contains the other components is sent by W32.Mytob!gen to e-mail addresses it gathers from the compromised computer, the Symantec Response Blog says. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the system.
The Dozer Trojan serves as a backdoor and connects to IPs through certain ports, allowing it to update itself and to receive instructions on sites to attack, according to Symantec. It's unclear if the DOS attacks will happen again because the infected PCs can receive new instructions at any time, Egan said.
"There is nothing new or novel in the technology," he said. Judging by the high-profile sites attacked, it's likely the attackers are just trying to get attention, he added.
South Korean officials told reporters on Friday that the DOS attacks used 86 IP addresses in 16 countries, including South Korea, the U.S., Japan, and Guatemala, but not North Korea, according to an Associated Press report.