Hacker toolkits attracting volunteers to defend WikiLeaks

Filed Under: Denial of Service, Malware, SophosLabs

There has been a lot of talk about the attacks coordinated by AnonOps, a group of internet vigilantes that decided to fight back against the payment processing companies which suspended accounts used to donate to WikiLeaks and its founder Julian Assange.

The attacks are coordinated through the AnonOps web pages, IRC server infrastructure and several Twitter accounts. The operation of the voluntary botnet is very simple, but it seems to be quite effective.

Yesterday, Twitter shut down some of the accounts inviting users to join the attacks. Nevertheless, following the attacks on Mastercard, PayPal and the Swiss bank Post Finance, an attack on the main VISA website was successfully launched.

Following these initial attacks, which seriously disrupted the operation of the targeted sites, another attack was launched on Mastercard's SecureCode card verification programme. This attack seriously affected payment service providers, and the financial damage to Mastercard still needs to be determined.

Immediately after the AnonOps attacks on the payment processing companies started, a retaliatory DDoS attack was launched against the AnonOps hosting infrastructure. Their main site, anonops.net, is unresponsive at the time of writing.

It looks like there is an outright war going on. However, contrary to many of the discussions that followed the discovery of Stuxnet, the sides in this conflict are not sovereign states but groups of internet users spread around the globe, proving that warfare on the internet adds a whole new dimension to the term.

Participation in DDoS attacks is illegal in many countries, and users accepting the AnonOps invitation run a serious risk of prosecution. Many people believe that privacy on the internet can be somewhat protected, but beware: LOIC makes no attempt to spoof its source address (its HTTP and TCP modes complete a full TCP handshake), so the source IP addresses of attackers will inevitably end up in the target website's log files, where they can easily be matched to subscriber accounts if ISPs decide to cooperate with law enforcement agencies.

The workflow of an AnonOps attack is quite simple:

  1. Visit the AnonOps website to find out about the next target
  2. Decide you are willing to participate
  3. Download the required DDoS tool, LOIC
  4. Configure LOIC in Hive Mind mode to connect to the AnonOps IRC server
  5. The attack starts simultaneously when the nodes in the voluntary botnet receive the command from the IRC server

Since the principle of operation is already well known, I wanted to take a look at the main weapon used to conduct these DDoS attacks: LOIC (Low Orbit Ion Cannon). LOIC is an open source tool written in C#, and the project is hosted on the major open source repositories, GitHub and SourceForge.

The alleged main purpose of the tool is to stress test web applications, so that developers can see how an application behaves under heavier load. Of course, a stress-testing application, which could be classified as a legitimate tool, can equally be used in a DDoS attack.

LOIC's main component is an HTTP flooder module, configured through the main application window (TCP and UDP flooders are also available). The user can specify several parameters such as the host name, IP address and port, as well as the URL to be targeted. LOIC can also append pseudo-random characters to the URL so that every request differs; this defeats any cache sitting in front of the web server and can be used to evade attack detection by the target's intrusion prevention systems.

The Hive Mind option connects LOIC to the IRC server used for attack coordination. In Hive Mind mode the tool attacks whatever target the channel operators specify, so AnonOps can launch attacks on any site, not just the one you voluntarily agreed to target.

The HTTP flooder sends standard HTTP GET requests, with a configurable timeout and a configurable delay between connection attempts. Most web servers have a configurable limit on the number of connections they accept; once that limit is reached the server stops serving all subsequent requests, which from the user's point of view has the same effect as the server being offline.
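As an added example, written for this page and not code from the original post or from the LOIC project: a small Python detector that reads Common Log Format access log lines (constructed sample data, using RFC 5737 documentation addresses) and flags clients whose sustained request rate looks like LOIC rather than a browser. The distinct-URL ratio it reports tells the random-suffix option apart from plain hammering of one URL, which is the signal a defender would use to decide which source addresses to hand over. The log format, the thresholds and the exact form of the random suffix are assumptions.

```python
"""
Spotting LOIC-style HTTP floods in web server access logs.

Added example: not part of the original post and not LOIC's own code.
Assumptions: Common Log Format lines; an attacker either hammers one URL or
(LOIC's "append random characters" option) requests a never-repeated URL each
time. The sample log below is constructed; the IPs are RFC 5737 addresses.
"""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, url) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["url"]


def peak_requests_in_window(times, window):
    """Largest number of requests from one client inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_flooders(lines, window_seconds=10, peak_threshold=40):
    """
    Group requests by source IP and flag clients whose peak request count in
    any window_seconds interval exceeds peak_threshold (threshold is an
    assumption; tune it to the site). distinct_url_ratio near 1.0 means every
    request used a different URL (random-suffix option); near 0 means one URL
    was hammered. A browser fetches one burst of distinct assets and then
    stops, so it stays under the sustained-rate threshold.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, url = parsed
            by_ip[ip].append((ts, url))
    window = timedelta(seconds=window_seconds)
    report = {}
    for ip, hits in by_ip.items():
        peak = peak_requests_in_window([t for t, _ in hits], window)
        distinct_ratio = len({u for _, u in hits}) / len(hits)
        report[ip] = {
            "requests": len(hits),
            "peak_per_window": peak,
            "distinct_url_ratio": round(distinct_ratio, 3),
            "flagged": peak > peak_threshold,
        }
    return report


def make_sample_log():
    """Constructed sample: two LOIC-like clients and one ordinary browser."""
    rng = random.Random(2010)
    base = datetime.strptime("08/Dec/2010:16:02:00 +0000", TS_FMT)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

    def line(ip, t, url):
        return '%s - - [%s] "GET %s HTTP/1.1" 200 5120' % (ip, t.strftime(TS_FMT), url)

    lines = []
    # 203.0.113.7: 60 requests in 6 seconds, random characters appended to the URL
    for i in range(60):
        suffix = "".join(rng.choice(alphabet) for _ in range(8))
        lines.append(line("203.0.113.7", base + timedelta(seconds=i // 10), "/index.php" + suffix))
    # 198.51.100.23: 60 requests in 6 seconds, the same URL every time
    for i in range(60):
        lines.append(line("198.51.100.23", base + timedelta(seconds=i // 10), "/index.php"))
    # 192.0.2.10: one page load, eight distinct assets within one second, then nothing
    for asset in ["/", "/style.css", "/app.js", "/logo.png", "/a.png", "/b.png", "/c.png", "/favicon.ico"]:
        lines.append(line("192.0.2.10", base, asset))
    rng.shuffle(lines)  # real logs interleave clients
    return lines


if __name__ == "__main__":
    for ip, info in sorted(find_flooders(make_sample_log()).items()):
        print(ip, info)
```

Run against a real log, feed the file's lines to `find_flooders` instead of `make_sample_log()`; the peak-per-window figure is what survives a LOIC delay setting, since a client that keeps sending for minutes cannot look like a page load however slowly it paces itself.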

The IRC protocol is implemented using the free C# IRC library SmartIRC4Net.

There is also a Java version of the tool, JavaLoic, which uses a Twitter account as its command and control channel. The Java version is much easier to detect with intrusion prevention systems, however, as its attack traffic consists of fragmented HTTP requests carrying the static string "hihihihihihihihihihihihihihihihihihihihihihi".

Sophos products have been detecting LOIC as a potentially unwanted application since 14 February 2008.

There is no doubt that a lot more will happen in this conflict built around the support for WikiLeaks and a lot more will be said about it. Make sure you visit Naked Security and the Sophos Facebook page to learn all about the future developments.


27 Responses to Hacker toolkits attracting volunteers to defend WikiLeaks

  1. Guy de Puyjalon · 1416 days ago

    Long live government transparency!

    Long live Wikileaks!

    Down with hypocrisy, conspiracies, cabals and deceptions in high places!

    Long live freedom of expression

    • Sane Guy · 1416 days ago

      Too bad we have a president with no balls here in the US. I look forward to the day when the next administration starts prosecuting all those DDoS attack participants and incarcerating them (because it's illegal!!).
      Just because you want to prove your machismo, it does not mean you have to endanger our private information and expose our credit cards.

      • Gaz · 1415 days ago

        Such a typical response from an American. 'Me, me, me'.

        This isn't about your credit card, this is about preserving the future of our species and ensuring we do not end up in a situation where we're all part of a dictatorship wondering why we no longer have freedom of speech.

      • Jay · 1415 days ago

        IMO, I think this is exactly what our president wants. Leaking classified information, DDoS attacks against major financial infrastructure, etc. is a perfect opportunity to introduce draconian laws regarding internet access and collection of PII for intelligence purposes. As Rham said, "You never let a serious crisis go to waste."

        • Baba-T · 1415 days ago

          Free speech Yes! but for the sustenance of the species there must be secrets. It's a necessary element in the equation of existence...

          Baba-T

          • aoe · 1415 days ago

            I don't see any link between sustenance of the species and secrets.

            • lord koos · 1414 days ago

              Yep, you don't see cockroaches keeping secrets, do you?

      • synezlan · 1415 days ago

        If you had read the article properly, you'll see that these DDoS attacks do not expose anybody's credit card details. A DDoS attack aims to prevent users from accessing a website, not steal its information.

        @Vanja Svajcer, Finally! A news article that describes accurately what Anonymous is actually doing. I suspect there might be too much jargon for the average computer user to understand, but still, it's far better than most of the generic "hackers took down site x, hackers took down site y" I've been reading.

        I don't really think Op Payback participants should be called "hackers" though. There's no hacking involved, and it takes no hacking experience to do it. Calling it hacking makes people (like the above commenter) think it involves breaking through website security and exposing secret information, which is the usual definition of hacking...

        • Vanja Svajcer · 1415 days ago

          Thanks, synezlan. As for the hacker term, it was suggested to me that the title "LOIC - DDoS tool" which I have initially chosen, would be far less effective attracting readers than the current one. In the text I am using the term attackers, which I think is more accurate in this case :)

      • Aoe · 1415 days ago

        Expose your credit cards? Clearly you don't really understand much about these attacks...

      • FalsePositive · 1415 days ago

        @ Sane Guy ....

        You're silly. Do you have a Palin For President bumper sticker? I bet you do... ;-)

      • Whatever · 1415 days ago

        You have no idea what you are talking about. The only effect this had on your credit card is you not being able to use it, and the so-called machismo... Is it somehow any different than when an army goes and attacks some other country over greed for oil? And in closing, to the commenter below, Gaz... I am an American.

  2. A few years back, these were called "cyberstrikes" and were considered ethical. Of course, they wouldn't involve flooding tools like LOIC, but the aim was nevertheless to down sites through usage.

    I clearly remember the Italian government site going down at one point...

    It seems to me that these attacks are equivalent to strikes, they do no damage, but strike economically the targets. Should they be legal? I don't know... Can any legislation against them be feasibly enforced? Clearly not.

  3. Cyb3r7hug · 1415 days ago

    Leave wikileaks and the followers alone. And everything will be fine.

  4. mehere · 1415 days ago

    Wasn't Wikileaks itself taken down by a DDOS attack in the first place and why it was put on Amazon for a while? Was that illegal?

  5. Dave · 1415 days ago

    I would like to see Wikileaks running without being attacked for helping people to see what should be in the public domain. If someone can come up with an alternative tactic to protect them from people pulling the plug etc. then and only then will I come out against the use of tools like LOIC.

    dAVE

  6. RaveStorm · 1412 days ago

    Dave, I suppose you don't care if your machine is DDoSed. Does that not bother you? What about the company you work for... would you like it if you didn't get a paycheck because the system was under attack? I think not.
    People like you propagate people that actually like doing this crap. Let's see how you cry when you are attacked or you don't get a paycheck.
    National secrets are for good reason. How would you like to be an operative in a foreign land and someone posts your name as an operative and the country you are working in? Does that not scare you? What happens when someone at wikileaks posts the location of, say, a nuclear warhead? Don't you think that's a bit over the top? Me personally, I don't want Joe Blow Terrorist to have that information. If you do, then I would consider you to be a terrorist as well, no better than the person or persons that actually commit the crime.
    But you sit in your nice air conditioned home, watch your big screen TV, and say "nothing will ever happen to me!" You are obviously misled.

    • Red Saint Lucifer · 1341 days ago

      Ah, a typical brainwashed imbecile, "You don't subscribe to my social norm of sitting and eating government crap, therefore you are against me and all I stand for and out to destroy me"
      In essence, the building blocks of Stagnation.

  7. Some leaks are dangerous............

    As a guide for the perplexed terrorist wondering what to give the West for Christmas, the latest US cable from Wikileaks is a route map. To the evil genius terrorist sitting on a revolving chair whilst stroking a white cat it is of less use given that he already knows a lot of the information therein contained. However, Wikileaks’ gift to Al Quaeda et al is to present them with an expertly compiled list of America's 'critical infrastructure', or to put it another way - list of targets and ideas.

    Wikileaks' defence in naming places in the memo is partially that 'it does not give any information as to their exact locations'. Well, perplexed terrorist might have trouble locating 'Quebec: monumental hydroelectric power development Mica Dam', but evil genius would be able to find it on a map. Ditto 'UK: Madley Teleport, Stone Street, Madley'. That'll be on Stone Street then.

    • TheNarcoleptica · 1318 days ago

      Dumb ass evil genius is smart enough to google "power plant locations: US" and get that information, he doesn't need the leaks... God damn, are people really that stupid? You are awarded no points.

  8. There are hundreds of locations, from the communication cables under the Atlantic between the UK and the USA to a snake bite antidote factory in Australia. All identified by the US as critical to people's economic and physical safety, and which will logically lead a terrorist to think about attacking some of the locations, which include small and medium sized private companies.

    Wikileaks spokesperson Kristinn Hrafnsson defended the leak saying, "This further undermines claims made by the US Government that its embassy officials do not play an intelligence-gathering role’. But it is part of an embassy's role to provide information back to Washington, sending the State Department a list of places the officials think are important to American interests is hardly James Bond - it’s more ‘Embassy secretary for energy, down the corridor, desk 35, just past the water cooler’ department.

  9. Of course any terrorists worth their Semtex are already aware of a number of potential targets. However, it's doubtful they had access to dozens of embassies full of experts who could cross-refer 'critical infrastructure' locations, assess their importance, check with other departments if there was back up, and have it compiled in a handy cut out and keep 7 page memo full of useful data which, read carefully, could suggest that a multiple attack in region X would have a catastrophic effect. They do now.

  10. Kill 'em all · 1411 days ago

    Freedom of information should have no exceptions and all information should be available to everyone.
    All people are equal, so why should someone have the right to decide what we are or are not allowed to know?
    If people don't want to know they don't have to read or listen, but that is their choice for them to make, not some government who thinks it's in our best interests, when really it's just in their best interests to keep information from us.
    The DDoS attacks will happen because of government secrecy and corruption.
    Have full open honesty with complete access to freedom of information and there would be no more attacks.

    • Karasu · 1407 days ago

      All information should be available to everyone? Ok then, here is the information I want from you: name, date of birth, address, bank account numbers, any other information that could be used to commit identity theft, ruin your life, or jeopardize your safety. But let me guess, you want any information regarding you to be secret, but everyone else and everything else should be fair game...

      Not everyone is created equal. People can say that all they want, but history has proven that to be a lie.

      As to the government deciding what should and shouldn't be known, should we just put everything up for everyone to see? How about the alarm code for your house, or the door code for the flat you live in?

      As to government secrecy and corruption, get over it. It happens everywhere, not just the USA.

      And as to "full open honesty with complete access to freedom of information", all it takes is one person not putting everything out there for everyone else and your whole idea goes to wayside. How about we require religious fanatics to post their attack plans for everyone to read? They sure won't do that. So secrecy on the other side of the equation is required to keep things even.

  11. bobcee · 1409 days ago

    Deep in the recesses of what passes for my mind, I have a thought.

    The reason for the U.S. Govt. getting their knickers in a twist is not fear for the populace.
    It is EMBARRASSMENT!

    All those "Holier than thou", self important fat cats, living off YOUR tax Dollar, have been caught out behaving just the same as the rest of humanity, saying non politically correct things about other fat cats in other nations.

    Can't you just smell the fear in high places that us plebs may get an idea that they are no better or important than we are?

    After all, who pays them, who employs them. Who gets a round up their six when the politicos get it wrong, which they do all too often.

    How can any greasy politico get up on a dais alongside seriously wounded soldiers and try to run out their smarmy, self serving drivel without blushing to the roots of their hair?

    They are not fit to share a podium with those soldiers, let alone speak.

    If these leaks serve to kick the political class into line then we should all dig into our pockets to help in the work.

    By the way, isn't there some sort of IP address anonymising network out there?

    I'll stop the rant now, I need to go for a leak.

  12. jUST · 985 days ago

    INFORMATION is power, plain and simple.

  13. Theresa · 979 days ago

    I have believed for a few years now that the same forces who instituted 9/11 will also blow a nuke up on US soil only this time they will blame Pakistan or Iran. I think that this wikileaks document feeds into those plans setting up a story of blame. I can read the headlines, "Thanks to wikileaks so and so got a bomb and blah blah blah". Who at wikileaks is ensuring they aren't being used as a tool to further the very crap wikileaks purports to be against?


About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.