No, not really... but someone wants you to think so. At least that's how it's starting to look. On December 14th, the Spamhaus Project posted a warning to people who are visiting WikiLeaks.org. Spamhaus noticed that the WikiLeaks.org domain had been set up to redirect to mirror.WikiLeaks.info, which is allegedly controlled by Russian criminal gangs.
If you simply want to get to the legitimate WikiLeaks site you can stop reading now and go directly to http://WikiLeaks.ch. What Spamhaus had noticed was that the IP addresses and hosting provider behind the redirect target fall within IP ranges long known for distributing malware. With all of the publicity and attention WikiLeaks has been receiving, it could be a real threat if the pages were altered to host malicious content.
Normally this would have been the end of it, but on December 15th those behind the WikiLeaks.info site asked the community (presumably Anonymous) to express their opinions about their site being blacklisted (which it wasn't). Spamhaus got more than a few threats and comments from misinformed folks expressing their desire that WikiLeaks remain available.
On December 18th, a fairly large DDoS attack began against the Spamhaus servers. Initially it was assumed to be Anonymous and their legion of volunteers using the LOIC tool. After further investigation, it was found to be PCs that had been hijacked by malware and were being used, without their owners' knowledge, to attack the Spamhaus services.
Fortunately, Spamhaus has strong defenses against DDoS, as they are regularly targeted by spammers and other members of the criminal underground they seek to expose. Those who commanded the attack are likely those that are hosting both WikiLeaks.info and the command-and-control servers used to instruct large quantities of zombied PCs to do their bidding.
If Spamhaus's allegations are true, a potential risk apart from infection is that fake WikiLeaks cables or documents could be placed on the site to mislead people into believing just about anything the operators like. For now, stick with WikiLeaks.ch if you can't contain your curiosity.
Pairing breaking news events with look-alike or confusingly similar web sites and search results is an ever more common technique for taking advantage of unsuspecting surfers. This is just another example of why a strong defense-in-depth security policy for web browsing can help protect your users from accidentally going somewhere they shouldn't.
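The kind of check Spamhaus describes, a hostname resolving into address ranges already listed for hosting malware, is something you can reproduce yourself against a published blocklist. The script below is an added example and is not code from the original post or from Spamhaus or Sophos. It parses text in the layout of the Spamhaus DROP list ("CIDR ; SBL reference" per line, ";" comments) and tests resolved addresses against it. The DROP entries, the SBL numbers, the hostnames and the resolution results embedded here are all constructed for the example (RFC 5737 documentation ranges), not real listings; the `resolve()` helper does a live lookup and is only there for real use.

```python
"""Flag hostnames whose resolved addresses fall inside blocklisted CIDR ranges."""
import ipaddress
import socket

# Constructed sample in the DROP file layout: "CIDR ; SBL reference".
# These ranges and SBL numbers are invented for this example, not real listings.
SAMPLE_DROP = """\
; Spamhaus DROP List - constructed sample for this example
203.0.113.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""

# Constructed resolution results standing in for live DNS answers.
SAMPLE_RESOLUTION = {
    "mirror.example.info": ["203.0.113.45"],   # inside 203.0.113.0/24
    "example.ch": ["198.51.100.200"],          # outside 198.51.100.0/25
}


def parse_drop(text):
    """Parse DROP-format text into a list of (ip_network, sbl_reference)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        cidr, _, ref = line.partition(";")
        entries.append((ipaddress.ip_network(cidr.strip(), strict=False), ref.strip()))
    return entries


def lookup(ip, entries):
    """Return the SBL reference of the first range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            return ref
    return None


def check_host(hostname, resolved_ips, entries):
    """Return [(ip, sbl_reference), ...] for every resolved address that is listed."""
    hits = []
    for ip in resolved_ips:
        ref = lookup(ip, entries)
        if ref is not None:
            hits.append((ip, ref))
    return hits


def resolve(hostname):
    """Live DNS lookup (not used by the offline sample); returns address strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    for host, ips in SAMPLE_RESOLUTION.items():
        hits = check_host(host, ips, drop)
        verdict = "BLOCK" if hits else "allow"
        print(f"{verdict:5} {host:22} {ips} {hits}")
```

Swap `SAMPLE_DROP` for the current DROP file and `SAMPLE_RESOLUTION[host]` for `resolve(host)` to run it for real; a web proxy policy can apply the same containment test to every outbound connection rather than to a hand-picked hostname.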
Creative Commons image courtesy of Adam.Zethraeus's Flickr photostream.
I'm interested to know how they got hold of the domain. So EveryDNS disabled it and then allowed some Russian crooks to get hold of it? How did that happen?
That is a good question. At the moment it is hard to tell who is in control of the domain name, as it is hiding behind "privacy protection". Odd, isn't it? Seems like no secrets should be no secrets. Here is a snippet from their WHOIS right now:
Domain ID:D130035267-LROR
Domain Name:WIKILEAKS.ORG
Created On:04-Oct-2006 05:54:19 UTC
Last Updated On:17-Dec-2010 01:57:59 UTC
Expiration Date:04-Oct-2018 05:54:19 UTC
Sponsoring Registrar:Dynadot, LLC (R1266-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:CP-13000
Registrant Name:John Shipton c/o Dynadot Privacy
Registrant Street1:PO Box 701
Registrant Street2:
Registrant Street3:
Registrant City:San Mateo
Registrant State/Province:CA
Registrant Postal Code:94401
Registrant Country:US
Registrant Phone:+1.6505854708
Did you actually find any malware on wikileaks.org or mirror.wikileaks.info? If so, which one? As a security company, you should not just reproduce what Spamhaus is saying but test for yourself. Or?
Regards, Sandra
Data from our labs confirms what Spamhaus has blogged, that this ISP and IP range are controlled by people who seem to make a living from compromising people and hosting undesirable and dangerous content. The official WikiLeaks site does not list this as an official mirror.
To my knowledge we have not detected any actual malware, but it is a very dangerous neighborhood and it would be safer for people to use the wikileaks.ch site.
A strong defence is exactly what we all need, Chester!
Great piece.... I learned something about this wikileaks.info site too....
;-)
Jim
PS so glad that we use Sophos on our servers!!!