Did Anonymous attack the Spamhaus project?

Filed Under: Denial of Service, Law & order, Malware

A Russian trying to be Anonymous

No, not really... but someone wants you to think so. At least that's how it's starting to look. On December 14th, the Spamhaus Project posted a warning to people who are visiting WikiLeaks.org. Spamhaus noticed that the WikiLeaks.org domain had been set up to redirect to mirror.WikiLeaks.info, which is allegedly controlled by Russian criminal gangs.

If you simply want to get to the legitimate WikiLeaks site you can stop reading now and go directly to http://WikiLeaks.ch. Anyway, what Spamhaus had noticed was that the IP addresses and hosting services were part of IP ranges long known to be distributing malware. With all of the publicity and attention WikiLeaks has been receiving, it could be a real threat if the pages were altered to host malicious content.
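The two signals Spamhaus acted on (a front door that silently redirects off-domain, and a final host that lives in a netblock with a bad reputation) can be checked mechanically. The following is an added example, not code from Sophos or Spamhaus; all IPs, netblocks and the DNS/redirect tables are constructed stand-ins (RFC 5737 documentation ranges) so it runs offline.

```python
import ipaddress

# Constructed blocklist in the style of a DROP-type list of netblocks
# "long known to be distributing malware". Values are made up.
BAD_NETBLOCKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed stand-in for DNS resolution (hostname -> A record).
FAKE_DNS = {
    "mirror.wikileaks.info": "198.51.100.25",  # constructed: inside a listed netblock
    "wikileaks.ch": "192.0.2.10",              # constructed: clean address
}

# Constructed stand-in for the HTTP redirect observed on the front page.
FAKE_REDIRECTS = {
    "wikileaks.org": "mirror.wikileaks.info",
}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels, adequate for .org/.info/.ch here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def in_bad_netblock(ip):
    """True when the address falls inside any listed netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BAD_NETBLOCKS)


def assess(host, dns=FAKE_DNS, redirects=FAKE_REDIRECTS):
    """Return a list of findings for a hostname; an empty list means no concern."""
    findings = []
    target = redirects.get(host)
    # Finding 1: the site bounces visitors to a different registrable domain.
    if target and registrable_domain(target) != registrable_domain(host):
        findings.append(f"redirects off-domain to {target}")
    final = target or host
    ip = dns.get(final)
    # Finding 2: wherever the visitor ends up is hosted in a listed netblock.
    if ip and in_bad_netblock(ip):
        findings.append(f"{final} resolves to {ip} inside a listed netblock")
    return findings


if __name__ == "__main__":
    for h in ("wikileaks.org", "wikileaks.ch"):
        print(h, "->", assess(h) or "no findings")
```

In a real deployment the two tables would be replaced by an actual DNS lookup and the redirect chain returned by an HTTP client, with the netblock list pulled from a reputation feed.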

Normally this would have been the end of it, but on December 15th those behind the WikiLeaks.info site asked the community (presumably Anonymous) to express their opinions about their site being blacklisted (which it wasn't). Spamhaus got more than a few threats and comments from misinformed folks expressing their desire that WikiLeaks remain available.

On December 18th, a somewhat large DDoS attack began against the Spamhaus servers. Initially it was assumed to be Anonymous and their legion of folks using the LOIC tool. After further investigation, it was found to be PCs that had been hijacked by malware and were being used against their will to attack the Spamhaus services.

Fortunately, Spamhaus has strong defenses against DDoS, as they are regularly targeted by spammers and other members of the criminal underground they seek to expose. Those who commanded the attack are likely those that are hosting both WikiLeaks.info and the command-and-control servers used to instruct large quantities of zombied PCs to do their bidding.

If Spamhaus's allegations are true, a potential risk apart from infection is that fake WikiLeaks cables/documents could be placed on the site to mislead people into believing just about anything they like. For now, stick with WikiLeaks.ch if you can't contain your curiosity.

Combining breaking news events with similar or confusing web sites or search results is an ever more common technique to take advantage of innocent surfers. This is just another example of why implementing a strong defense-in-depth security policy related to web surfing can help protect your users from accidentally going somewhere they shouldn't.

Creative Commons image courtesy of Adam.Zethraeus's Flickr photostream.


5 Responses to Did Anonymous attack the Spamhaus project?

  1. Mark · 1403 days ago

    I'm interested to know how they got hold of the domain. So EveryDNS disabled it and then allowed some Russian crooks to get hold of it? How did that happen?

    • Chester Wisniewski · 1402 days ago

      That is a good question. At the moment it is hard to tell who is in control of the domain name as it is hiding behind "privacy protection". Odd isn't it? Seems like no secrets should be no secrets. Here is a snippet from their WHOIS right now:

      Domain ID:D130035267-LROR
      Domain Name:WIKILEAKS.ORG
      Created On:04-Oct-2006 05:54:19 UTC
      Last Updated On:17-Dec-2010 01:57:59 UTC
      Expiration Date:04-Oct-2018 05:54:19 UTC
      Sponsoring Registrar:Dynadot, LLC (R1266-LROR)
      Status:CLIENT TRANSFER PROHIBITED
      Registrant ID:CP-13000
      Registrant Name:John Shipton c/o Dynadot Privacy
      Registrant Street1:PO Box 701
      Registrant Street2:
      Registrant Street3:
      Registrant City:San Mateo
      Registrant State/Province:CA
      Registrant Postal Code:94401
      Registrant Country:US
      Registrant Phone:+1.6505854708

  2. Sandra · 1403 days ago

    Did you actually find any malware on wikileaks.org or mirror.wikileaks.info? If so, which one? As a security company, you should not just reproduce what Spamhaus is saying but test for yourself? Or?

    Regards, Sandra

    • Chester Wisniewski · 1402 days ago

      Data from our labs confirms what Spamhaus has blogged, that this ISP and IP range are controlled by people who seem to make a living from compromising people and hosting undesirable and dangerous content. The official WikiLeaks site does not list this as an official mirror.

      To my knowledge we have not detected any actual malware, but it is a very dangerous neighborhood and it would be safer for people to use the wikileaks.ch site.

  3. jvrudnick · 1403 days ago

    a strong defence is exactly what we all need, Chester!

    great piece.... I learned something too about this wikileaks.info site....

    ;-)

    Jim

    PS so glad that we use Sophos on our servers!!!


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.