Did Anonymous attack the Spamhaus project?

A Russian trying to be Anonymous

A Russian trying to be AnonymousNo, not really… but someone wants you to think so. At least that’s how it’s starting to look. On December 14th, the Spamhaus Project posted a warning to people who are visiting WikiLeaks.org. Spamhaus noticed that the WikiLeaks.org domain had been set up to redirect to mirror.WikiLeaks.info, which is allegedly controlled by Russian criminal gangs.

If you simply want to get to the legitimate WikiLeaks site you can stop reading now and go directly to http://WikiLeaks.ch. Anyway, what Spamhaus had noticed was that the IP addresses and hosting services were part of IP ranges long known to be distributing malware. With all of the publicity and attention WikiLeaks has been receiving, it could be a real threat if the pages were altered to host malicious content.

Normally this would have been the end of it, but on December 15th those behind the WikiLeaks.info site asked the community (presumably Anonymous) to express their opinions about their site being blacklisted (which it wasn’t). Spamhaus got more than a few threats and comments from misinformed folks expressing their desire that WikiLeaks remain available.

On December 18th, a somewhat large DDoS attack began against the Spamhaus servers. Initially it was assumed to be Anonymous and their legion of folks using the LOIC tool. After further investigation, it was found to be PCs that had been hijacked by malware and were being used against their will to attack the Spamhaus services.

Fortunately, Spamhaus has strong defenses against DDoS, as they are regularly targeted by spammers and other members of the criminal underground they seek to expose. Those who commanded the attack are likely those that are hosting both WikiLeaks.info and the command-and-control servers used to instruct large quantities of zombied PCs to do their bidding.

if Spamhaus’s allegations are true, a potential risk apart from infection is that fake WikiLeaks cables/documents could be placed on the site to mislead people into believing just about anything they like. For now, stick with WikiLeaks.ch if you can’t contain your curiosity.

Combining breaking news events with similar or confusing web sites or search results is an ever more common technique to take advantage of innocent surfers. This is just another example of why implementing a strong defense-in-depth security policy related to web surfing can help protect your users from accidentally going somewhere they shouldn’t.

Creative Commons image courtesy of Adam.Zethraeus’s Flickr photostream.