Anonymous Linux OS Authors Still A Mystery

SourceForge pulled the Linux OS last week after security experts outlined risks, and regular Anonymous channels denounced it as a Trojan-laden fake. So who's behind it?

If you like the hacktivist collective Anonymous, you'll love a new Linux operating system that promises out-of-the box attack capabilities.

That was the pitch for Anonymous-OS, which appeared last week on the popular open-source file distribution site SourceForge. The 1.5-GB distribution file was quickly downloaded more than 26,000 times. According to its anonymous creators, Anonymous-OS was "created for educational purposes, to (sic) checking the security of web pages." They also added: "Please don't use any tool to destroy any Web page."

The operating system was built using version 11.10 of Ubuntu, a free open-source operating system based on the Debian Linux distribution. But it also includes a number of attack-oriented tools, including the Anonymous High Orbit Ion Cannon--an update to the group's Low Orbit Ion Cannon distributed denial of service tool--as well as automated SQL injection tool Havij, and network protocol analyzer Wireshark.

Rik Ferguson, solutions architect for Trend Micro, told the BBC that after running the operating system, he'd found that it was "a functional OS with a bunch of pre-installed tools that can be used for things like looking for [database] vulnerabilities or password cracking," but that he hadn't yet ascertained whether it included malware meant to harm the user. On the whole, however, he said it paled in comparison to BackTrack, a well-known version of Linux designed for penetration testing.

Reliable channels of Anonymous-related information, meanwhile, warned people that despite the Anonymous-OS name, it didn't appear to be from the hacktivist group of the same name. "Don't use Anonymous OS, we don't know anything about it and can't vouch for it," read a tweet from YourAnonNews. "The Anon OS is fake it is wrapped in Trojans," read an AnonOps tweet.

In a rare move, the administrators of SourceForge last week suspended the project, meaning that the distribution--which they'd been hosting--can no longer be downloaded, at least from there. "SourceForge, and the Open Source community as a whole, values transparency, particularly where issues of security are involved. This project isn't transparent with regard to what's in it. It is critical that security-related software be completely open to peer review (i.e., by providing source code), so that risks may be assessed along with benefits. That is not available in this case, and the result is that people are taking a substantial risk in downloading and installing this distribution," said the site's administrators in a blog post. "Furthermore, by taking an intentionally misleading name, this project has attempted to capitalize on the press surrounding a well-known movement in order to push downloads of a project that is less than a week old."

Rather than canceling the project outright, SourceForge's administrators said they'd contact the project's administrator, seeking answers as to why malicious code--aimed at the operating system's users--had apparently been hidden in the distribution.

In response, the anonymous creators of Anonymous-OS posted to Pastebin what they said was a clean bill of health issued by a Rootkit Hunter (rkhunter) scan of the operating system distribution, "for users where (sic) scared about trojans and dangerous files."

Is Anonymous-OS for real? Timing-wise, the appearance of an Anonymous-themed version of Linux seems like an odd coincidence, especially in the wake of the recent arrests and sentencing of alleged leaders of LulzSec and Anonymous, including Hector Xavier Monsegur (a.k.a. Sabu).

"If I were writing a cybercrime thriller, I might dream up a plot where the computer cops--desperate to know the identities of the hacktivists--concocted a plot where they made available software that promised to hide hackers' identities, but in fact secretly passed information back to the cops," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "Of course, I'm not suggesting that has happened in this case. But stranger things have happened (like the prominent leader of LulzSec turning out to have been secretly working for the FBI since the middle of last year)."

This also isn't the first time that an individual or organization with no evident Anonymous affiliation has attempted to use the name for their own purposes. In the wake of the Megaupload takedown, for example, a new file-sharing service, Anonyupload, promised to provide an anonymous file-sharing platform, just as soon as it had received enough donations to start business. As with Anonymous-OS, regular sources of Anonymous information quickly moved to distance themselves from the upstart venture.
