Attacks/Breaches
3/19/2012
12:44 PM
Anonymous Linux OS Authors Still A Mystery

SourceForge pulled the Linux OS last week after security experts outlined risks, and regular Anonymous channels denounced it as a Trojan-laden fake. So who's behind it?

If you like the hacktivist collective Anonymous, you'll love a new Linux operating system that promises out-of-the-box attack capabilities.

That was the pitch for Anonymous-OS, which appeared last week on the popular open-source file distribution site SourceForge. The 1.5-GB distribution file was quickly downloaded more than 26,000 times. According to its anonymous creators, Anonymous-OS was "created for educational purposes, to (sic) checking the security of web pages." They also added: "Please don't use any tool to destroy any Web page."

The operating system was built using version 11.10 of Ubuntu, a free open-source operating system based on the Debian Linux distribution. But it also includes a number of attack-oriented tools, including the Anonymous High Orbit Ion Cannon--an update to the group's Low Orbit Ion Cannon distributed denial of service tool--as well as automated SQL injection tool Havij, and network protocol analyzer Wireshark.

Rik Ferguson, solutions architect for Trend Micro, told the BBC that after running the operating system, he'd found that it was "a functional OS with a bunch of pre-installed tools that can be used for things like looking for [database] vulnerabilities or password cracking," but that he hadn't yet ascertained whether it included malware meant to harm the user. On the whole, however, he said it paled in comparison to BackTrack, a well-known version of Linux designed for penetration testing.

Reliable channels of Anonymous-related information, meanwhile, warned people that despite the Anonymous-OS name, it didn't appear to be from the hacktivist group of the same name. "Don't use Anonymous OS, we don't know anything about it and can't vouch for it," read a tweet from YourAnonNews. "The Anon OS is fake it is wrapped in Trojans," read an AnonOps tweet.

In a rare move, the administrators of SourceForge last week suspended the project, meaning that the distribution--which they'd been hosting--can no longer be downloaded, at least from there. "SourceForge, and the Open Source community as a whole, values transparency, particularly where issues of security are involved. This project isn't transparent with regard to what's in it. It is critical that security-related software be completely open to peer review (i.e., by providing source code), so that risks may be assessed along with benefits. That is not available in this case, and the result is that people are taking a substantial risk in downloading and installing this distribution," said the site's administrators via blog post. "Furthermore, by taking an intentionally misleading name, this project has attempted to capitalize on the press surrounding a well-known movement in order to push downloads of a project that is less than a week old."

Rather than canceling the project outright, SourceForge's administrators said they'd contact the project's administrator, seeking answers as to why malicious code--aimed at the operating system's users--had apparently been hidden in the distribution.

In response, the anonymous creators of Anonymous-OS posted to Pastebin what they said was a clean bill of health issued by a Rootkit Hunter (rkhunter) scan of the operating system distribution, "for users where (sic) scared about trojans and dangerous files."

Is Anonymous-OS for real? Timing-wise, the appearance of an Anonymous-themed version of Linux seems like an odd coincidence, especially in the wake of the recent arrests and sentencing of alleged leaders of LulzSec and Anonymous, including Hector Xavier Monsegur (a.k.a. Sabu).

"If I were writing a cybercrime thriller, I might dream up a plot where the computer cops--desperate to know the identities of the hacktivists--concocted a plot where they made available software that promised to hide hackers' identities, but in fact secretly passed information back to the cops," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "Of course, I'm not suggesting that has happened in this case. But stranger things have happened (like the prominent leader of LulzSec turning out to have been secretly working for the FBI since the middle of last year)."

This also isn't the first time that an individual or organization with no evident Anonymous affiliation has attempted to use the name for their own purposes. In the wake of the Megaupload takedown, for example, a new file-sharing service, Anonyupload, promised to provide an anonymous file-sharing platform, just as soon as it had received enough donations to start business. As with Anonymous-OS, regular sources of Anonymous information quickly moved to distance themselves from the upstart venture.
