3/19/2012 12:44 PM

Anonymous Linux OS Authors Still A Mystery

SourceForge pulled the Linux OS last week after security experts outlined risks, and regular Anonymous channels denounced it as a Trojan-laden fake. So who's behind it?

If you like the hacktivist collective Anonymous, you'll love a new Linux operating system that promises out-of-the-box attack capabilities.

That was the pitch for Anonymous-OS, which appeared last week on the popular open-source file distribution site SourceForge. The 1.5-GB distribution file was quickly downloaded more than 26,000 times. According to its anonymous creators, Anonymous-OS was "created for educational purposes, to (sic) checking the security of web pages." They also added: "Please don't use any tool to destroy any Web page."

The operating system was built using version 11.10 of Ubuntu, a free open-source operating system based on the Debian Linux distribution. But it also includes a number of attack-oriented tools, including the Anonymous High Orbit Ion Cannon--an update to the group's Low Orbit Ion Cannon distributed denial of service tool--as well as automated SQL injection tool Havij, and network protocol analyzer Wireshark.

Rik Ferguson, solutions architect for Trend Micro, told the BBC that after running the operating system, he'd found that it was "a functional OS with a bunch of pre-installed tools that can be used for things like looking for [database] vulnerabilities or password cracking," but that he hadn't yet ascertained whether it included malware meant to harm the user. On the whole, however, he said it paled in comparison to BackTrack, a well-known version of Linux designed for penetration testing.

Reliable channels of Anonymous-related information, meanwhile, warned people that despite the Anonymous-OS name, it didn't appear to be from the hacktivist group of the same name. "Don't use Anonymous OS, we don't know anything about it and can't vouch for it," read a tweet from YourAnonNews. "The Anon OS is fake it is wrapped in Trojans," read an AnonOps tweet.


In a rare move, the administrators of SourceForge last week suspended the project, meaning that the distribution--which they'd been hosting--can no longer be downloaded, at least from there. "SourceForge, and the Open Source community as a whole, values transparency, particularly where issues of security are involved. This project isn't transparent with regard to what's in it. It is critical that security-related software be completely open to peer review (i.e., by providing source code), so that risks may be assessed along with benefits. That is not available in this case, and the result is that people are taking a substantial risk in downloading and installing this distribution," said the site's administrators via blog post. "Furthermore, by taking an intentionally misleading name, this project has attempted to capitalize on the press surrounding a well-known movement in order to push downloads of a project that is less than a week old."

Rather than canceling the project outright, SourceForge's administrators said they'd contact the project's administrator, seeking answers as to why malicious code--aimed at the operating system's users--had apparently been hidden in the distribution.

In response, the anonymous creators of Anonymous-OS posted to Pastebin what they said was a clean bill of health issued by a Rootkit Hunter (rkhunter) scan of the operating system distribution, "for users where (sic) scared about trojans and dangerous files."

Is Anonymous-OS for real? Timing-wise, the appearance of an Anonymous-themed version of Linux seems like an odd coincidence, especially in the wake of the recent arrests and sentencing of alleged leaders of LulzSec and Anonymous, including Hector Xavier Monsegur (a.k.a. Sabu).

"If I were writing a cybercrime thriller, I might dream up a plot where the computer cops--desperate to know the identities of the hacktivists--concocted a plot where they made available software that promised to hide hackers' identities, but in fact secretly passed information back to the cops," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "Of course, I'm not suggesting that has happened in this case. But stranger things have happened (like the prominent leader of LulzSec turning out to have been secretly working for the FBI since the middle of last year)."

This also isn't the first time that an individual or organization with no evident Anonymous affiliation has attempted to use the name for their own purposes. In the wake of the Megaupload takedown, for example, a new file-sharing service, Anonyupload, promised to provide an anonymous file-sharing platform, just as soon as it had received enough donations to start business. As with Anonymous-OS, regular sources of Anonymous information quickly moved to distance themselves from the upstart venture.
