Anonymous Linux OS Authors Still A Mystery

SourceForge pulled the Linux OS last week after security experts outlined risks, and regular Anonymous channels denounced it as a Trojan-laden fake. So who's behind it?

If you like the hacktivist collective Anonymous, you'll love a new Linux operating system that promises out-of-the box attack capabilities.

That was the pitch for Anonymous-OS, which appeared last week on the popular open-source file distribution site SourceForge. The 1.5-GB distribution file was quickly downloaded more than 26,000 times. According to its anonymous creators, Anonymous-OS was "created for educational purposes, to (sic) checking the security of web pages." They also added: "Please don't use any tool to destroy any Web page."

The operating system was built using version 11.10 of Ubuntu, a free open-source operating system based on the Debian Linux distribution. But it also includes a number of attack-oriented tools, including the Anonymous High Orbit Ion Cannon--an update to the group's Low Orbit Ion Cannon distributed denial of service tool--as well as automated SQL injection tool Havij, and network protocol analyzer Wireshark.

Rik Ferguson, solutions architect for Trend Micro, told the BBC that after running the operating system, he'd found that it was "a functional OS with a bunch of pre-installed tools that can be used for things like looking for [database] vulnerabilities or password cracking," but that he hadn't yet ascertained whether it included malware meant to harm the user. On the whole, however, he said it paled in comparison to BackTrack, a well-known version of Linux designed for penetration testing.

Reliable channels of Anonymous-related information, meanwhile, warned people that despite the Anonymous-OS name, it didn't appear to be from the hacktivist group of the same name. "Don't use Anonymous OS, we don't know anything about it and can't vouch for it," read a tweet from YourAnonNews. "The Anon OS is fake it is wrapped in Trojans," read an AnonOps tweet.

In a rare move, the administrators of SourceForge last week suspended the project, meaning that the distribution--which they'd been hosting--can no longer be downloaded, at least from there. "SourceForge, and the Open Source community as a whole, values transparency, particularly where issues of security are involved. This project isn't transparent with regard to what's in it. It is critical that security-related software be completely open to peer review (i.e., by providing source code), so that risks may be assessed along with benefits. That is not available in this case, and the result is that people are taking a substantial risk in downloading and installing this distribution," said the site's administrators via blog post. "Furthermore, by taking an intentionally misleading name, this project has attempted to capitalize on the press surrounding a well-known movement in order to push downloads of a project that is less than a week old."

Rather than canceling the project outright, SourceForge's administrators said they'd contact the project's administrator, seeking answers as to why malicious code--aimed at the operating system's users--had apparently been hidden in the distribution.

In response, the anonymous creators of Anonymous-OS posted to Pastebin what they said was a clean bill of health issued by a Rootkit Hunter (rkhunter) scan of the operating system distribution, "for users where (sic) scared about trojans and dangerous files."

Is Anonymous-OS for real? Timing-wise, the appearance of an Anonymous-themed version of Linux seems like an odd coincidence, especially in the wake of the recent arrests and sentencing of alleged leaders of LulzSec and Anonymous, including Hector Xavier Monsegur (a.k.a. Sabu).

"If I were writing a cybercrime thriller, I might dream up a plot where the computer cops--desperate to know the identities of the hacktivists--concocted a plot where they made available software that promised to hide hackers' identities, but in fact secretly passed information back to the cops," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "Of course, I'm not suggesting that has happened in this case. But stranger things have happened (like the prominent leader of LulzSec turning out to have been secretly working for the FBI since the middle of last year)."

This also isn't the first time that an individual or organization with no evident Anonymous affiliation has attempted to use the name for their own purposes. In the wake of the Megaupload takedown, for example, a new file-sharing service, Anonyupload, promised to provide an anonymous file-sharing platform, just as soon as it had received enough donations to start business. As with Anonymous-OS, regular sources of Anonymous information quickly moved to distance themselves from the upstart venture.
