Attacks/Breaches
12/9/2010
04:38 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Botnet Operators Set To Join Operation Payback

'Anonymous' hacker group now focusing DDoS attack energy onto PayPal

The distributed denial-of-service (DDoS) attack marathon waged earlier this week by a hacktivist group using volunteers' computer resources to overwhelm high-profile targets could be gaining more dedicated firepower as it refocuses its aim specifically on PayPal.

Organizers of the so-called Operation Payback today asked for and appear to have received additional bots from established botnets to further their cause of disrupting firms they perceive as deterring Internet freedom of speech by not supporting WikiLeaks and its now-incarcerated founder, Julian Assange, according to researchers at Imperva.

Tal Be'ery, Web research team lead for Imperva's Application Defense Center, has been monitoring IRC chats under way by Anonymous and its followers. He says the hacktivist group in the past few hours has asked for botnet operators to donate their botnets to Operation Payback. "The operator of the IRC channel is explicitly asking for people for help and to respond via a private message," Be'ery says.

A few botnet operators have responded that they are willing to offer up their computing resources to the DDoS effort. "We've seen a couple of breaking announcements that, 'I'll donate my 30,000 botnet, my 100,000 botnet to attack PayPal,'" Be'ery says.

Just how many volunteer bots have been deployed thus far in the attacks, which flooded MasterCard, Visa, a Swiss Bank that froze Assange's bank account, the Swedish prosecutor's site, and Sarah Palin's website, is unclear. Imperva's Be'ery estimates it's anywhere from multiple thousands to tens of thousands.

Meanwhile, there's now at least one person is surfacing behind the attacks, and it's a fresh-faced, 16-year-old Dutch boy arrested by authorities in the Netherlands for participating in attacks by Operation Payback that hit PayPal and MasterCard this week. According to Sophos, the teenager is said to have confessed to the attacks, and authorities have seized computers. More arrests are likely, and Dutch press are reporting that two ISPs have been identified as providing service to Anonymous, the group behind the attacks that has recruited the help of volunteer bots.

Security experts say Amazon most likely is next in line as the target of the hacktivists' DDoS ire, but for now it's PayPal fighting to deflect the attackers. Imperva's Be'ery says DDoS traffic appears to be centered on a specific PayPal server, www.irc.paypal, which is likely the heart of the PayPal infrastructure, he says, and possibly a weak link.

UPDATE 12/10/10: In a press release issued this morning, Anonymous says it has not attacked Amazon and that "While it is indeed possible that Anonymous may not have been able to take Amazon.com down in a DDoS attack, this is not the only reason the attack never occured. After the attack was so advertised in the media, we felt that it would affect people such as consumers in a negative way and make them feel threatened by Anonymous. Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste."

Anonymous began to retrench its efforts around 8 a.m. Pacific today, Imperva's Be'ery says, after efforts to go after multiple targets weren't quite so successful and the group realized it didn't have the resources to effectively DDoS all of them. "They said, 'Let's concentrate on PayPal.' They were asking whoever was connected to the central server with the C&C servers," he says. But there are also manual versions of the bot tool they don't have direct control over that had to be persuaded to turn their sights on PayPal, as well, he says.

As of this posting, PayPal's website was still up and running. The plan is now to go after Amazon's site, security experts following the attacks say. "I think Amazon is on deck," says Jose Nazario, senior security researcher for Arbor Networks. "We've been tracking their tools and sharing how to defend against these [DDoS] attacks."

The manual version of the Low Orbit Ion Cannon DDoS bot program is a JavaScript plug-in for users who are queasy about downloading bot code or don't have administrative rights to their machines. "If you're not the admin and you can't download or install software, or you are afraid this is really malware that can take over your computer, then you can use this JavaScript version of it and create a denial-of-service attack with your browser only," Be'ery says.

That version of the bot code has been downloaded 33,780 times since Dec. 1, and 27,981 times in the past 24 hours, according to data from Imperva. The C&C version, which is preferred by Anonymous for the attacks, has been downloaded 39,940 times since Dec. 1.

Meanwhile, Anonymous posted a message on its blog reiterating its purpose: "Anonymous' intentions are very clear. We are not vigilantes, regardless of the sentiment of quoting Boondock Saints, we are people on a campaign for freedom. Anonymous' intentions are to change the current way the governments of the world and the people view true Freedom of Speech and The Internet."

The group was clear that it will go after any organization that doesn't support what it considers the free distribution of information over the Net. "Pay attention citizens, governments, and the world. Anonymous' peaceful campaign will focus on any organization, corporation, government, or entity until the Internet is truly free," the blog says. And the hacktivist group says it doesn't mean to hurt the opposition, just convert it: "Anonymous, at this time, wants to persuade our counterparts rather than hurt them. We are campaigning for freedom for everyone, even the opposing side."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web