Organizers of the so-called Operation Payback today asked for and appear to have received additional bots from established botnets to further their cause of disrupting firms they perceive as deterring Internet freedom of speech by not supporting WikiLeaks and its now-incarcerated founder, Julian Assange, according to researchers at Imperva.
Tal Be'ery, Web research team lead for Imperva's Application Defense Center, has been monitoring IRC chats under way by Anonymous and its followers. He says the hacktivist group in the past few hours has asked for botnet operators to donate their botnets to Operation Payback. "The operator of the IRC channel is explicitly asking for people for help and to respond via a private message," Be'ery says.
A few botnet operators have responded that they are willing to offer up their computing resources to the DDoS effort. "We've seen a couple of breaking announcements that, 'I'll donate my 30,000 botnet, my 100,000 botnet to attack PayPal,'" Be'ery says.
Just how many volunteer bots have been deployed thus far in the attacks, which flooded MasterCard, Visa, a Swiss bank that froze Assange's bank account, the Swedish prosecutor's site, and Sarah Palin's website, is unclear. Imperva's Be'ery estimates it's anywhere from multiple thousands to tens of thousands.
Meanwhile, at least one person behind the attacks is now surfacing: a fresh-faced, 16-year-old Dutch boy arrested by authorities in the Netherlands for participating in attacks by Operation Payback that hit PayPal and MasterCard this week. According to Sophos, the teenager is said to have confessed to the attacks, and authorities have seized computers. More arrests are likely, and Dutch press are reporting that two ISPs have been identified as providing service to Anonymous, the group behind the attacks that has recruited the help of volunteer bots.
Security experts say Amazon most likely is next in line as the target of the hacktivists' DDoS ire, but for now it's PayPal fighting to deflect the attackers. Imperva's Be'ery says DDoS traffic appears to be centered on a specific PayPal server, www.irc.paypal, which is likely the heart of the PayPal infrastructure, he says, and possibly a weak link.
UPDATE 12/10/10: In a press release issued this morning, Anonymous says it has not attacked Amazon and that "While it is indeed possible that Anonymous may not have been able to take Amazon.com down in a DDoS attack, this is not the only reason the attack never occurred. After the attack was so advertised in the media, we felt that it would affect people such as consumers in a negative way and make them feel threatened by Anonymous. Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste."
Anonymous began to retrench its efforts around 8 a.m. Pacific today, Imperva's Be'ery says, after efforts to go after multiple targets weren't quite so successful and the group realized it didn't have the resources to effectively DDoS all of them. "They said, 'Let's concentrate on PayPal.' They were asking whoever was connected to the central server with the C&C servers," he says. But there are also manual versions of the bot tool they don't have direct control over that had to be persuaded to turn their sights on PayPal, as well, he says.
As of this posting, PayPal's website was still up and running. The plan is now to go after Amazon's site, security experts following the attacks say. "I think Amazon is on deck," says Jose Nazario, senior security researcher for Arbor Networks. "We've been tracking their tools and sharing how to defend against these [DDoS] attacks."
The manual version of the Low Orbit Ion Cannon DDoS bot program is a JavaScript plug-in for users who are queasy about downloading bot code or don't have administrative rights to their machines. "If you're not the admin and you can't download or install software, or you are afraid this is really malware that can take over your computer, then you can use this JavaScript version of it and create a denial-of-service attack with your browser only," Be'ery says.
That version of the bot code has been downloaded 33,780 times since Dec. 1, and 27,981 times in the past 24 hours, according to data from Imperva. The C&C version, which is preferred by Anonymous for the attacks, has been downloaded 39,940 times since Dec. 1.
Meanwhile, Anonymous posted a message on its blog reiterating its purpose: "Anonymous' intentions are very clear. We are not vigilantes, regardless of the sentiment of quoting Boondock Saints, we are people on a campaign for freedom. Anonymous' intentions are to change the current way the governments of the world and the people view true Freedom of Speech and The Internet."
The group was clear that it will go after any organization that doesn't support what it considers the free distribution of information over the Net. "Pay attention citizens, governments, and the world. Anonymous' peaceful campaign will focus on any organization, corporation, government, or entity until the Internet is truly free," the blog says. And the hacktivist group says it doesn't mean to hurt the opposition, just convert it: "Anonymous, at this time, wants to persuade our counterparts rather than hurt them. We are campaigning for freedom for everyone, even the opposing side."