The bots Unveillance had sinkholed are Qakbot-infected machines as well as some Mariposa-infected machines, which could have been a treasure trove of botnet firepower for the hacking group, security experts say. Qakbot is a Trojan that spreads like a worm, and its goal is to steal financial accounts and ultimately help siphon money. The botnet has been spotted on the rise, most recently infecting 1,500 Massachusetts state PCs and possibly exposing personal information of some 250,000 state residents.
Karim Hijazi, CEO and president at Unveillance, which uses sinkhole servers to pose as botnet servers that capture communique from orphaned bots, says his firm controls a large portion of the Qakbot botnet's command-and-control infrastructure via its sinkhole servers. "I believe [LulzSec] wanted it for use for a variety of reasons," Hijazi says. "Fraud, information-stealing, reverse-proxy, [etc.]."
In addition, Unveillance sinkholed some Mariposa bots, which LulzSec was also interested in obtaining. Although law enforcement controls the Mariposa command-and-control servers themselves, there are still plenty of machines worldwide infected with the bot malware. "We still see over 4 million events/communications from infected machines part of Mariposa per hour and over 100,000 unique IP addresses an hour," Hijazi says.
LulzSec wanted Mariposa for DDoS purposes, says Pedro Bustamante, senior research adviser for Panda Security. "It’s important to note that even if LulzSec [was able] to completely hack Unveillance and take over their systems, this will not have an impact on LulzSec getting access to the Mariposa botnet," Bustamante says. "The reason is that the DNS records for the Mariposa command-and-control servers are under the control of law enforcement, and are only being redirected to Unveillance for sinkholing purposes ... we can change the DNS records for the main C&C domains and point them somewhere else as to minimize the impact" of any theft of those existing Mariposa bots, he says.
Clues to LulzSec's botnet intentions began to surface last month, when Unveillance discovered some unusual traffic patterns around its network. On May 25, Hijazi noticed something funny was going on with his email account as well. "An email I saw on my phone was showing as already-read on my computer," even though he had not opened the message yet, he recalls.
Minutes later, he witnessed an email in his inbox go from "unread" to "read" and then back to "unread" again. "That was a really compelling event," he says. Between that and the unusual traffic trying to get past Unveillance's firewalls, something was definitely going amiss: "It was lockdown time," he says.
In the wee hours of the morning, Hijazi received an email with his Infragard password in the subject line, and a message asking if he wanted "to talk," and signed "Love, Friends." He gathered his team at 4:30 a.m., and they began brainstorming and shoring up security.
It wasn't until later in an online chat with the hackers that Hijazi learned what the attackers really wanted: "They ... [were] saying, 'We want your botnet information' or they would 'dox' us," he says. Among their demands was Qakbot information and its sinkholes: "They wanted [me] to convey ownership of the domain for DDoS'ing. They wanted command and control of those DDoS botnets," Hijazi says.
When Hijazi refused, they demanded money, but he replied that his firm was a start-up and didn't have any money. "On Friday, they dumped my emails online, and InfraGard was taken down," he says.
While Anonymous -- from which LulzSec originally spun off -- has been best known for using "crowdsource" distributed denial-of-service (DDoS) attacks using the Low Orbit Ion Cannon (LOIC) tool, the group also has relied on established botnets to take down websites it targets.
Meanwhile, Hijazi says the AntiSec operation headed by Anonymous is hosting a new hacker training school via an IRC chat room for new recruits. "New information about their 'new' AntiSecPro hacker training school shows intent to use the ZeuS source code to train new recruits [bot-herders] how to compile and deploy a ZeuS botnet," Hijazi says.
Aside from the Zeus training and offering source code for Zeus 22.214.171.124, the "#school4lulz" training includes language injection via HTTP, IDS evasion, SQL injection techniques, botnet C&C protocol selection, takeover mitigation, social engineering skills, war-driving, and how to find an individual's personal information online, Unveillance says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.