The distributed denial-of-service attack that knocked Spamhaus offline came from a real botnet controlled by Russian criminals, and was not an Operation Payback operation by the Anonymous group.
A distributed denial-of-service attack against anti-spam group Spamhaus has
provided evidence that cyber-criminals have found a new target: WikiLeaks
supporters. The cyber-criminals have combined the intense interest over
WikiLeaks with a misleading domain name to trick users into going to a fake
site, security researchers said.
Spamhaus was hit by DDoS attack on Dec. 18. Since the group had come under
fire from WikiLeaks supporters for warning that wikileaks.info was under the
control of a Russian host known for hosting malware and phishing sites,
Spamhaus and other security researchers naturally thought it was a retaliatory
attack from Anonymous.
In a message to the North American Network
Operators' Group mailing list
during the attack, Steve Linford, founder of
Spamhaus wrote, "We're not saying 'Don't go to WikiLeaks.' We're saying 'Use
the wikileaks.ch server instead.'"
After further analysis of its logs on Dec. 20, Spamhaus
corrected its earlier statement in an update, reporting the attacks were from a
professional botnet and not from the point-and-click LOIC (Low Orbit Ion
Cannon) tool that Anonymous uses for its DDoS attacks.
The entire saga began Dec. 14 when Spamhaus issued a warning
that the previously defunct wikileaks.org site was redirecting to a mirror on
the wikileaks.info domain, which was actually being hosted by a Russian
bullet-proof host Webalta. The host has often been associated with phishing,
banking fraud, stolen credit card information and malware, according to
Spamhaus. The main .org site has been offline ever since the site's U.S.-based DNS
provider withdrew services
earlier this month.
Chester Wisniewski, a senior security adviser at Sophos,
wrote on the Naked
that it was not clear how the Russian host had gotten control
over that .org site.
Spamhaus advised users to use a safer URL, such as the
current official home of WikiLeaks, at wikileaks.ch, or one of the official
mirrors listed on the site. The .info site was not listed as an official mirror
even though it was displaying WikiLeaks documents and it could have become a "real
threat" if the pages had actually hosted malicious content, wrote
Trend Micro also issued a similar warning, saying, "No
matter what your political view is, this is rather disturbing." The
security firm assigned a low reputation score to wikileaks.info "not
because of political controversy" but because of the "bad
" where the domain is hosted.
Even though Sophos has not found any malware, it would be
safer to use the wikileaks.ch site instead, said Wisniewski.
On Dec. 15, a press release with a WikiLeaks logo on the
main page of the .info site claimed the information from Spamhaus was
"false" and "none of [Spamhaus'] business," and called on
supporters to "voice their concern" about the warnings, in a clear
reference to Operation
, according to Linford.
As the logs vindicate Anonymous, Spamhaus conceded that
it identified the attacker but not the reasons for attack. The anti-spam outfit
now believes the attacks came from the Russia-based Heihachi group, which
resells Webalta services. Heihachi controls enough botnets for the attack and
may have retaliated after being unmasked, said Spamhaus.
The attack must have been fairly substantial to actually
knock Spamhaus offline, as the organization faces DDoS attacks on an almost
daily basis, most of which it is able to handle without trouble. That should
have been the first clue this was not an Anonymous operation, as the group can't
come up with that kind of firepower.
A "vigilante DDoS attack" of several hundreds
of machines using LOIC can't do a lot of damage to sites that are built to
withstand attacks. Instead, a "botnet of millions of machines" would
be needed, according to Jason Hoffman, co-founder and chief scientist at
After the DDoS attack, Anonymous also denied
responsibility, according to a Spamhaus statement on its site. The statement also
claimed many of the members were distancing themselves from those who had
promoted the attack.
"Our old domain name, AnonOps.net, did indeed reside
on the Heihachi network; however, this does not mean that we are related in any
way to an attack carried out by one of Heihachi's partners or customers,"
Anonymous said in a letter to Spamhaus.
The other potential risk apart from malware is that the
fake site can post "fake WikiLeaks documents" that could "mislead
people into believe just about anything they like," said Wisniewski.
"Currently wikileaks.info is serving highly
sensitive leaked documents to the world, from a server fully controlled by
Russian malware cyber-criminals, to an audience that faithfully believes
anything with a 'Wikileaks' logo on it," Linford wrote.