The attacks on MasterCard, PayPal and other sites underscore the ties between hacktivism and the growth of opt-in botnets.
The WikiLeaks controversy has spilled far beyond discussions of
classified documents into the realm of cyber-security, where reports
of denial-of-service attacks
against everything from MasterCard to PayPal have flooded the press.
Behind those reports, though, is the growing issue
of opt-in botnets powered by users who intentionally install
software to take part in cyber-attacks. The concept is not new;
but such botnets are increasingly being used as a vehicle of
protest by hacktivists looking to voice their displeasure.
"Opt-in botnets are a different breed of threat," said Gunter Ollmann, vice president of research at Damballa, who recently wrote a paper on the issue
"While criminal botnets require the invisible and unauthorized
installation of a malware agent - which is generally illegal in most
Western countries - 'choosing' to install the software and consenting
to be part of a distributed platform is fine."
The software at the center of the attacks by Anonymous - a
collection of hackers associated with the 4chan message board - is
known as Low Orbit Ion Cannon (LOIC). According to Imperva, LOIC was
originally an open source server load testing tool that was co-opted as
a manual distributed-denial-of-service (DDoS) tool. As Twitter accounts
have been taken offline, a hacker updated LOIC with a module that
enables server command and control so that users don't have to think
about where to point the attack.
"Operation Payback's ability to challenge serious sites and do that
simultaneously is very much coupled to the introduction of the new
version with its C&C (command and control) capabilities," said
Amichai Shulman, chief technology officer, at Imperva. "My speculation
is that due to the substantial increase in downloads it is highly
likely this is no longer just a social movement, but also a technical
movement like a botnet."
Anyone who wants to sign up for attacks can download LOIC from the
Web and configure it to "Hive Mind" to connect to an IRC server, explained Vanja Svajcer
principal virus researcher at Sophos Labs. The attack begins when the
nodes in the botnet receive the command from the IRC server.
"The main purpose of (LOIC), allegedly, is to conduct stress tests
of the Web applications, so that the developers can see how a Web
application behaves under a heavier load," Svajcer blogged. "Of course,
a stress application, which could be classified as a legitimate tool,
can also be used in a DDoS attack."
"(The tool's) main component is a HTTP flooder module which is
configured through the main application window," he continued. "The
user can specify several parameters such as host name, IP address and
port as well as the URL which will be targeted. The URL can also be
pseudo-randomly generated. This feature can be used to evade the attack
detection by the target's intrusion prevention systems."
"Using the Hive Mind mode, Anonops can launch attacks on any site, not just the one you voluntarily agreed to target," he added.