WikiLeaks Supporters' Attacks Show Power of Opt-in Botnets

By Brian Prince  |  Posted 2010-12-09


The WikiLeaks controversy has spilled far beyond discussions of classified documents into the realm of cyber-security, where reports of denial-of-service attacks against everything from MasterCard to PayPal have flooded the press.

Behind those reports, though, is the growing issue of opt-in botnets powered by users who intentionally install software to take part in cyber-attacks. The concept is not new, but such botnets are increasingly being used as a vehicle of protest by hacktivists looking to voice their displeasure.

"Opt-in botnets are a different breed of threat," said Gunter Ollmann, vice president of research at Damballa, who recently wrote a paper on the issue (PDF). "While criminal botnets require the invisible and unauthorized installation of a malware agent - which is generally illegal in most Western countries - 'choosing' to install the software and consenting to be part of a distributed platform is fine."

The software at the center of the attacks by Anonymous - a collection of hackers associated with the 4chan message board - is known as Low Orbit Ion Cannon (LOIC). According to Imperva, LOIC was originally an open source server load testing tool that was co-opted as a manual distributed-denial-of-service (DDoS) tool. After Twitter accounts were taken offline, a hacker updated LOIC with a command-and-control module so that users no longer have to decide where to point the attack.

"Operation Payback's ability to challenge serious sites and do that simultaneously is very much coupled to the introduction of the new version with its C&C (command and control) capabilities," said Amichai Shulman, chief technology officer at Imperva. "My speculation is that due to the substantial increase in downloads it is highly likely this is no longer just a social movement, but also a technical movement like a botnet."

Anyone who wants to sign up for attacks can download LOIC from the Web and configure it in "Hive Mind" mode to connect to an IRC server, explained Vanja Svajcer, principal virus researcher at Sophos Labs. The attack begins when the nodes in the botnet receive the command from the IRC server.

"The main purpose of (LOIC), allegedly, is to conduct stress tests of the Web applications, so that the developers can see how a Web application behaves under a heavier load," Svajcer blogged. "Of course, a stress application, which could be classified as a legitimate tool, can also be used in a DDoS attack."

"(The tool's) main component is an HTTP flooder module which is configured through the main application window," he continued. "The user can specify several parameters such as host name, IP address and port as well as the URL which will be targeted. The URL can also be pseudo-randomly generated. This feature can be used to evade attack detection by the target's intrusion prevention systems."

"Using the Hive Mind mode, Anonops can launch attacks on any site, not just the one you voluntarily agreed to target," he added.
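Svajcer's description of the flooder above points at the detection problem defenders faced: a signature on one repeated URL misses the pseudo-random mode, but the request rate from each source does not change. The following is example code added to this article, not LOIC itself or any vendor's product, showing a rate-based check over Apache/nginx "combined" access-log lines. The log lines are constructed inline with RFC 5737 test addresses, the thresholds (20 requests, 2 requests per second, 90% unique paths) are illustrative assumptions rather than published rules, and the randomized flood is modelled on the assumption that LOIC's random-URL mode yields a different path on every request. The same per-IP grouping is also what produces the list of participant addresses a target would hand to investigators.

```python
"""Flag LOIC-style HTTP floods in web server access logs.

Example code added to this article; it is not part of LOIC or of any
vendor's product. Log lines are constructed below and the thresholds are
illustrative assumptions, not published detection rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, e.g.
# 203.0.113.5 - - [09/Dec/2010:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("path")


def find_flood_sources(lines, min_requests=20, min_rate=2.0, random_path_ratio=0.9):
    """Group requests by source IP and flag hosts whose request rate looks like a flood.

    Requests per second (over the IP's first-to-last request) is the primary
    signal because it is the same whether the tool hits one fixed URL or a
    pseudo-random one per request. The unique-path ratio only labels the
    pattern, so an analyst can see that a signature on a repeated URL would
    have missed the randomized variant.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, path = parsed
            per_ip[ip].append((ts, path))

    flagged = {}
    for ip, reqs in per_ip.items():
        count = len(reqs)
        if count < min_requests:
            continue
        times = [ts for ts, _ in reqs]
        span = (max(times) - min(times)).total_seconds()
        rate = count / max(span, 1.0)  # a burst inside one second still counts as one second
        if rate < min_rate:
            continue
        unique_ratio = len({path for _, path in reqs}) / count
        flagged[ip] = {
            "requests": count,
            "rate": round(rate, 2),
            "unique_ratio": round(unique_ratio, 2),
            "pattern": "randomized" if unique_ratio >= random_path_ratio else "fixed",
        }
    return flagged


def build_sample_log():
    """Constructed log: one normal visitor and two flood sources (RFC 5737 test addresses)."""
    base = datetime(2010, 12, 9, 14, 3, 0, tzinfo=timezone.utc)

    def stamp(ts):
        return ts.strftime(TS_FORMAT)

    template = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = []
    # Normal visitor: six page views spread over a minute.
    for i, path in enumerate(["/", "/index.html", "/about.html", "/", "/news.html", "/about.html"]):
        lines.append(template.format(ip="203.0.113.5", ts=stamp(base + timedelta(seconds=10 * i)), path=path))
    # Flood source 1: 40 requests in 5 seconds with a different query string every time.
    for i in range(40):
        # Deterministic, collision-free stand-in for a randomly generated URL (assumed behaviour).
        token = format((i * 2654435761) & 0xFFFFFFFF, "08x")
        lines.append(template.format(ip="198.51.100.23", ts=stamp(base + timedelta(seconds=i // 8)), path="/?" + token))
    # Flood source 2: 40 requests in 5 seconds, all to the same URL.
    for i in range(40):
        lines.append(template.format(ip="198.51.100.77", ts=stamp(base + timedelta(seconds=i // 8)), path="/"))
    return lines


if __name__ == "__main__":
    for ip, info in find_flood_sources(build_sample_log()).items():
        print(ip, info)
```

Run as-is, the script flags both 198.51.100.23 (randomized paths) and 198.51.100.77 (fixed path) at 10 requests per second and leaves the normal visitor alone; a check keyed only on repeated identical URLs would have reported just the second host. Real deployments would also want to account for shared NAT addresses and proxies before treating a flagged IP as one participant.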

Social Networks as a Breeding Ground?

Such tactics are growing in prevalence as hacktivists take their causes to the Web. WikiLeaks itself has been the victim of denial-of-service attacks as well, starting with one that occurred just hours before the site leaked U.S. diplomatic cables. According to Ollmann, the researcher with Damballa, opt-in botnets were involved in cyber-attacks that occurred during the controversial elections in Iran in 2009.

Twitter found itself at the center of discussions during the Iran controversy as many users leveraged the micro-blogging service to organize protests. Its role as a digital gathering ground has continued in the latest WikiLeaks controversy. Facebook has been at the eye of the storm as well, and recently took down a page associated with Anonymous' "Operation Payback" for violating the social network's terms of service.

The page was disabled because it was being used to organize denial-of-service attacks, Facebook spokesperson Andrew Noyes said. The WikiLeaks page, however, has yet to violate any policies, he noted.

"We haven't received any official requests to disable the WikiLeaks page, or any notification that the articles posted on the page contain unlawful content," he said. "If we did, of course, we would review the material according to our rules and standards, and take it down if appropriate. The mere existence of a WikiLeaks fan page on Facebook doesn't violate any law and we would not take it down just like we don't take down other pages about controversial topics."

He added that Facebook is continuing to monitor the situation.

Joe Stewart, director of malware research at SecureWorks, said it is not fair to ask social networks to take a proactive role in detecting attempts by attackers to coordinate illegal activity because it would be impractical and set a "bad precedent" by forcing providers to spy on their users. If someone reports a terms-of-service violation, however, social networks should act appropriately, he said.

The bulk of the members of these groups, Stewart said, "don't realize the level of forensics that can be performed on their computers to show the evidence where and when the (bot) file was manually downloaded - they are just following instructions, and those instructions often suggest that a) you can just claim your computer was infected by a virus and b) if there are thousands of people involved, law enforcement can't arrest everyone."

Traditionally, however, the people targeted by law enforcement are the organizers - often using laws related to promoting or endorsing a criminal act, Ollmann told eWEEK.

"As for participants - if there are a lot of individual protest members - it will be difficult for law enforcement to proceed with a case against them beyond a warning," he said.

Still, HD Moore, chief security officer at Rapid7, opined that the people behind the denial-of-service attacks are not helping their cause, and may inadvertently discourage other corporations and banks from doing business with WikiLeaks in the future.

A 16-year-old boy has already reportedly been arrested by Dutch authorities for his involvement in the attacks.

"If you're joining the botnet or the voluntary botnet...your IP address is going to show up in MasterCard's logs and be logged with everybody else who participated...So I hope those folks realize that they may have the FBI knocking on the door in about two months," Moore said.
