WikiLeaks Supporters' Attacks Show Power of Opt-in Botnets

The attacks on MasterCard, PayPal and other sites underscore the ties between hacktivism and the growth of opt-in botnets.

The WikiLeaks controversy has spilled far beyond discussions of classified documents into the realm of cyber-security, where reports of denial-of-service attacks against everything from MasterCard to PayPal have flooded the press.

Behind those reports, though, is the growing issue of opt-in botnets powered by users who intentionally install software to take part in cyber-attacks. The concept is not new; but such botnets are increasingly being used as a vehicle of protest by hacktivists looking to voice their displeasure.

"Opt-in botnets are a different breed of threat," said Gunter Ollmann, vice president of research at Damballa, who recently wrote a paper on the issue (PDF). "While criminal botnets require the invisible and unauthorized installation of a malware agent - which is generally illegal in most Western countries - 'choosing' to install the software and consenting to be part of a distributed platform is fine."

The software at the center of the attacks by Anonymous - a collection of hackers associated with the 4chan message board - is known as Low Orbit Ion Cannon (LOIC). According to Imperva, LOIC was originally an open source server load testing tool that was co-opted as a manual distributed-denial-of-service (DDoS) tool. As Twitter accounts have been taken offline, a hacker updated LOIC with a module that enables server command and control so that users don't have to think about where to point the attack.

"Operation Payback's ability to challenge serious sites and do that simultaneously is very much coupled to the introduction of the new version with its C&C (command and control) capabilities," said Amichai Shulman, chief technology officer at Imperva. "My speculation is that due to the substantial increase in downloads it is highly likely this is no longer just a social movement, but also a technical movement like a botnet."

Anyone who wants to sign up for attacks can download LOIC from the Web and configure it to "Hive Mind" to connect to an IRC server, explained Vanja Svajcer, principal virus researcher at Sophos Labs. The attack begins when the nodes in the botnet receive the command from the IRC server.

"The main purpose of (LOIC), allegedly, is to conduct stress tests of the Web applications, so that the developers can see how a Web application behaves under a heavier load," Svajcer blogged. "Of course, a stress application, which could be classified as a legitimate tool, can also be used in a DDoS attack."

"(The tool's) main component is an HTTP flooder module which is configured through the main application window," he continued. "The user can specify several parameters such as host name, IP address and port as well as the URL which will be targeted. The URL can also be pseudo-randomly generated. This feature can be used to evade the attack detection by the target's intrusion prevention systems."

"Using the Hive Mind mode, Anonops can launch attacks on any site, not just the one you voluntarily agreed to target," he added.
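The defender's view of the two behaviours Svajcer describes (one client hammering a host, and pseudo-random URLs meant to slip past signature-based IPS rules) is that the flood is visible in the request rate per source regardless of what the path looks like, and that a client whose every request carries a different path is itself a signal. The following is an added example, not code from the article or from any vendor quoted in it: a small access-log analyser that flags per-source floods using a sliding window and reports the distinct-path ratio as a separate indicator. The log format (Common Log Format), the thresholds, and the sample log lines with documentation-range addresses are my assumptions and constructed data.

```python
"""
Added example (not from the article or from any vendor quoted in it):
flag LOIC-style HTTP floods from a single source in a web access log,
even when the request path is pseudo-randomised on every request.

Assumptions (mine, not the article's): Common Log Format lines, a flood
is more than RATE_THRESHOLD requests from one client inside any
WINDOW_SECONDS span, and a high distinct-path ratio is reported as an
extra indicator rather than used to suppress the alert.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10        # sliding window length (assumed)
RATE_THRESHOLD = 20        # requests per window from one client (assumed)
RANDOM_PATH_RATIO = 0.8    # distinct paths / requests at or above this is odd


def parse_line(line):
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
    }


def detect_floods(lines, window=WINDOW_SECONDS, threshold=RATE_THRESHOLD):
    """Return {ip: indicators} for clients exceeding `threshold` requests
    in any `window`-second span. The window is tracked per client, so the
    log only needs to be time-ordered within each client's own lines."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    paths = defaultdict(set)      # ip -> distinct paths requested
    totals = defaultdict(int)     # ip -> total requests seen
    peak = defaultdict(int)       # ip -> largest window count observed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip malformed lines rather than crash
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop timestamps that fell out of the window
        peak[ip] = max(peak[ip], len(q))
        paths[ip].add(rec["path"])
        totals[ip] += 1
    result = {}
    for ip, n in peak.items():
        if n > threshold:
            ratio = len(paths[ip]) / totals[ip]
            result[ip] = {
                "peak_rate": n,
                "distinct_path_ratio": round(ratio, 2),
                "randomised_paths": ratio >= RANDOM_PATH_RATIO,
            }
    return result


def build_sample_log():
    """Constructed sample data: one client sends 30 requests in 5 seconds,
    each with a different query string (the pseudo-random URL trick), plus
    an ordinary visitor. Addresses are from documentation ranges."""
    lines = []
    for i in range(30):
        lines.append(
            f'203.0.113.5 - - [10/Dec/2010:14:00:{i // 6:02d} +0000] '
            f'"GET /?{i * 7919:08x} HTTP/1.1" 200 512'
        )
    for i, path in enumerate(["/", "/about", "/", "/contact", "/"]):
        lines.append(
            f'198.51.100.7 - - [10/Dec/2010:14:00:{i * 2:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 1024'
        )
    return lines


if __name__ == "__main__":
    for ip, info in detect_floods(build_sample_log()).items():
        print(ip, info)
```

Because the alert keys on request rate per source, randomising the path buys the sender nothing here; the distinct-path ratio is reported alongside so an analyst can tell a scripted flood from, say, a busy proxy that simply issues many requests to normal pages.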