TechWeekEurope is invited into an Anonymous team’s IRC session to learn about the group’s aims and watch its big botnets in action
There have been some notable attacks on UK public sector websites this week. Home secretary Theresa May had her site taken down from Sunday night to Monday morning. Then the Information Commissioner’s Office (ICO) saw its site taken offline for a large chunk of yesterday – and at the time of publication it was down again.
In both cases, distributed denial of service (DDoS) attacks were suspected. In both cases, an Anonymous splinter group, the ATeam, took responsibility, claiming the publicity prize.
TechWeekEurope was invited onto an Anonymous IRC session with the group yesterday, whilst the ICO website was going up and down like a yo-yo. Online were Winston Smith, who is “the voice” of the group, and AnonSkill, one of the group’s two “security leads”. The invite came as the group sought to improve its reputation, saying some have tried to make Anonymous seem like a band of terrorists.
Throughout the chat, notices came from AnonSkill saying when he had disabled the ICO website. The claims were plausible, as his announcements coincided with times when the ICO site was down. No warning was given on hits, just confirmation when the site was down.
But how were they doing it? “I am using a botnet, self-coded, which contains well over 10,000 bots,” AnonSkill explained. According to Smith, the group is harnessing the power of two sizeable botnets made up of end-user PCs that have been given over, willingly or unwillingly, to the team’s attacks. One botnet has 10,000 bots, another has 50,000, said Smith.
I like big bots, I cannot lie
Where were AnonSkill’s bots coming from though? It appears he has been recruiting people’s machines without their knowledge via drive-by download attacks. “I can’t really say where, but they are from places I visit, and just from public websites, in which people download my file,” AnonSkill explained. “None of which participated or actually were willing to be part of my botnet, no. They downloaded a file/used my file, not knowing it was malware.”
The actual initiation of the DDoS is unsurprisingly simple. “I select the target, then proceed to check all connections are secure, then I make sure the bots are ready, the attack engages, and then it’s all over,” AnonSkill said. Other details on the ICO attack emerged during the chat, with AnonSkill saying it appeared the ICO had brought in two fresh servers to cope with the hit, which “completely failed them”. He said he was going after “all servers” not just a select number of IPs.
Perhaps Smith is not bothered about being a prominent face because he isn’t the one carrying out the attacks or managing the DDoS strikes. Under the eyes of the law, he may not have done anything wrong. He also claimed he has one over on the police, saying he complained of computer misuse against him but the police did nothing to help him.
AnonSkill, perhaps wisely, revealed little about himself. He claimed responsibility for the recent DDoS on Virgin Media, after which he received an invite into the ATeam. “We liked what he could do,” said Smith. “So he was invited, joint security lead.”
“I was not in any other groups but I was massively involved in operations, such as #OpDefense, #OpIndia, #OpGreece, etc. ‘Heavily involved’, meaning, I took the targets down whenever they came to me,” AnonSkill added.
He acknowledged support in this role from DwayneV1x, the other security lead. Between them they initiate attacks with their thousands of bots and 50 servers, which they bought using their own money. AnonSkill said he had spent £4000 since joining the ATeam, claiming he had “a steady income” to support such big spending.
As for the make-up of the small collective, it appears to consist of 10 people, all of whom are thought to be in their 30s and 40s. The group isn’t keen on youngsters taking part. It recently launched a campaign against the “grooming” of teenagers by Anonymous teams. Smith said it doesn’t want to recruit any more members either. “Every time we try, we end up with a nut case,” he said. “Or someone who takes self-credit, not as a group,” AnonSkill added.
Politics is the key for the ATeam. It believes in a defined strategy of picking a political point, then choosing the targets before carrying out an attack. There are those who see DDoS as a cynical form of protest, however, effectively censoring a website and committing an act against freedom of speech. To many, this is incongruous with Anonymous’ “freedom of the internet” ethos.
“We can achieve a lot with a DDoS attack,” AnonSkill claimed. “For example, if a business website was taken down, and that’s the only way they can make their money, their business is temporarily over.” Yet the group doesn’t go after businesses, Smith said, only political targets. Is this another contradiction?
After the IRC chat, Smith explained a little more about what he thinks DDoS can do. “The attacks are purely to bring publicity,” he said. “The publicity from the attacks allows us to focus the public on corruption. If we did not attack then we would not be able to make people aware of the corruption.” Once it has gained attention through DDoS hits, the group wants to release “evidence of corruption”.
Smith claimed to have some juicy information on the ICO, which the group plans to release this week. But other Anonymous groups have threatened to publish revealing data before and failed to follow through. If the ATeam does come out with some genuinely interesting stuff on the data protection watchdog, it may make more of a name for itself. That’s something that is key for the group right now.
More importantly for the group though, it might make a real political impact. DDoS attacks get publicity, but the ATeam can’t rely on them to make its presence felt amongst those it wants to influence.
Legitimate protests carried out in public may prove far more effective. They might help keep Anonymous, which the ATeam believes is “destroying itself”, relevant.