A poisoned Website is tricking innocent visitors into becoming an unwitting part of the Anonymous DDoS army
Numerous people may unwittingly be assisting Anonymous in its current campaign against the US Department of Justice (DoJ) and various Websites owned by film and music tycoons.
The hacker group has been peppering the sites with DDoS attacks to protest at the downing of the Megaupload file storage site. An international crimebusting team, headed by the DoJ’s Federal Bureau of Investigation (FBI), took over the Megaupload site and arrested many of its organisers.
Expect the unexpected
Anonymous posted the following message: “We Anonymous are launching our largest attack ever on government and music industry sites. Lulz. The FBI didn’t think they would get away with this did they? They should have expected us.”
What nobody expected is the means by which the attacks are being mounted. Apart from Anonymous’ usual tactic of botnet Command and Control (C&C) networks firing spurious data at the targeted servers, the group has found a simple way of covertly enrolling other attackers.
According to Graham Clueley, a Sophos’ Naked Security blogger and senior technology consultant, the group has been relying on natural curiosity to entrap “helpers”. By seeding Twitter with links in tweets, in a number of languages, the inquisitive reader is led to comments on the Pastehtml.com Website. The unsuspecting visitors may not realise it but they have been tricked into allowing their PCs to be used as DDoS bots.
Current targets appear to be the Recording Industry Association of America (RIAA) and Universal Music Group which have ceased to operate, but it has also aimed its guns at the DoJ site and several other digital rights supporters. A new assault on Whitehouse.gov has also been released.
A wall of noise
The trick is aimed at obscuring the Anonymous group’s activities following several arrests of key members last year. Anyone arrested for the current attacks will claim to be unwitting stooges – an argument that has succeeded in the past.
In an attempt to sue various habitual music downloaders, the music industry convinced the courts that IP addresses never lie and that the owners of these addresses must be the guilty party. In May last year, a US judge ruled that an IP address did not equate to a person and the RIAA cases started to fall apart.
At the end of the year the RIAA was embarrassed when its IP addresses were found to be cruising illegal download sites and the organisation had to use the “it was not me, it was a spoofer” defence.
The problem for the involuntary attackers is that DDoS attacks on US government sites are being viewed as terrorist attacks. Anyone caught doing so is liable to prosecution, even UK citizens are likely to be extradited. The accidental terrorist argument may not prove to be sufficient defence.