Researcher Links IRC with Cyber Criminals

Friday, January 14, 2011



In late December a Senior Threat Researcher with McAfee, Francois Paget, raised questions regarding the relationship between purported elements of the Anonymous movement and suspected Russian cyber criminals in a post on the McAfee Labs' blog site.

Paget outlined the series of events that began with attacks on the WikiLeaks site claimed by hacktivist The Jester in late November and culminated with the distributed denial of service (DDoS) attacks against Bank of America by Anonymous.

Through analysis of the chain of events Paget noted that the infamous, which he refers to as "a den of criminals", had become associated with Anonymous activities via the establishment of the IRC.

Paget's December analysis is as follows:

  • The Anonymous group claims to have stopped DDoS attacks
  • The security community sends an alert about a suspicious WikiLeaks mirror site hosted on the dangerous (a den of criminals)
  • Spamhaus suffers DDoS attacks but says neither LOIC nor LOIC-like tools are involved in the attacks
  • In some semiprivate forums AnonOps members deny responsibility
  • A new Anonymous communication network is created in Russia. Ten or so IRC servers are linked to the same
  • One of these IRC servers––drove #operationBoA

Paget followed up his earlier assertions with an article posted Wednesday on the McAfee Labs blog site, in which he outlines more evidence supporting his conclusions that there may indeed be links between hacktivists and cyber criminal networks.

Paget lists the IP addresses linked with and their McAfee email reputations:

  • High Risk
  • High Risk
  • Minimal Risk
  • High Risk
  • Minimal Risk
  • High Risk
  • Minimal Risk
  • High Risk
  • High Risk
  • Medium Risk
  • Unverified
  • High Risk

Paget goes on to examine other evidence, including some IRC chats and their relationship to subsequent DDoS attacks against government sites in Zimbabwe.

Rounding out his latest post, and given the weight of the available evidence, Paget again asserts that there may be organized criminal elements involved with some of the operations attributed to the Anonymous movement.

What is not known is whether the association is condoned by the original Anonymous activists, referred to by Paget as the Failship IRC team, or if the international gathering of script-kiddies has been infiltrated to some degree.

Paget states:

"Whenever a big event occurs around the world (earthquake, celebrity death, popular feast day, etc.) cybercrime jumps at the chance to exploit it. And this appears to be the case with WikiLeaks and Anonymous. What an opportunity for criminals to take advantage of a volunteer army eager to take part in a struggle!"

"Are the individuals managing the same as those running operations leakspin, paperstorm, black face, bling, and anonymiss?"


John bros must watch the researches