The FBI Can Haz Lulz Too...

Thursday, March 15, 2012

Kevin McAleavey


Those of you who have been following my articles over the past year have noted my obsession with the Lulz kids, as well as my hopefully instructive information on how their various methods of attack could be mitigated if not stopped completely against the sites you're responsible for.

(Here and here).

And in doing so, I've had many lulz myself pointing out how these kids may have a handful of geniuses providing them with code, scripts and "howtos" but in general, the attackers were neither legion nor terribly smart.

And so with the arrest of Sabu and five other lulzer types, we now get to peel back the curtain and see how clueless these "formidable opponents" truly were, and why I was so often compelled to administer ridicule and spankings here to those site administrators who got pwned during the escapades of the lulzboat and others like them.

Sadly, many have also expressed a sigh of relief that the three hour cruise was finally over, but rest assured that it isn't. They're about to trade in their skiff for a submarine.

Over the years I've worked for government, and in the course of doing so, I've had security clearances due to the work I performed. I've also worked with law enforcement in computer forensics both here and overseas in tracking down various computer criminals and am acutely aware of the rules.

In writing for Infosec Island, I had to be very careful not to step over that line by examining the contents of the WikiLeaks cables, or any other information that could be considered "sensitive" and that has made following the lulzers difficult and limited what I could write about since I expect to some day have to be cleared again in the future.

Back in 1969, I hosted a radio show in New York City and had the "privilege" of receiving a call on my show from Father Daniel Berrigan who didn't like some of the things I was reporting on that show.

As I left the studio, I was accosted by three FBI agents who escorted me down to a building on West Street to be "interviewed" as to his whereabouts. It wasn't a pleasant experience, but it was eventually determined that I really didn't know anything about him or his whereabouts and I was allowed to go home - eventually.

My experience with the rules and procedures for dealing with "spooks" and law enforcement came into play here during the YamaTough episode as well, as I was unable to be of as much help as my own curiosity about the goings-on would have liked me to be.

I love a good chase, and I love a good story. Especially when it involves mysteries that I've been pretty good at following to the end of the trail. Alas, it's easy to inadvertently mess up an investigation, and the powers that be really don't appreciate interlopers. And so I had to respect that.

When "AntiSec" and "LulzSec" became highly visible "doing their thing" so brazenly and openly, I was aghast at how easily the participants were able to be seen in open sight, and in following them on twitter and IRC, I couldn't imagine that they weren't being watched.

Everybody even knew the players, or at least their pseudos and several observers dox'd them. I knew by last fall that Xavier was on the lower east side of Manhattan and expressed amazement that everyone knew who he was, and where he lived and yet ...

By December, I heard more and more discussion suggesting that Sabu had been arrested in June of last year and suspicion that he had "turned." Only made sense to me. But if this was the case, last thing I'd want to do was spread the word.

By January, as the attacks continued, each still advertised in advance even after I had mentioned here exactly where people could watch them in real time themselves, it became fairly obvious what was going on. At least to me and a few others.

However, the rules of security clearance required that I remain silent about that and continue to write only about the exploits after the fact, how they worked, and by what likely means and repercussions these undertakings meant. I wanted to write more, but I knew not to.

On Wednesday morning, something humorous occurred on the "Youranonnews" feed on twitter within minutes of each other:

[screenshot: lulz1]

[screenshot: lulz2]

It would appear that "anonymous" finally figured out the timeline that I and others worked out many months ago once we became aware of Sabu actually being arrested!

But it gets better... once those were posted, others quickly assembled an "official timeline" of the events, and it can be seen here in all its glory:


Whoops. :)

So now that they've FINALLY figured it all out, no need for me to hold back any more since it wasn't me who "blew the cover" and I can now rely on "public record" for my claims and share them here.

To add to the fun, since Sabu's arrest back last June, a number of spurious "lulz cannon" tools have been circulated in tweets, including the infamous LOIC and other tools containing added "call home" code and even some virused "booty," culminating in the latest release of something called "Anonymous OS" (nope, it isn't KNOS) which is "wrapped in trojans" according to tweets from "#Anonymous."

[screenshot: lulzZeus]

Couple that with the Zeus-trojaned "Slowloris" and numerous other broken tools, and the kids are good and paranoid about touching any of these script kiddie tools any more if they don't already have the originals.

So the FBI and all this disinformation are sure to shrink the number of volunteers among the script kiddie crowd, especially given how many have been rounded up based on those "phone home" trojan variations of the tools recently added to their warchests.

But alas, many of those who were in the movement prior to Sabu getting Dox'd still have the original LOIC, HOIC, Slowloris and other tools and they're not tainted.

Some of them even know how to check their TOR session before typing and they're as angry as a beehive that just got hit with a baseball bat and knocked to the ground.

And given the lessons of "don't mouth off in public" those who remain are more dangerous than ever before. They won't be tweeting prior to taking your site down.

BE CAREFUL! Make sure your code is patched and your doors locked! The story doesn't end here. It merely submerges until they regroup with fresh meat and rum.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.

Kevin McAleavey: As the saying goes, "Anonymous consists of a handful of very clever coders and a cast of thousands of idiots."

And we're apparently getting an idea now of how large that "cast of idiots" might actually be ...

So far, over 26,000 downloads of the dodgy "Anonymous OS" according to this article at Global Post:

http://www.globalpost.com/dispatch/news/business-tech/technology-news/120315/anonymous-popular-operating-system-created-virus

Heh. :)