Showing posts with label LOIC. Show all posts

BotTorrent: A new paradigm in hacktivism?

The Low Orbit Ion Cannon, or LOIC, is currently a popular tool for taking down websites. It was used against Visa, MasterCard, PayPal and other institutions by "Anonymous" hacktivists.

A new weapon of mass awareness is on the horizon, however, that may very well step up the severity and efficiency of these attacks. If effective, it would set in motion attacks originating from thousands of computers worldwide. The difference? End users would not necessarily know they are participating in the attack.

Thought BitTorrent was just about downloading movies and TV shows? Think again: the BitTorrent protocol can be abused to initiate massive denial of service attacks, which could be used to take down large-scale websites. This exploit is based on BitTorrent's ability to find peers without the help of any centralized server, also known as trackerless BitTorrent. Here's how it would work.

A home user navigates to a torrent search engine to download a popular file (a film or TV show, for instance). The file may have several thousand leechers or seeders; these numbers can reach the hundreds of thousands in some cases, depending on the popularity of the file. For simplicity, think of each leecher as one computer attempting to download the file.

BitTorrent was originally designed around a central server called a tracker, which helps users interested in the same file find each other. These tracker servers have become a kind of Achilles heel of the P2P protocol: once a tracker goes down, new peers can no longer find the swarm. BitTorrent developers therefore came up with a way to discover peers without such a server, based on a Kademlia distributed hash table (DHT).

In the DHT, individual BitTorrent clients introduce themselves to one another and together maintain a kind of distributed directory of which peers hold which file. However, it was recently shown that one can manipulate some of the data exchanged by clients for trackerless torrenting to introduce oneself to many more clients in the network than necessary, and then tell those clients that a popular file is available at a certain IP address.

By manipulating the data communicated between BitTorrent clients, one can create the appearance that a given file is available at an address of one's choosing and cause leechers to attempt a download from it. The leecher would not actually be downloading the intended file; it would be connecting to a target IP address without knowing it. This would flood the target host and, in many cases, eventually take the target site down.

Nefarious users could use publicly available data from torrent sites like The Pirate Bay to find the info hashes of some of the most popular files and trick some of those downloaders into attacking a chosen target. For example, one could tell tens of thousands of users that a fresh copy of Tron Legacy (not yet released!) is available at an address that is really the web server of a corporation. All of these users would immediately try to download the file from that address, bombarding the server with connections and possibly taking it down in the process.
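The mechanism described above, modelled in code. This is an added illustration, not code from the original post or from any BitTorrent client: a minimal bencode encoder/decoder, a forged DHT `get_peers` reply whose `values` list (BEP 5 compact peer format, 4-byte IPv4 + 2-byte port) names nothing but the target, and a client-side plausibility filter. The info hash, the target address 203.0.113.10:80 and the per-reply cap are constructed for the example; the filter is illustrative and only limits how much one forged reply can make a single client do, it does not stop the attack.

```python
"""Model of DHT peer-list poisoning: a malicious node answers get_peers with
a list of 'peers' that are all the same target address.  Added example,
not code from the original post; addresses and info hash are constructed."""
import socket
import struct


def bencode(obj):
    """Encode ints, bytes, lists and dicts in BitTorrent's bencode format."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # Dictionary keys are byte strings and must be emitted in sorted order.
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data, pos=0):
    """Decode one bencoded value starting at `pos`; returns (value, next_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    colon = data.index(b":", pos)          # byte string: "<len>:<bytes>"
    n = int(data[pos:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n


def compact_peer(ip, port):
    """BEP 5 compact peer entry: 4-byte IPv4 address + 2-byte big-endian port."""
    return socket.inet_aton(ip) + struct.pack(">H", port)


def parse_compact_peers(values):
    """Client side: turn the 'values' list of a get_peers reply into (ip, port) pairs."""
    peers = []
    for entry in values:
        if len(entry) != 6:
            continue  # skip malformed entries instead of crashing the client
        ip = socket.inet_ntoa(entry[:4])
        (port,) = struct.unpack(">H", entry[4:])
        peers.append((ip, port))
    return peers


def poisoned_get_peers_reply(target_ip, target_port, count):
    """What a malicious DHT node returns for a popular info hash: every 'peer'
    is the target.  Transaction id, node id and token are dummy values."""
    return bencode({
        b"t": b"aa",
        b"y": b"r",
        b"r": {b"id": b"\x00" * 20, b"token": b"tok",
               b"values": [compact_peer(target_ip, target_port)] * count},
    })


def sanitize_peers(peers, max_per_reply=8):
    """Illustrative client-side filter: drop unroutable addresses and
    duplicates, and never take more than `max_per_reply` peers from one reply."""
    seen, kept = set(), []
    for ip, port in peers:
        first_octet = int(ip.split(".")[0])
        if port == 0 or first_octet in (0, 127) or first_octet >= 224:
            continue
        if (ip, port) in seen:
            continue
        seen.add((ip, port))
        kept.append((ip, port))
    return kept[:max_per_reply]


def demo():
    """Forge a reply naming 203.0.113.10:80 fifty times, decode it as a
    client would, and show what survives the filter."""
    reply = poisoned_get_peers_reply("203.0.113.10", 80, 50)
    msg, _ = bdecode(reply)
    raw = parse_compact_peers(msg[b"r"][b"values"])
    return raw, sanitize_peers(raw)
```

Without the filter a client would open fifty connections to the target from one forged reply; with it, one. The real-world lever is elsewhere, though: a poisoner does not need to repeat the address within one reply, it only needs to answer many clients, so the defence that matters is how many distinct responders a client trusts and how quickly it gives up on peers that never speak the BitTorrent handshake.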

Distributed denial of service (DDoS) attacks were most recently used to take down the sites of major credit card companies as part of Anonymous' revenge for actions taken against WikiLeaks. In those attacks, however, the users took part deliberately. With this type of exploit, users may not even be aware that they are bombarding a bank's server with bogus requests while trying to download a movie file.

This new technique, termed BotTorrent, would have revolutionary significance not merely because of its creative underpinnings but in terms of legal responsibility. Clearly, it is unlikely that end users would be prosecuted for carrying out an attack of which they had no knowledge. Furthermore, given the number of unknowing users carrying out the attacks, the magnitude of the attacks would expand massively.

Cyber War IV - Operation Payback explained

These kinds of hacking campaigns are not a new phenomenon triggered by the WikiLeaks situation. To mention one well-known example, back in 2003 the Recording Industry Association of America (RIAA) had its site knocked offline by a series of online attacks after it launched a joint anti-piracy campaign together with the Motion Picture Association of America (MPAA). Now we have the so-called "Operation Payback", a new initiative allegedly from the same group of hackers that performed the attacks in 2003.
Operation Payback
It is believed that other hacker groups have joined the effort to ally themselves with WikiLeaks and attack those who have acted against it. Nobody on the outside knows just how far this network spans, and if it has banded together with communities like 4chan it could very well be one of the largest unified hacking campaigns to date.

This type of attack typically involves flooding a target website with data. The attackers hope to overwhelm it in one way or another so it cannot serve its legitimate users. As its name implies it aims to deny service to those visitors.

How are the attacks made?

Using Twitter and probably hidden IRC channels, the group has managed to coordinate its attacks very effectively. The majority of the attacks so far have been large-scale DDoS (Distributed Denial-of-Service) attacks, and they have been effective in collapsing the websites of these organizations. In case you're unaware of this type of attack, it is a method in which many computers (usually compromised machines under remote control) connect all at once and continuously to the victim, causing its servers to collapse under the weight of the traffic.

There are many types of DDoS attacks. Some exploit the basic protocols of the internet that define how your web browser talks to the web server you want to visit, while others send fragments of data packets to a target so that it spends all its time reassembling them rather than serving visitors. Against sites with a low-bandwidth link to the wider web, simply sending lots of traffic can choke the connection and cut it off.

In essence, what is happening is that lots and lots of individuals are hammering specific websites with TCP or UDP packets or HTTP requests. There are only so many resources to go around, which means that with enough individuals involved even large websites can be taken down very quickly.

The first denial of service attacks typically came from a single source. Now the bombardment is typically carried out by lots of computers, usually running Windows, all over the world, hence "distributed". Most attacks are carried out through a botnet.

What is a botnet?

Botnets are groups of computers, unwittingly linked together via the internet, that can be remotely controlled to perform tasks. Typically they send out spam email, perform DDoS attacks and gather personal information. Botnets are typically created through virus infection or by malicious software (known as malware) being installed on your machine. Malware takes many forms; one of the most common is the 'trojan'. Named after the legendary Trojan horse, it is a piece of malicious code that hides inside another piece of software (in this instance, illegally downloaded copies of software).

When the user installs the software, the trojan is installed along with it, and the user is unaware that a new zombie computer may just have joined a botnet controlled by who knows who.


Most of the participants in Operation Payback are not hackers — at least not in the true sense of the word. Instead, these users are using computer programs — or more recently, simply visiting websites — in order to stage their attack.

Anonymous is using a botnet but one that is slightly different to the usual. The botnet is made up of machines that have been actively enrolled in it by their owners downloading and installing Anonymous' attack tool - known as the Low Orbit Ion Cannon (LOIC).
This tool, which was purportedly created to stress-test networks, is written in C# and can be downloaded from open source code repositories like GitHub and SourceForge.

LOIC can be pointed at a website the user types in, or, using an option called Hive Mind, it can connect to IRC or even Twitter and fetch the target for a coordinated attack from there. Because the C# build only runs on Windows out of the box (Mac and Linux users have to install a .NET runtime and do extra configuration), a Java port of LOIC also exists. The most recent variant is a new proof of concept floating around called JS LOIC, where "JS" stands for JavaScript. This proof of concept, which doesn't appear to have as many features as LOIC or Java LOIC, and may also be easier to stop, is actually pretty clever.

Rather than requiring users to download and run a program, someone can simply visit a web page consisting of a single HTML file and press a button to carry out their part of the attack. On the one hand, using JavaScript to carry out this kind of flooding attack is a clever trick. On the other hand, it is also pretty scary.

From what we can gather, the majority of the attacks on Operation Payback targets are not coming from web browsers. However, that could change. We would caution users against clicking on any links claiming to aid in this series of attacks. Not only is willfully participating in a DDoS illegal in many countries, you never know what is behind the file you download or what clicking that web button could actually trigger.
As with many other aspects of the WikiLeaks saga, the distributed and de-centralized nature of the Internet means that shutting down all mirrors for documents — or even for attack tools — is an exercise in futility.

This is easily the most public and mainstream hacking campaign to date and so far it must be said, has been largely successful. A spokesperson for the group behind Operation Payback posted that they’d attack all of those who were “bowing down to government pressure”.

So what does this say about the power of the internet? Nothing that experts didn't already know. But for the general public and for the media as a whole, I think it has come as quite a shock that hackers can be so influential and stay on the front line of the news for a sustained period. Most people's impression of the average hacker is someone who sits around stealing credit card numbers, and while that is still a major problem, it puts things into perspective when groups such as Anon manage to bring Goliath companies like MasterCard and the Swiss PostFinance to their knees.

Small defacements for political reasons, or just for the fun of it, are very common and happen every day. This, however, is a completely new phenomenon: we are now dealing with a potentially global cyber power, and a cyber war of this kind can trigger heavy legislative responses from governments worldwide.

Cyber War III - Change in Tactics?

'Coldblood', a member of the group Anonymous, told a BBC reporter why he views its attacks on Visa and MasterCard as a defence of WikiLeaks. Web attacks carried out in support of WikiLeaks are being wound down as activists consider changing tactics. Attacks against Amazon were called off late on 9 December and redirected towards the net payments firm PayPal, whose systems, according to its status page, have intermittently suffered "performance issues" ever since.

There have also been calls for attacks on official Dutch websites following the arrest of a 16-year-old boy suspected of involvement in the online campaign. But early today Moneybookers was chosen as the next target and its site was occasionally unreachable from about 1100 GMT.

The chances of success could be boosted by a new version of LOIC written in JavaScript, which allows anyone with a browser, including on a mobile phone, to launch attacks. However, defences against the attacks are being drawn up as security firms scrutinise the code behind LOIC to work out how the attacks happen. Some suggest that well-written firewall rules would be able to filter out most of the harmful traffic.
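What "well-written firewall rules" amount to in practice, for the HTTP-request flood described in the "How are the attacks made?" section above and the filtering suggested here: find the sources that are sending far more requests than any browsing user could, and drop them at the firewall. The following is an added example, not code from the original post or from any security firm. It scans web-server access-log lines in the common Apache/nginx format, keeps a sliding per-client window, and renders one `iptables` drop rule per offender. The log lines, the client addresses (198.51.100.7 as the flooder, 203.0.113.21/22 as normal users), the 10-second window and the threshold of 50 requests are all constructed for the example.

```python
"""Rate-based HTTP flood detection over access logs.  Added example, not
from the original post; log lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: client - - [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

FLOODER = "198.51.100.7"                 # constructed attacking client
NORMAL = ["203.0.113.21", "203.0.113.22"]  # constructed ordinary visitors


def parse_line(line):
    """Split one log line into (client ip, timestamp, request line); None if junk."""
    m = LOG_RE.match(line)
    if not m:
        return None  # tolerate malformed lines instead of aborting the whole scan
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def flood_sources(lines, window_s=10, threshold=50):
    """Return {ip: peak requests seen in any window_s-second window} for each
    client that reached `threshold` requests inside one window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                  # expire requests older than the window
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def blocklist_rules(peak, chain="INPUT"):
    """Render one iptables drop rule per flagged source (strings only, nothing is run)."""
    return ["iptables -A %s -s %s -j DROP" % (chain, ip) for ip in sorted(peak)]


def make_sample_log():
    """Constructed sample: one client repeats GET / 400 times in 20 seconds,
    the way a flooding tool does, while two normal clients browse slowly."""
    base = datetime(2010, 12, 9, 12, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(milliseconds=50 * i), FLOODER, "/") for i in range(400)]
    for ip in NORMAL:
        events += [(base + timedelta(seconds=2 * j), ip, "/page%d" % j) for j in range(30)]
    events.sort()  # a real log is written in time order
    return ['%s - - [%s] "GET %s HTTP/1.0" 200 512'
            % (ip, ts.strftime("%d/%b/%Y:%H:%M:%S +0000"), path)
            for ts, ip, path in events]


def demo():
    """Scan the sample log and return (flagged sources, firewall rules)."""
    peak = flood_sources(make_sample_log())
    return peak, blocklist_rules(peak)
```

Per-source thresholds work against LOIC-style HTTP floods because every volunteer's machine shows up under its own real address and sends requests no browser ever would. They do nothing against the spoofed TCP or UDP packet floods also mentioned above, where the source address is forged, and they need care with shared addresses (corporate proxies, carrier NAT) that legitimately carry many users.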

The LOIC tool has been downloaded more than 46,000 times but, said Anonymous activists in a tweet, this did not translate into enough people using it to knock the retail giant off the web.

One of those activists said he had a botnet of 30,000 machines under his control that he was planning to use on behalf of WikiLeaks. A botnet is a network of hijacked home computers, compromised when their owners visited a booby-trapped web page that installed code handing control to a hi-tech criminal. A botnet of 30,000 machines is considered about average size. Most of the spam sent around the net is funnelled through machines in botnets.

There are also suggestions that the Anonymous group might be about to drop the web attacks in favour of another tactic. Its use of the term Anonymous comes from a series of websites frequented by members, such as the anarchic image board 4Chan. These allow users to post without having to register or provide a name. As a result, their comments are tagged "Anonymous".

A message posted on the 4chan image board, out of which Anonymous has grown, suggests dropping LOIC in favour of publicising information in the diplomatic cables that Wikileaks is releasing. Searching for the less-well publicised cables and spreading the information they contain around the web could be more effective than simply knocking out sites deemed to be enemies of Wikileaks, it said.

The message also suggests using misleading tags on posts and YouTube videos to trick people into reading or viewing the information.

"They don't fear the LOIC, they fear exposure," read the message.

Cyber War

I believe we are witnessing what could be the first real cyber war of the 21st century, between the supporters of WikiLeaks and all the institutions that somehow oppose it or have withdrawn their support.


Despite several attacks targeting the site, among them massive denial of service attacks, the loss of its DNS service, the loss of Amazon hosting and the termination of services by PayPal, Visa and MasterCard, the reality is that the site has shown surprising vitality and is becoming a real case study in resistance to such attacks.

Before the release of the latest batch of secret documents, the site's content was hosted by two Swedish service providers and one French one. Subsequently the same content was also housed on Amazon's cloud hosting service, but that firm quickly changed its mind, claiming a breach of its terms of service.

After Amazon's move the problems with the site's other providers began, culminating in the termination of its DNS service by its DNS provider, the company EveryDNS.

In response, WikiLeaks registered domains under several country-code top-level domains, in some cases pointing them straight at IP addresses and in others using ISPs in several countries.

In order to prevent a repetition of what happened with EveryDNS, i.e. having the site depend on a single DNS service provider, WikiLeaks now uses DNS services in eight different countries.

This geographical dispersion already makes the site extremely difficult to shut down. For now the content is hosted mainly on European servers; once the dispersion becomes worldwide, any attempt to close the site will face even greater challenges.

Moreover, in recent days thousands of mirrors of the original site have appeared, which means the content is already so widespread across the internet that it escapes the jurisdiction of any single legislative body; even a concerted global effort could not prevent fragments of this information from reappearing.

The targets of this phalanx of supporters have been the sites of Amazon, MasterCard, PayPal and the Swiss firm PostFinance, for withdrawing their services from WikiLeaks or freezing its accounts.

At the same time, a global army of activists and WikiLeaks supporters is on the march, growing every day in both numbers and strength by adding the power of botnets or by using freely available tools.

Many of those participating in these attacks are using LOIC (Low Orbit Ion Cannon), an open source tool that can legitimately be used to stress-test network security, firewalls and so on. This simple tool has become the weapon of choice of the WikiLeaks supporters' DDoS (Distributed Denial of Service) campaign because users can synchronize their attacks through a central command channel that coordinates the participants and so amplifies the attack.

Coordination is done over Twitter and IRC (Internet Relay Chat) networks, where a recently formed group began the so-called "Operation Payback".

But if so far the bulk of the column has been manned by anonymous volunteers running LOIC, we are now at the stage where this army is being reinforced by battalions of existing botnets, computers already infected and controlled by groups of hackers who are answering the call in response to the new defensive measures implemented by the targeted sites.
This cyber war may change the face of the Internet as we know it ...