Computerworld reported Thursday that tens of thousands of people had downloaded the LOIC (Low Orbit Ion Cannon) DDoS open-source "attack tool" to join hackers' botnets as they engage in cyberassaults against Amazon, MasterCard, PayPal, and the Swiss payment transaction firm PostFinance, inter alia, in retaliation for actions against Wikileaks.[1]  --  "LOIC has become the DDoS tool of choice in the pro-WikiLeaks attacks because users can synchronize their copies with a master command-and-control server, which then coordinates and amplifies the attacks," Gregg Keizer said.  --  Such attacks are illegal, and early Thursday morning Dutch police arrested a 16-year-old in The Hague for "attacks on MasterCard and Visa," the London Telegraph reported.[2]  --  Reuters reported Thursday evening that "The loosely organized campaign to avenge WikiLeaks against those who have obstructed its operations, calling itself Operation Payback, has already temporarily brought down the websites of Visa and MasterCard, and of the Swedish government."[3] ...


1.

News

PRO-WIKILEAKS CYBER ARMY GAINS STRENGTH; THOUSANDS JOIN DDoS ATTACKS

By Gregg Keizer

** Volunteers download attack tool, organizers recruit hacker botnets, say researchers **

Computer World
December 9, 2010

http://www.computerworld.com/s/article/9200659/Pro_WikiLeaks_cyber_army_gains_strength_thousands_join_DDoS_attacks?taxonomyId=82


The retaliatory attacks by pro-WikiLeaks activists are growing in strength as hackers add botnets and thousands of people download an open-source attack tool, security researchers said today.

In recent days, distributed denial-of-service (DDoS) attacks have been launched against several sites, including those belonging to Amazon, MasterCard, PayPal, and the Swiss payment transaction firm PostFinance, after each terminated WikiLeaks accounts or pulled the plug on services.

As of Thursday, WikiLeaks had posted the full text of more than 1,200 leaked U.S. State Department cables from its trove of over 250,000 messages.

Most of those participating in the attacks are using the LOIC (Low Orbit Ion Cannon) DDoS tool, said researchers with Imperva and Sophos.

The open-source tool, which is sometimes classified as a legitimate network- and firewall-stress testing utility, is being downloaded at the rate of about 1,000 copies per hour, said Tal Be'ery, the Web research team lead at Imperva's Application Defense Center.

"Downloads have soared in the last two days," said Be'ery in an interview.  As of 4 p.m. ET, more than 44,000 copies of LOIC had been downloaded from GitHub.

LOIC has become the DDoS tool of choice in the pro-WikiLeaks attacks because users can synchronize their copies with a master command-and-control server, which then coordinates and amplifies the attacks.

"If I download [LOIC] and voluntarily set the server information, the command-and-control server can control my copy of LOIC," said Be'ery.  "The command-and-control server can then sync the attack, which makes it much more powerful because the DDoS attacks are occurring at the same time and hitting the same target."

Some will still want manually control LOIC, Be'ery said, calling those people "old school guys."  But even then, the attacks are being coordinated.

"They're just syncing their attacks to the announcements made on Twitter and IRC (Internet Relay Channel)," Be'ery said, referring to the messages posted by several hacker groups, including Anonymous, which has been in the forefront of what's called "Operation Payback."

In a new step in the campaigns, botnets -- armies of already-compromised computers that hackers control remotely -- are now being recruited for the DDoS attacks, said Beth Jones, a senior threat researcher with Sophos.  "Until now, the attacks have been done by volunteers who download LOIC," said Jones.  "But now more groups are joining in with their botnets."

Be'ery said that Imperva had seen IRC chatter of at least one 100,000-PC botnet being thrown into the attacks.

"Operators of these attacks have repeatedly asked on IRC if someone can donate botnets," said Be'ery.  "It looks like they feel the need for some more horsepower."

The fact that the organizers of Operation Payback are soliciting more firepower is a clue that they're not able to match the defenses erected by the sites they've targeted, said Be'ery.  "They're having a bit of a problem.  PayPal and others are doing good work to keep their sites alive, so they're after more machines and telling people [participating in the DDoS attacks] to do what they're told and focus on the targeted sites."

There seems to be something to Be'ery's point.

An attack launched earlier Thursday against Amazon.com by Anonymous appears to have fallen flat; the group then dropped Amazon and instead directed its PCs and followers to again hammer a PayPal URL.

But for all the problems that Operation Payback's having, Be'ery doesn't believe the DDoS attacks have peaked.  "There doesn't seem to be any decay in the download rate of LOIC," he noted.  "I really don't think things will change unless one of the attacked companies tries to take down the main command-and-control server."

There is only one such server currently coordinating the attacks, he added, but the organizers claim that they have a backup on stand-by.  "But if the main server falls, it will certainly give them some trouble regrouping," said Be'ery.

Jones of Sophos saw a different end game.

"What's really surprising is that so many people are willing to put themselves on the line legally," she said, pointing out that using a tool like LOIC to attack a site is illegal in most jurisdictions, including the United States.

"A more firm legal response may be helpful," Be'ery agreed.  "I'm not even sure that everyone understands that what they're doing is illegal."

On Wednesday, Dutch police arrested a 16-year-old in The Hague for allegedly participating in the attacks against Visa, MasterCard, and PayPal.  The teen is to be arraigned in Rotterdam on Friday.

"The penny will drop when some of these guys are arrested," predicted Be'ery.

--Gregg Keizer covers Microsoft, security issues, Apple, Web browsers, and general technology breaking news for Computerworld.  Follow Gregg on Twitter at Twitter @gkeizer or subscribe to Gregg's RSS feed Keizer RSS.  His e-mail address is This email address is being protected from spambots. You need JavaScript enabled to view it..


2.

Netherlands

WIKILEAKS: TEENAGER ARRESTED FOR 'REVENGE ATTACKS'

By Jon Swaine

** A 16-year-old Dutch boy is facing up to six years in prison after admitting involvement in the cyber attacks against credit card companies that withdrew support for WikiLeaks. **

Telegraph (London)
December 9, 2010

http://www.telegraph.co.uk/news/worldnews/europe/netherlands/8192780/WikiLeaks-teenager-arrested-for-revenge-attacks.html


The boy was arrested in the early hours of Thursday morning after officers from the hi-tech crime unit of the Dutch national police force entered his home in The Hague while he slept.

He confessed to "attacks on MasterCard and Visa" and is "probably part of a larger group of hackers," according to a statement released by the Dutch national prosecutor's office.

Wim de Bruin, a spokesman for the prosecution service, said Dutch police were working with the FBI on an investigation into the hacking attack and expected to make several more arrests.

He said that the information about the 16-year-old boy's involvement had not come from the U.S. but declined to give any further details.

"We received information that one or more of the WikiLeaks-related attacks were coordinated from the Netherlands," Mr. de Bruin said.  "That is the reason the police have been investigating."

The websites of the card companies, and that of the online payment service PayPal, came under attack on Wednesday from Anonymous, a hacking group furious at their "censorship" of WikiLeaks.

All three companies stopped processing payments to the anti-secrecy group, which relies on donations, amid controversy over whether it has broken the law by releasing secret U.S. diplomatic cables.

Amazon, the internet retailer, has also been targeted after withdrawing server space, as were lawyers for women in Sweden who allege they were sexually assaulted by Julian Assange, editor of WikiLeaks.  Mr. Assange denies this claim.

The 16-year-old boy is due to appear in court in Rotterdam on Friday morning charged with making distributed denial of service attacks against the credit card companies' websites.

A judge will decide whether he should be remanded in custody for 14 days.  If convicted he could be sentenced to between four and six years in prison, Mr de Bruin said.

3.

WIKILEAKS BACKERS THREATEN MORE CYBERATTACKS

By Georgina Prodhan and Jeremy Pelofsky

Reuters
December 9, 2010

http://www.reuters.com/article/idUSL3E6N80HH20101210


Cyber attacks on global companies seen as enemies of WikiLeaks drew the attention of U.S. authorities on Thursday and Dutch police arrested a 16-year-old boy suspected in attacks on credit card sites of Visa and MasterCard.

Internet activists vowed to crash sites that have blocked business with WikiLeaks and PayPal, and others saw sporadic outrages.

Attorney General Eric Holder said U.S. authorities were looking into cyber attacks on companies like Amazon.com and others.  "We are aware of the incidents," he said.

The teenage boy was arrested by a high-tech crime unit in The Hague after admitting to attacks on the websites of two credit card companies, MasterCard and Visa, the prosecution in the Netherlands said on its website.

The suspect, whose details were not disclosed, was believed to be part of a larger group of hackers under investigation that participated in so-called denial of service attacks, the prosecution said.  Data and computer equipment were confiscated during his arrest.

The loosely organized campaign to avenge WikiLeaks against those who have obstructed its operations, calling itself Operation Payback, has already temporarily brought down the websites of Visa and MasterCard, and of the Swedish government.

A succession of U.S. institutions has withdrawn services from WikiLeaks after the website published thousands of sometimes embarrassing secret U.S. diplomatic reports that have caused strains between Washington and several allies.

In Moscow, Russian Prime Minister Vladimir Putin said the arrest of WikiLeaks founder Julian Assange showed the West was hypocritical in its criticism of Russia's record on democracy.

When asked about leaked U.S. diplomatic cables that cast him as Russia's "alpha-dog" ruler of a corrupt bureaucracy, Putin questioned whether the U.S. Foreign Service was a "crystal clean source of information."

WikiLeaks activists instructed their followers on Thursday to mount a distributed denial of service attack on a PayPal website that manages the integration of the company's payment processing technology with independent online merchant websites.  PayPal is a subsidiary of eBay.

A PayPal spokesman said the company had detected an attack on the site, http:/api.paypal.com, but that it appeared to be operational, although various attempts to access the website by Reuters on Thursday were unsuccessful.

Online retail and web-hosting powerhouse Amazon last week stopped hosting WikiLeaks' website, and on Thursday it briefly became the main target of the pro-WikiLeaks campaigners -- before they admitted it was too big for them, for the moment.

"We cannot attack Amazon, currently.  The previous schedule was to do so, but we don't have enough forces," read one message on Twitter.

The activists said they would instead attack PayPal, which has suspended the WikiLeaks account the organization had used to collect donations.  MasterCard and Visa had also become targets after stopping processing donations.

By early evening EST (1810 GMT), the main websites of PayPal, Amazon -- a key Christmas shopping destination -- MasterCard and Visa all appeared to be functioning normally.

OPERATION PAYBACK


Facebook said it had removed the activists' Operation Payback page on Thursday because it was promoting a distributed denial of service attack -- a form of freezing websites by bombarding them with requests that is illegal in many countries.

The campaign also disappeared briefly from Twitter before reappearing in a different guise.  Twitter declined to comment.

In an online letter, Anonymous, a loose-knit group, said its activists were neither vigilantes nor terrorists.  It added:  "The goal is simple:  Win the right to keep the Internet free of any control from any entity, corporation, or government."

Some of the motivation for the cyber campaign appears to stem from anger at the arrest in Britain of Assange over alleged sex crimes committed in Sweden.  He is in jail in London, awaiting an extradition hearing.

Assange said last week he had expected clampdowns in countries such as the United States that championed free speech, and had deliberately picked providers like Amazon to host its data to test that theory.

U.N. High Commissioner for Human Rights Navi Pillay voiced concern on Thursday at reports of pressure being exerted on private companies to halt financial or Internet services for WikiLeaks.

"The campaign is not over from what I've seen, it's still going strong.  More people are joining," a spokesman for the Anonymous group calling himself "Coldblood" told BBC Radio 4.  The speaker, who had an English accent, said he was aged 22 and was a software engineer.

"Anonymous has targeted mainly companies which have decided for whatever reason not to deal with WikiLeaks.  Some of the main targets involve Amazon, MasterCard, Visa, and PayPal."

LIMITED INTERRUPTION


In a statement on Thursday, MasterCard said although there was a limited interruption of some online services, cardholders could continue using cards for transactions worldwide.  Its main processing systems were not compromised, the statement said.

The campaigners also claimed responsibility for bringing down Visa Inc's site, which was temporarily unavailable in the United States, but later restored.  Swedish newspaper *Aftonbladet* said the Swedish government's website was down for a short time overnight in the latest apparent attack.

Assange, a 39-year-old Australian, has been hailed as an advocate of free speech by supporters, but now finds himself fighting serious sexual allegations made by two women in Sweden.

Assange will have another court appearance next Tuesday and his supporters assert he is being victimized for his work.

(Additional reporting by Greg Roumeliotis at The Hague, Patrick Lannin in Stockholm, Ben Deighton in Brussels, Marius Bosch in Johannesburg and Alexei Oreskovic in San Francisco; Writing by Keith Weir, William Maclean, Georgina Prodhan and Steve Holland; Editing by Jackie Frank and Peter Cooney)