Predius writes "Fun with Anonymous — Infiltrate the hive
Anonymous has been in the news again lately for loosely coordinated DDoS attacks on high-visibility targets in the name of defending Wikileaks. Their weapon of choice is a modified LOIC (http://en.wikipedia.org/wiki/LOIC) install, a 'network stress tool' written to include IRC-driven command and control. Volunteer LOIC installs become part of the 'Hive Mind' which Anonymous directs to attack chosen targets.
The command and control of LOIC is actually VERY simplistic. Figuring it out takes very little effort thanks to the modified LOIC install including nearly the full source of all code used to make the prepackaged binaries.
By default LOIC expects the user to direct it. Upon providing an IRC server, port and channel it switches to Hive Mind mode and connects to IRC automatically and joins the specified channel to await instructions. Instructions must be posted by a channel owner or operator, or in the topic of the channel. As security, all LOICs use predefined username patterns as well as specific user and real name info.
Nick: LOIC_XXXXXX (Replace the X's with upper or lower case letters, must be 6 total to match the channel invite mask.)
Username: IRCLOIC
Realname: Newfag's remote LOIC
Server: thealps.anonops-irc.com or irc.anonops-irc.com port 6667
Channel: #loic
CTCP Version Reply: SmartIrc4net 0.4.0.28389
From the LOIC README:
-------------------------------------------
==============================
|| CONTROLING LOIC FROM IRC ||
==============================
As an OP, Admin or Owner set a channel topic or type message with (as an example):
!lazor targetip=127.0.0.1 message=test_test port=80 method=tcp wait=false random=true
To start attack type !lazor start
Or just append "start" in the END of the topic:
!lazor targetip=127.0.0.1 message=test_test port=80 method=tcp wait=false random=true start
To reset options back to default: !lazor default
To stop attack: !lazor stop
And remove "start" from topic (if exists). You can also replace "start" by "stop" in the END of the topic.
-------------------------------------------
There are bots in the channel that periodically do version checks on all bots in the channel, so make sure you get the version string right. Also there are real users who monitor for odd activity, so I suggest just idling with your LOIC simulation and setting up a second connection to poke around with using normal looking credentials. So far they have been fairly quick to g-line suspected fake LOICs that botch any of the credentials and post repeated warnings to attack any found 'with anger'.
#OperationPayback is where the live chaos is, mostly a shouting match of various self-proclaimed 'hacktivists' with a few trying to direct the horde with various degrees of success. This channel is also handy to monitor as changes to the attack plan will be announced along with start times.
As various external sources disable Anonymous assets, either IRC servers directly via DoS attacks or by disabling the domains used, new replacements are announced here as well. The Hive appears to be very slow in recovering from these hits given that the simplistic control structure doesn't include a means to auto-update the hive settings, relying on constant user monitoring and intervention instead. There is active discussion in #newloic on an upgraded or replacement tool in progress."
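For a network defender, the fixed identifiers described in the post above (the LOIC_ nick pattern, the IRCLOIC username and the !lazor messages or topics) are enough to flag Hive Mind clients in captured IRC traffic. The following is an added example, not part of the original submission or of LOIC itself; the function names are hypothetical and the sample lines and hostnames are constructed.

```python
import re

NICK_RE = re.compile(r"^LOIC_[A-Za-z]{6}$")   # nick pattern quoted in the post
OPT_RE = re.compile(r"(\w+)\s*=\s*(\S+)")     # key=value, tolerant of stray spaces
ACTIONS = ("start", "stop", "default")        # control words from the README excerpt

def parse_irc(line):
    """Split a raw IRC line into (prefix, command, params)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split() + ([trailing] if sep else [])
    return prefix, (parts[0].upper() if parts else ""), parts[1:]

def parse_lazor(text):
    """Return the options and action of a !lazor command, or None if absent."""
    idx = text.find("!lazor")
    if idx < 0:
        return None
    body = text[idx + len("!lazor"):]
    options = {k.lower(): v for k, v in OPT_RE.findall(body)}
    # Whatever is left after removing key=value pairs may end in a control word.
    words = OPT_RE.sub(" ", body).lower().split()
    action = words[-1] if words and words[-1] in ACTIONS else None
    return {"options": options, "action": action}

def classify(line):
    """Return a list of (indicator, detail) findings for one raw IRC line."""
    _, cmd, params = parse_irc(line)
    findings = []
    if cmd == "NICK" and params and NICK_RE.match(params[0]):
        findings.append(("hive-nick", params[0]))
    if cmd == "USER" and params and params[0] == "IRCLOIC":
        findings.append(("hive-user", params[-1]))
    # Commands arrive as channel messages, topic changes, or the 332 topic reply.
    if cmd in ("PRIVMSG", "TOPIC", "332") and params:
        parsed = parse_lazor(params[-1])
        if parsed:
            findings.append(("hive-command", parsed))
    return findings

SAMPLE = [  # constructed lines, not captured traffic
    "NICK LOIC_aBcDeF",
    "USER IRCLOIC 0 * :Newfag's remote LOIC",
    ":irc.example.test 332 LOIC_aBcDeF #loic :!lazor targetip=127.0.0.1 port=80 method=tcp start",
    ":op!u@example.test PRIVMSG #loic :!lazor stop",
    ":alice!a@example.test PRIVMSG #chat :hello there",
]
```

Running `classify` over each line of an IRC capture from an egress sensor gives both the hosts that joined as Hive Mind clients and the target named in each command.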