From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA12-024A -- "Anonymous" DDoS Activity
Date: January 24, 2012 7:03:18 PM PST
To: technical-alerts@us-cert.gov
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System Technical Cyber Security Alert TA12-024A
"Anonymous" DDoS Activity Original release date: January 24, 2012
Last revised: --
Source: US-CERT
Overview US-CERT has received information from multiple sources about
coordinated distributed denial-of-service (DDoS) attacks with
targets that included U.S. government agency and entertainment
industry websites. The loosely affiliated collective "Anonymous"
allegedly promoted the attacks in response to the shutdown of the
file hosting site MegaUpload and in protest of proposed U.S.
legislation concerning online trafficking in copyrighted
intellectual property and counterfeit goods (Stop Online Piracy
Act, or SOPA, and Preventing Real Online Threats to Economic
Creativity and Theft of Intellectual Property Act, or PIPA).
I. Description US-CERT has evidence of two types of DDoS attacks: One using HTTP
GET requests and another using a simple UDP flood. The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool
associated with previous Anonymous activity. US-CERT has reviewed
at least two implementations of LOIC. One variant is written in
JavaScript and is designed to be used from a web browser. An
attacker can access this variant of LOIC on a website and select
targets, specify an optional message, throttle attack traffic, and
monitor attack progress. A binary variant of LOIC includes the
ability to join a botnet to allow nodes to be controlled via IRC or
RSS command channels (the "HiveMind" feature). The following is a sample of LOIC traffic recorded in a web server
log: "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200
99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0
(Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" The following sites have been identified in HTTP referrer headers
of suspected LOIC traffic. This list may not be complete. Please do
not visit any of the links as they may still host functioning LOIC
or other malicious code. "hxxp://3g.bamatea.com/loic.html"
"hxxp://anonymouse.org/cgi-bin/anon-www.cgi/"
"hxxp://chatimpacto.org/Loic/"
"hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
"hxxp://event.seeho.co.kr/loic.html"
"hxxp://pastehtml.com/view/bl3weewxq.html"
"hxxp://pastehtml.com/view/bl7qhhp5c.html"
"hxxp://pastehtml.com/view/blafp1ly1.html"
"hxxp://pastehtml.com/view/blakyjwbi.html"
"hxxp://pastehtml.com/view/blal5t64j.html"
"hxxp://pastehtml.com/view/blaoyp0qs.html"
"hxxp://www.lcnongjipeijian.com/loic.html"
"hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/
vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/
fnorefer"
"hxxp://www.tandycollection.co.kr/loic.html"
"hxxp://www.zgon.cn/loic.html"
"hxxp://zgon.cn/loic.html"
"hxxp://www.turbytoy.com.ar/admin/archivos/hive.html" ... http://www.us-cert.gov/cas/techalerts/TA12-024A.html
Subject: US-CERT Technical Cyber Security Alert TA12-024A -- "Anonymous" DDoS Activity
Date: January 24, 2012 7:03:18 PM PST
To: technical-alerts@us-cert.gov
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System Technical Cyber Security Alert TA12-024A
"Anonymous" DDoS Activity Original release date: January 24, 2012
Last revised: --
Source: US-CERT
Overview US-CERT has received information from multiple sources about
coordinated distributed denial-of-service (DDoS) attacks with
targets that included U.S. government agency and entertainment
industry websites. The loosely affiliated collective "Anonymous"
allegedly promoted the attacks in response to the shutdown of the
file hosting site MegaUpload and in protest of proposed U.S.
legislation concerning online trafficking in copyrighted
intellectual property and counterfeit goods (Stop Online Piracy
Act, or SOPA, and Preventing Real Online Threats to Economic
Creativity and Theft of Intellectual Property Act, or PIPA).
I. Description US-CERT has evidence of two types of DDoS attacks: One using HTTP
GET requests and another using a simple UDP flood. The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool
associated with previous Anonymous activity. US-CERT has reviewed
at least two implementations of LOIC. One variant is written in
JavaScript and is designed to be used from a web browser. An
attacker can access this variant of LOIC on a website and select
targets, specify an optional message, throttle attack traffic, and
monitor attack progress. A binary variant of LOIC includes the
ability to join a botnet to allow nodes to be controlled via IRC or
RSS command channels (the "HiveMind" feature). The following is a sample of LOIC traffic recorded in a web server
log: "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200
99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0
(Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" The following sites have been identified in HTTP referrer headers
of suspected LOIC traffic. This list may not be complete. Please do
not visit any of the links as they may still host functioning LOIC
or other malicious code. "hxxp://3g.bamatea.com/loic.html"
"hxxp://anonymouse.org/cgi-bin/anon-www.cgi/"
"hxxp://chatimpacto.org/Loic/"
"hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
"hxxp://event.seeho.co.kr/loic.html"
"hxxp://pastehtml.com/view/bl3weewxq.html"
"hxxp://pastehtml.com/view/bl7qhhp5c.html"
"hxxp://pastehtml.com/view/blafp1ly1.html"
"hxxp://pastehtml.com/view/blakyjwbi.html"
"hxxp://pastehtml.com/view/blal5t64j.html"
"hxxp://pastehtml.com/view/blaoyp0qs.html"
"hxxp://www.lcnongjipeijian.com/loic.html"
"hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/
vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/
fnorefer"
"hxxp://www.tandycollection.co.kr/loic.html"
"hxxp://www.zgon.cn/loic.html"
"hxxp://zgon.cn/loic.html"
"hxxp://www.turbytoy.com.ar/admin/archivos/hive.html" ... http://www.us-cert.gov/cas/techalerts/TA12-024A.html
No comments:
Post a Comment