Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Botnet

+ - Operation Payback's Command and Control System

Submitted by
Predius
Predius writes "Fun with Anonymous — Infiltrate the hive

Anonymous has been in the news again lately for loosely coordinated DDoS attacks on high visibility targets in the name of defending Wikileaks. Their weapon of choice is a modified LOIC (http://en.wikipedia.org/wiki/LOIC) install, a 'network stress tool' written to include IRC driven command and control. Volunteer LOIC installs become part of the 'Hive Mind' which Anonymous directs to attack chosen targets.

The command and control of LOIC is actually VERY simplistic. Figuring it out takes very little effort thanks to the modified LOIC install including nearly the full source of all code used to make the prepackaged binaries.

By default LOIC expects the user to direct it. Upon providing an IRC server, port and channel it switches to Hive Mind mode and connects to IRC automatically and joins the specified channel to await instructions. Instructions must be posted by a channel owner or operator, or in the topic of the channel. As security, all LOICs use predefined username patterns as well as specific user and real name info.

Nick: LOIC_XXXXXX (Replace the X's with upper or lower case letters, must be 6 total to match the channel invite mask.)
Username: IRCLOIC
Realname: Newfag's remote LOIC
Server: thealps.anonops-irc.com or irc.anonops-irc.com port 6667
Channel: #loic
CTCP Version Reply: SmartIrc4net 0.4.0.28389

From the LOIC README:
-------------------------------------------
==============================
|| CONTROLING LOIC FROM IRC ||
==============================

As an OP, Admin or Owner set a channel topic or type message with (as an example
):
!lazor targetip=127.0.0.1 message=test_test port=80 method=tcp wait=false random
=true

To start attack type
!lazor start

Or just append "start" in the END of the topic
!lazor targetip=127.0.0.1 message=test_test port=80 method=tcp wait=false random
=true start

To reset options back to default:
!lazor default

To stop attack:
!lazor stop

And remove "start" from topic (if exists)
You can also replace "start" by "stop" in the END of the topic.
-------------------------------------------

There are bots in the channel that periodically do version checks on all bots in the channel, so make sure you get the version string right. Also there are real users who monitor for odd activity, so I suggest just idling with your LOIC simulation and setting up a second connection to poke around with using normal looking credentials. So far they have been fairly quick to g-line suspected fake LOICs that botch any of the credentials and post repeated warnings to attack any found 'with anger'.

#OperationPayback is where the live chaos is, mostly a shouting match of various self proclaimed 'hacktivists' with a few trying to direct the horde with various degrees of sucess. This channel is also handy to monitor as changes to the attack plan will be announced along with start times.

As various external sources disable Anonymous assets, either irc servers directly via DoS attacks or by disabling the domains used new replacements are announced here as well. The Hive appears to be very slow in recovering from these hits given that the simplistic control structure doesn't include a means to auto-update the hive settings, relying on constant user monitoring and intervention instead. There is active discussion in #newloic on an upgraded or replacement tool in progress."
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Operation Payback's Command and Control System

Comments Filter:

"Bureaucracy is the enemy of innovation." -- Mark Shepherd, former President and CEO of Texas Instruments

Working...