Friday, December 10, 2010

Police arrest boy of 16 over WikiLeaks attacks

Twitter and Facebook have also deleted accounts believed to be affiliated with Anonymous
Dutch authorities have arrested a 16-year-old boy in relation to the cyberattacks against Visa, MasterCard and PayPal, which were aimed at punishing those companies for cutting off services to WikiLeaks.
The boy was arrested in The Hague, and he will be arraigned before a judge on Friday in Rotterdam, according to a press release from the Netherlands' Public Prosecution Service. The boy, whose computer equipment was seized, has allegedly confessed to taking part in the attacks.
The Public Prosecution Service said he is likely part of a larger group of hackers.
The arrest follows a series of distributed denial-of-service (DDoS) attacks aimed at websites that have been critical of WikiLeaks, which has been releasing portions of 250,000 secret US diplomatic cables since late last month. The attacks seek to overwhelm websites and services by flooding them with streams of meaningless traffic.
Some of the attack traffic originated in the Netherlands, and the main site coordinating the attacks, anonops.net, was hosted in a Dutch data center in Haarlem. The site has been down since police action on Wednesday.
As soon as the police learned that attacks were coming from the Netherlands, the Team High Tech Crime unit opened an investigation, the Dutch attorney general reported.
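An added example, not taken from the article: the crudest but most useful first signal of an HTTP flood on the defender's side is a burst of requests per source in a short window, and the signal that survives when a flood is spread thinly over thousands of volunteer hosts is the aggregate request rate against the site. The access-log lines below are constructed, using RFC 5737 documentation addresses; the thresholds are illustrative assumptions.

```python
"""Request-rate detection over web server access logs (constructed data).

Added example, not from the article. Two views of the same log:
  * per-source peak rate, which catches a handful of hosts hammering a URL;
  * site-wide peak rate, which still rises when a flood is spread over
    thousands of low-rate hosts that never trip a per-IP threshold.
Log lines are generated by sample_log() and are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request-line) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def flood_sources(lines, window_s=10, max_requests=20):
    """Return {ip: peak requests seen inside any window_s-second span} for
    sources that exceed max_requests. Lines must be in timestamp order, as a
    live log is; a per-IP deque keeps only the timestamps still inside the window."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk rather than crash on a hostile log line
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def peak_site_rate(lines, window_s=10):
    """Peak total requests in any window_s-second span across all sources."""
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts = parsed[1]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def sample_log():
    """Constructed access log: two ordinary visitors and three flooding hosts."""
    base = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)
    entries = []
    # Ordinary browsing: five requests each, twelve seconds apart.
    for i, ip in enumerate(("203.0.113.5", "198.51.100.9")):
        for k in range(5):
            entries.append((base + timedelta(seconds=12 * k + i), ip, "/index.html"))
    # Flooding hosts: 40 requests each for the same URL within five seconds.
    for n, ip in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12")):
        for k in range(40):
            entries.append((base + timedelta(milliseconds=125 * k + n), ip, "/"))
    entries.sort()
    return [
        '%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        % (ip, ts.strftime(TS_FMT), path)
        for ts, ip, path in entries
    ]


if __name__ == "__main__":
    log = sample_log()
    print("per-source offenders:", flood_sources(log))
    print("site-wide peak per 10 s:", peak_site_rate(log))
```

On the constructed log the three flooding hosts are reported with a peak of 40 requests in the window while the two ordinary visitors are not, and the site-wide peak is 122. Against a volunteer botnet of the size described in the article, with each host sending a few requests a second, only the second number moves, which is why per-IP rate limiting alone is not a DDoS defence.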
The attorney general also noted that "probably thousands of computers" took part in the attacks. The police are still investigating and will probably arrest more people.
Since the release of the documents began, several companies have decided to cut WikiLeaks off from their services, including PayPal, MasterCard, Visa and the Swiss payment transaction firm PostFinance, where WikiLeaks founder Julian Assange held an account.
In response, a loose affiliation of hackers called Anonymous have orchestrated DDoS attacks against those websites over the past two days or so, knocking many of the sites offline. The group has dubbed that effort "Operation: Payback." Other websites that have been attacked include those of vocal critics of WikiLeaks, including US Senator Joseph Lieberman and former Alaska Governor and vice presidential candidate Sarah Palin.
Twitter and Facebook have also deleted accounts believed to be affiliated with Anonymous.
On Thursday, BBC Radio 4 broadcast an interview with a 22-year-old who goes by the nickname "Cold Blood" and claims he is part of Anonymous. Cold Blood, who appeared in the BBC's studios, said that more people were downloading a botnet tool that enables them to perform a DDoS attack.
The campaign is aimed at companies that have decided not to deal with WikiLeaks, Cold Blood said, and is also a protest against what Anonymous believes is increasing control over the Internet by governments and the European Union.
"We are trying to keep the Internet open and free for everyone," said Cold Blood, who described himself as a software engineer.
WikiLeaks and its founder and editor Assange have come under fierce criticism from U.S. government officials and politicians for releasing the information, which is believed to have been leaked to the site by US Army Private Bradley E. Manning.
Manning has been charged with mishandling and transferring classified information in connection with the cables and a video of an Apache helicopter shooting civilians in Iraq.

http://www.computerworlduk.com/news/security/3252776/police-arrest-boy-of-16-over-wikileaks-attacks/

New "Darkness" Botnet as Ominous as It Sounds
Security researchers are in a tizzy over a new botnet they’re calling “Darkness,” or if you want the full name, “Destination Darkness Outlaw System” (D.D.O.S.), ComputerWorld reports.
Here’s the sales pitch — for just $50, Darkness operators promise their clients they’ll be able to flummox large sites with an army of just 1,000 bots, and security experts don’t doubt that claim.
“Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive,” said the Shadowserver Foundation. “As with BlackEnergy, ‘Darkness’ is easy to purchase, easy to deploy, and is very effective and efficient in what it does.”
Darkness botnet operators advertise a laundry list of devious features, including the ability to pick several URLs per target site, a claimed ability to overwhelm an average site with just 30 bots, the option to run as a Windows service, both an English and a Russian GUI, and much more.
“It now appears that ‘Darkness’ is overtaking BlackEnergy as the DDoS bot of choice,” Shadowserver Foundation notes. “There also appear to be no shortage of buyers looking to add ‘Darkness’ to their botnet arsenal.”

http://www.cpureview.com/new-darkness-botnet-as-ominous-as-it-sounds.html?goback=.gde_1899252_member_37062320

Operation Leakspin....


If this image is to be believed—and I have no reason not to, other than that I found it on the internet—the rebel squadrons behind Anonymous (attn. "news" hacks - that would be an entirely different group from Wikileaks and/or Wikipedia) are about to change their approach. So far, as we've witnessed, they have been launching point-and-click distributed denial of service (DDoS) attacks at companies perceived as the enemies of Wikileaks. Those targets included Mastercard, Paypal, and Visa (companies that froze donation funding), and Amazon (which denied hosting services). The new approach suggests more sophisticated thinking. This new mission, apparently, is to actually read the cables Wikileaks has published and find the most interesting bits that haven't been publicized yet, then publicize them.
In my opinion, this action would have far more positive impact. Anonymous often repeats the Orwell quote, "In a time of universal deceit, telling the truth becomes a revolutionary act." Looks like they decided to take those words to heart.

http://www.boingboing.net/2010/12/09/anonymous-stops-drop.html

Wednesday, December 8, 2010

Wikileaks a stirring pot...!
DDoS Wars ...and now Mastercard!


Online hacktivist collective Anonymous, operating under the banners Operation:Payback and "Operation Avenge Assange" have launched a series of DDoS attacks against organisations and people seen as being opposed to Wikileaks and its spokesman Julian Assange.
Meanwhile, Operation:Payback itself has been subjected to counter-DDoS attacks thought to originate with US "patriotic" contra-hacktivistas.
Sites attacked by the Anonymous group have included PostFinance.ch, belonging to the Swiss bank which recently froze an account controlled by Assange, and also ThePayPalblog.com - the main blog operated by PayPal, targeted for refusing to process Wikileaks contributions. DNS outfit EveryDNS has also come into the Operation:Payback gunsights for cutting off Wikileaks' DNS service, saying that online attacks targeted at the leak site were crippling its other customers.
Over the last couple of days, other sites have been DDoS'd for various reasons by the Anonymous group, including the Swedish lawyers representing the women Assange is alleged to have committed sexual offences against. Charges made by Swedish prosecutors have since resulted in the issue of a European arrest warrant and Assange was yesterday cuffed in London: British judges have elected to refuse bail and the colourful Wikileaks impresario is now in jail pending an extradition hearing.
This process has angered the members of Operation:Payback sufficiently that they have also elected to mount strikes against the website of the Swedish prosecutors' office and briefly, according to anonymous claims received by the Reg, against Interpol. (Interpol did issue a "Red Notice" calling for Assange's arrest at the behest of Swedish authorities, but in fact this has no relevance for British police dealing with a request from another EU nation: in such cases a European warrant is required for the UK cops to act.)
Yesterday, the Anonymous hacktivists decided to attack the site of US Senator Joe Lieberman as well, presumably as a result of remarks he has made describing Wikileaks operations as crimes violating the US Espionage Act - and hinting that Wikileaks' mainstream-media partners, collaborating on trawling and redacting files prior to public release, have violated the law also.
Some Operation:Payback members also elected to attack the site of former Alaska governor and vice-presidential candidate Sarah Palin for suggesting that Assange should be hunted down like a terrorist.
The Anonymous attacks have been run through a chatroom, with users attaching their computers to a voluntary botnet for use in the DDoS strikes. Panda Security reported that as the Lieberman attacks began there were almost 1,000 users in the chatroom and nearly 600 machines in the botnet.
Naturally enough Operation:Payback itself has been subject to counter-DDoS efforts of varying strength almost since it began, but following the decision to attack Lieberman's official US government site the Anonymous operation began to be hit much harder and suffered dozens of outages itself, one lasting almost two hours. Panda Security analysts assessed that the intensified counter-DDoS attacks were coming from self-described American "patriot" hackers - playing contra to the Anonymous hacktivistas, perhaps.
Meanwhile US Army private soldier Bradley Manning, believed to have supplied not only the vast stash of diplomatic cables now being drip-fed by Wikileaks but most of its previous significant material as well (the Baghdad gunship videos, Iraq and Afghanistan "war logs" etc) remains in military prison charged with an array of security violations. His name is seldom mentioned any more in the ongoing saga of Wikileaks, Assange and the online scufflers aligned with and against them.
Operation:Payback uses a banner quote from John Perry Barlow, a founder of the Electronic Frontier Foundation:

http://www.theregister.co.uk/2010/12/08/wikileaks_assange_ddos_dustup/

Friday, December 3, 2010

“Mega-D” botnet taken down

Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.
According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.
Federal agents settled on Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.
As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname “Docent,” who earned nearly $467,000 in commissions over a six month period in 2007.
Atkinson told investigators that Docent’s commissions were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the e-mail address “4docent@gmail.com.” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow.
According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta based security firm, which found them to be samples of the Mega-D malware.
Update: [Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]

But U.S. investigators missed at least two chances to apprehend Nikolaenko: The grand jury said a review of U.S. State Department records indicate that Nikolaenko entered the United States in Los Angeles on July 17, 2009, and left the country ten days later. He returned to the U.S. on Oct. 29, 2009, entering from New York and visiting Las Vegas before exiting the country on Nov. 9 from Los Angeles.
Investigators say Nikolaenko was supposed to leave Los Angeles on Nov. 11, but cut his trip short by two days. They concluded that the 23-year-old left early because he wanted to get home to repair damage that security experts had inflicted on his botnet. On Nov. 4, 2009, researchers from Milpitas, Calif. based FireEye executed a “stun” attack on Mega-D by seizing control over the botnet’s control networks.
“Based on the timing of the Fireeye attack on the Mega-D botnet, I believe that Nikolaenko left the U.S. early to repair damage caused by Fireeye,” wrote Special Agent Brett E. Banner, in the government’s complaint against Nikolaenko.
After the FireEye takedown, spam from Mega-D all but disappeared. But in the days following his return to Moscow, the botnet recovered gradually, and by Nov. 22, spam from Mega-D was back to pre-takedown activity levels. By Dec. 13, Mega-D was responsible for sending nearly 17 percent of spam worldwide, according to security vendor M86 Security.
Joe Stewart, a senior security researcher at SecureWorks, said that at the beginning of Nov. 2009, there were at least 120,000 computers infected with Mega-D that were relaying spam, but Stewart said he hasn’t seen any signs of activity from Mega-D over the past several months.
While Mega-D may be dead, information obtained by KrebsOnSecurity.com suggests that Nikolaenko has nonetheless continued spamming, and that, until at least June 2010, he was a top-earning affiliate for Spamit.com. Prior to its closure at the end of Sept. 2010 — Spamit was the world’s most active affiliate program for promoting knockoff prescription drugs.
A Spamit affiliate using the same “4docent@gmail.com” address made nearly $81,000 in the first five months of 2010 promoting online pharmacies for Spamit. The earnings were deposited into the same “Genbucks_dcent” ePassporte account named in the criminal complaint against Nikolaenko. It’s not clear whether Nikolaenko was able to enjoy all of those earnings: ePassporte also went belly-up in September, leaving thousands of customers without access to millions of dollars in funds.
Update, Dec. 2, 5:40 p.m. ET: The Milwaukee-Wisconsin Journal Sentinel reports that Nikolaenko was arrested after entering the United States to attend a car show in Las Vegas. He is scheduled to make his initial court appearance in Milwaukee on Friday.
http://krebsonsecurity.com/2010/12/fbi-identifies-russian-mega-d-spam-kingpin/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=KrebsOnSecurity

Wikileaks Domainless

The DNS entries for wikileaks.org and cablegate.org have been removed, a move that may hamper efforts to reach the websites.
Amazon has terminated its cloud services relationship with the whistleblower site after pressure from a US government committee, according to a US senator.

The websites can still be accessed via their IP addresses, http://88.80.13.160/ and http://204.236.131.131/ respectively, according to a Wikileaks list of IP address mirrors. Alternatives are also listed on the mirror site.
However, the DNS records that map a hostname such as www.wikileaks.org to those addresses are no longer being served. Users who type the name into a browser will get no page, because the failure is at name resolution rather than at the web servers themselves.
Wikileaks' DNS provider EveryDNS.net stopped serving DNS for the domain at 10pm EST (3am GMT) after the site suffered a massive distributed denial-of-service (DDoS) attack. EveryDNS.net said in a post on its site that it had done so because the attacks against the domain contravened its acceptable use policy.

http://www.ukfast.co.uk/internet-news/wikileaks-loses-domain-name-after-dos-attacks.html