Spamhaus Under DDoS Over Wikileaks.info

achowe writes "Steve Linford of Spamhaus sent this to a private anti-spam list and asked that the message get out far and wide: 'For speaking out about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. As our site cannot be reached now [actually sporadic], we can not continue to warn Wikileaks users not to load things from the Heihachi IP. ... AnonOps did not like our article update, here is what we said and what brought the ddos on us.'" At the conclusion of this message: "Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We’re not saying 'don’t go to Wikileaks' we’re saying 'Use the wikileaks.ch server instead.'" Here is Spamhaus's full warning.

AnonOps part of the problem, not the solution

[Animats]

I'm beginning to wonder if AnonOps/Anonymous is a false flag operation. They seem to be doing more harm than help to Wikileaks. Their targeting is inept (they previously targeted the wrong DNS provider), their timing is inept, and Wikileaks doesn't need them to stay on line.

Re:AnonOps part of the problem, not the solution

Dude, if you ever visisted /b/ you would not be suprised by anything evermore.

Re:AnonOps part of the problem, not the solution

[TaoPhoenix]

At least some complicated multi-layered variant of it. It's disturbingly like religious theory - "how do you prove it's not a false flag"?

The level of intensity of slick ops went through the roof these last few years.

Re:AnonOps part of the problem, not the solution

[MoonBuggy]

If they were operating under any suggestion of official support from Wikileaks I'd agree with you. As it stands I think they're just inept.

Re:AnonOps part of the problem, not the solution

[openfrog]

I'm beginning to wonder if AnonOps/Anonymous is a false flag operation. They seem to be doing more harm than help to Wikileaks. Their targeting is inept (they previously targeted the wrong DNS provider), their timing is inept, and Wikileaks doesn't need them to stay on line.

At last, this is coming out! I've been repeating this obvious thing on every Anonymous story that Slashdot has echoed out until now: we have no idea who is behind so called "Anonymous". A naive teenager is arrested from time to time to give credence to the myth that the Web is under the threat of unruly teenagers, opening the door to repressive legislation.

Now with this, we are beginning to get to hard facts, which should help us awaken our traditional media journalist friends: press, TV, radio. Congratulation for coming up with the term AnonOps. It tells the whole story in a nutshell.

Re:AnonOps part of the problem, not the solution

Of COURSE it's a false flag operation. The brave freedom fighters of Anonymous couldn't POSSIBLY be mistaken or misinformed in what they do. There's no way they're all just a bunch of kids with no idea what they're doing. The plan to DDOS Amazon to its knees was truly brilliant, in that it allowed the world to see how quickly Anonymous can shift their attack to new targets.

I, for one, welcome our new basement-dwelling, scat-loving overlords.

   

Re:AnonOps part of the problem, not the solution

[Opportunist]

How about adding another layer to the whole conspiration theory? AnonOps isn't a false flag operation, but since you can't tell who is Anonymous by their very nature, now false flag ops are popping up attacking "good" services and claiming it's AnonOps.

We sure are living in interesting times.

Re:AnonOps part of the problem, not the solution

Either inept or under orders to keep the kiddies that get caught up with them from getting real dead. Anon is kinda like the perpetual children's crusade of the Net... Brought to you by the letter 'E' as in 'ternal' and the month of September.

I wonder if they can help with the 'Grim Sleeper' case coming out of Los Angeles. They should distribute the pics to the darkest places and see if they can correlate any suspected victims with other material that might indicate whether being in the Sleeper pics is indicative of being a victim of a lone madman, or part of an underground porn ring.

This sort of thing doesn't take any talent, just knowledge of where to post.

Re:AnonOps part of the problem, not the solution

[EdZ]

I doubt everything, or even most things, that the various 'anonymous' (a singular unified label misses the entire point, but I digress) attributed activities have been false-flag. It does make for a neat cover, but a difficult and unruly one. To give any sort of credence that something is a 'legitmate' anonymous attack, it is almost defacto not accompanied with any sort of unified claim, but instead by nebulous consensus over numerous highly fluid websites and IRC channels. Faking that without unrelated members crying foul over obvious subversion attempts would be incredibly difficult, even even harder would be attempting to sway the actual anonymous DDOS attackers themselves. A few using LOIC might be fooled, but those who attack via self-controlled botnets (i.e. generate the majority of the required traffic) are likely to at least perform a cursory google of the proposed target.

tl;dr version: any agency attempting to spam with a target would be called out. Performing a DDOS then claiming it was anonymous without any corroboration would be equally obvious. Any attempting to sway opinion through a false majority would be promptly accused of samefaggotry and ignored.

Re:AnonOps part of the problem, not the solution

[OverlordQ]

Their targeting is inept (they previously targeted the wrong DNS provider), their timing is inept, and Wikileaks doesn't need them to stay

That sounds *exactly* like the people from 4chan.

Re:AnonOps part of the problem, not the solution

[HungryHobo]

Forget false flag ops.
What are the real wikileaks sites now???

Last time I checked wikileaks used self signed certs and at this point I'd love to simply see a interview with assange where he lists the "official" wikileaks sites and reads out some of their SSL certs.

is wikileaks.org still in the hands of the wikileaks organization or does the DHS control it now or some third party?
Or has it just been infected with malware to add a redirect?

Is their twitter account really them?

is there even any way for anyone to anonymously submit documents any more?

Re:AnonOps part of the problem, not the solution

[HungryHobo]

hell, is there even any verifiable way to communicate with any wikileaks staff any more?
Any PGP public keys? etc etc

Re:AnonOps part of the problem, not the solution

Let's check the allegations:

The original Wikileaks domain was wikileaks.org. Wikileaks has not used that domain in a while. The .org TLD is under the control of the USA (registry and registrar are both US based companies). It is unclear if Wikileaks is still in control of the wikileaks.org domain.

Spamhaus suggests that irc.anonops-irg.net is the address of the "Anonymous" coordination IRC server. The most current reference to an Anonops IRC server I could find names it irc.anonops-irc.org, which currently does not resolve. The page lists several changes of domain in the past days. It appears someone is sweeping up the abandoned domains and using them for (more) nefarious purposes. It is unclear if Anonymous is still connected to the domains listed in the Spamhaus warning.

The Spamhaus warning is probably right insofar that the listed domains are hosted by cybercrime outfits and pose a danger to anyone visiting them. The linking of Anonymous to these cybercrime outfits is possibly incorrect (other Anonymous domains are hosted at well-known commercial hosters). It will be interesting to see how the wikileaks.org domain got to point to wikileaks.info.

Since linking Wikileaks and Anonymous to cybercrime discredits both groups, it is quite conceivable that it's not just Russian gangs jumping on the opportunity but a FUD campaign by western three letter agencies. Nevertheless, heed the Spamhaus warning and stay away from wikileaks.org, wikileaks.info (and possibly all other wikileaks domains under TLDs which are operated by US registries). If you're thinking about downloading software from Anonymous and running it on your own computer, go ahead. No warning will cure that kind of stupidity.

Re:AnonOps part of the problem, not the solution

[man_of_mr_e]

Considering that there is no "membership" criteria to be part of Anonymous.. Anyone and Everyone who claims to be... IS. Therefore, I can go rob a bank and claim i'm part of Anonymous. It would be completely true.

That's the problem with an organization with no real structure or chain of command, there is no way to prevent people from doing things and claiming the group being responsible.

Re:AnonOps part of the problem, not the solution

[openfrog]

Faking that without unrelated members crying foul over obvious subversion attempts would be incredibly difficult, even even harder would be attempting to sway the actual anonymous DDOS attackers themselves. ...

tl;dr version: any agency attempting to spam with a target would be called out. Performing a DDOS then claiming it was anonymous without any corroboration would be equally obvious. Any attempting to sway opinion through a false majority would be promptly accused of samefaggotry and ignored.

You might as well be saying that black-ops in anti-globalization demonstrations cannot be manipulated, or cannot be themselves undercover agents, because it would be too difficult to fake a demonstration. By the way, there are videos on Youtube showing some particularly unruly of those black-ops to be members of the police force. This is the same thing here on the Web with Anonymous, but even easier to manipulate and to fake as they operate under the cover of deeper level of anonymity. Same approach, same techniques, same motives.

Re:AnonOps part of the problem, not the solution

[PeterBrett]

The Pirate Parties provide and administrate the wikileaks.ch network (note that the same network serves wikileaks.de and wikileaks.lu). Understandably, we all feel very strongly about the importance of whistleblowing and freedom of the press. I personally will vouch for those servers' integrity at this time. Specifically, Pirate Party members in the UK, Holland, Germany, Russia, Switzerland, Luxembourg and the Czech Republic have all donated servers.

I'm sorry that these servers are not currently available over SSL. As I understand it, some of these servers are hosted on IP addresses shared with other websites, and apparently this setup is incompatible with SSL. In addition, we have not yet identified a signing authority that we feel confident that would be resistant to coercion and subornation by agencies looking to discredit or manipulate Wikileaks. (Got a suggestion? Reply to this post!)

I'll re-raise the issue with the PPI organising committee, and see whether we can organise something. ;-)

I'm afraid that I can't speak for any of the Wikileaks-specific issues, such as document submission or the status of the wikileaks.org domain.

Re:AnonOps part of the problem, not the solution

[cheater512]

StartSSL is well priced and is completely based in Israel I believe. Awful website but they would probably be your best bet.
Yes they issue valid certificates themselves - they dont resell Verisign or similar.

Re:AnonOps part of the problem, not the solution

[Dan541]

There is a chain of command behind AnonOPs ddos attacks. The people running the anonops IRC network appear to be pulling most of the strings.

Some script kiddies have lone wolfed targets to no avail and some have organised independently to attack in groups. These small attacks always fail but the large one's are coordinated by a command hierarchy within the IRC network.

Although there seems to be allot of confusion amongst the script kiddies; some even claiming "We have no leader!" yea then who is setting the !lazor command?

Re:AnonOps part of the problem, not the solution

[dbIII]

hell, is there even any verifiable way to communicate with any wikileaks staff any more?

Hitting one of them with a court order on charges of something like being a two-timing bastard in Sweden works.

Re:AnonOps part of the problem, not the solution

[Anthony+Mouse]

So I'm going to post this near the beginning of the thread since the OP is correct but confusing and the signal to noise ratio in the comments is terrible. It appears the general consensus is this:

1) Russian criminals have control over the wikileaks.org and wikileaks.info domains and are distributing malware. The current real wikileaks website is wikileaks.ch.

2) Spamhaus has been telling people about (1).

3) The Russian criminals are now retaliating by using their botnets to DDoS Spamhaus under the flag of AnonOps.

4) Some of the people who call themselves Anonymous may or may not also be participating in the DDoS against Spamhaus because they are idiots.

Re:AnonOps part of the problem, not the solution

[MokuMokuRyoushi]

How can Anonymous be anti First Amendment? They aren't the government

Interestingly, you can't prove that, now can you? Make of this point of view what you will.

Re:AnonOps part of the problem, not the solution

[Haeleth]

This is the same thing here on the Web with Anonymous, but even easier to manipulate and to fake as they operate under the cover of deeper level of anonymity. Same approach, same techniques, same motives.

Not so. The dynamic is totally different. A demonstration is basically a ruly mob, and can be subverted into an unruly mob; the thing is that its members are physically surrounded by other people, do not have time to think or easy access to relevant information, can only communicate with great difficulty and only with a handful of people, often literally cannot leave until the demonstration is over, and are going to be faced with physical responses that can cause them to experience fear or panic. None of this is true online, where participants can easily pause, think, research, discuss things with one another, and any one of them can directly challenge anyone they think is trying to subvert their activities.

In short, there is simply no realistic comparison between the situations, and online protests are much, much harder to manipulate.

Re:AnonOps part of the problem, not the solution

[choko]

It is very possible that Israel would buckle to political pressure from the US, given the vast amounts military aid they have been provided by the US...

As if a DDoS wasn't enough...

[e9th]

now they're slashdotted, too.

Re:As if a DDoS wasn't enough...

[PatPending]

Was it really a good idea to post that link on slashdot - to a DDoS:ed site?

In general, no. However in this case, it is worth noting this:

Spamhaus is currently under a 2.1Gbps DDOS attack which began at 05:20 CET. As we are used to DDOS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.

Say wha?

I just asked anonops about it, they're not attacking spamhaus.

Re:Say wha?

I just asked them and they say they are.

kids these days

[girlintraining]

When you have a large DDoS tool at your beck and call, who has time to bother with accuracy and trifling details like the truth? This is just further evidence that "anonymous" is some unemployed young adult.

The profile of anonymous becomes less and less one of sophistication and intelligence and more that of teenage angst and a limited understanding of technology daily.

Re:kids these days

[openfrog]

When you have a large DDoS tool at your beck and call, who has time to bother with accuracy and trifling details like the truth? This is just further evidence that "anonymous" is some unemployed young adult.

The profile of anonymous becomes less and less one of sophistication and intelligence and more that of teenage angst and a limited understanding of technology daily.

From TFA:

The Webalta 92.241.160.0/19 netblock has been listed on the Spamhaus Block List (SBL) since October 2008. Spamhaus regards the Russian Webalta host (also known as Wahome) as being "blackhat" - a known cybercrime host from whose IP space Spamhaus only sees malware/virus hosting, botnet C&Cs, phishing and other cybercriminal activities.

I sympathize with your impatience with the idiocy that is Anonymous, but what this goes on to show here is that Anonymous, or now better referred to as AnonOps, is NOT unruly teenagers as media have been dutifully reporting, but something else.

The poster above referring to Anonymous as a potential 'false flag' operation has it right. Whether it was started by real teenagers or not is inconsequential: it plays in the interests of those wanting to swerve public opinion in the direction of repressive legislation and it is all too easy to attribute any kind of stunt on "Anonymous", whomever is really behind it.

Re:kids these days

[rtyhurst]

It looks like it's more dangerous to attack the Russian mafia than the US government.

I don't think so

[Sycraft-fu]

I think they are just angry idiots with too much time on their hands. There's a reason why vigilantism is so frowned upon and force out in a civilized society: Vigilantes suck at justice. They shoot first, ask questions later. They are all about the Great Cause(tm) whatever that cause happens to be and don't do a good job thinking about any trouble they cause.

Now this is made even worse by the /b/tards because they are not very organized, operate with what they believe to be impunity, and are often kids.

So my bet is not a false flag op, just a bunch of dumbasses causing trouble. They've decided that Wikileaks will be their Great Cause(tm), until they get bored and find something else, and lash out at any perceived enemies of it without thinking about it.

Re:I don't think so

[HomelessInLaJolla]

There's a reason why vigilantism is so frowned upon and force out in a civilized society: Vigilantes suck at justice

The United States of America is obviously not a civilized society. My personal experience with La Jolla, CA, indicates that vigilanteism is the general rule--and not vigilanteism to combat high profile violent crime or high cost white collar crime ... no, people like to be vigilantes just to go around playing surrogate parent against the homeless, or hoping to be the next one to call the police on street people.

Vigilanteism isn't about justice. It's about being the person with the juiciest gossip.

just a bunch of dumbasses causing trouble.

A very good description of the retired folks, the dog-walkers, the neighborhood watch, and the wealthy snobs around my area. Their entire method of life involves: provoke problem where there was none, call police.

If they happen to catch one of the actual drunks or dumpster diving troublemakers then they give themselves extra credit. Maybe harassing me is practice for them. :-(

Re:I don't think so

[Shakrai]

The United States of America is obviously not a civilized society. My personal experience with La Jolla, CA

So you've drawn conclusions about an entire society based on your experiences in one city?

Re:I don't think so

[MakinBacon]

They're just a bunch of stupid teenage script kiddies who think they're being "1337 haxxors" by running scripts other people made. They don't care if they're actually doing more to silence free speech than the US government is, as far as they're concerned, they're "sticking it to the man".

I'd wager that most of them have never even read the comic book that V for Vendetta (the movie) was based on.

Re:I don't think so

[zach_the_lizard]

If you haven't noticed, we are still in the midst of a recession. Work is still hard to come by. Example: A fast food restaurant in town was hiring lately, and they received 300 applications for 1 position, roughly equivalent to 1% of everyone in the county applying for the same job.

(Interestingly enough, unemployment in town is relatively low (still high for the young, though), but just about everyone works outside of town.)

Re:I don't think so

[The_mad_linguist]

He's generalizing from a small subset to the entire group of people.

Everyone does it.

Or at least, I do.

Spamhaus announcement

[pinkushun]

In the case of it getting /.'ed or DOS'd (like TFA link to nanozen.info)

Wikileaks Mirror Malware Warning
2010-12-14 17:00 GMT, by Quentin Jenkins

On Monday Spamhaus became aware that the main Wikileaks website, wikileaks.org, was redirecting web traffic to a 3rd party mirror site, mirror.wikileaks.info. This new web site is hosted in a very dangerous "neighborhood", Webalta's 92.241.160.0/19 IP address space, a "blackhat" network which Spamhaus believes caters primarily to, or is under the control of, Russian cybercriminals.

Important: this warning is issued only for wikileaks.INFO, NOT Wikileaks itself or any other Wikileaks site. Wikileaks.info is NOT connected with Julian Assange or the Wikileaks organization. For a list of real Wikileaks mirror sites please go to wikileaks.ch

The Webalta 92.241.160.0/19 netblock has been listed on the Spamhaus Block List (SBL) since October 2008. Spamhaus regards the Russian Webalta host (also known as Wahome) as being "blackhat" - a known cybercrime host from whose IP space Spamhaus only sees malware/virus hosting, botnet C&Cs, phishing and other cybercriminal activities. These include routing traffic for Russian cybercriminals who use malware to infect the computers of thousands of Russian citizens.

The fact that recently some unknown person or persons decided to put a Wikileaks mirror on Webalta IP address 92.241.190.202 should raise an alarm; how was it placed there and by whom. Our concern is that any Wikileaks archive posted on a site that is hosted in Webalta space might be infected with malware. Since the main wikileaks.org website now transparently redirects visitors to mirror.wikileaks.info and thus directly into Webalta's controlled IP address space, there is substantial risk that any malware infection would spread widely.

Spamhaus also notes that the DNS for wikileaks.info is controlled by Webalta's even more blackhat webhosting reseller "heihachi.net", as evidenced by the DNS records for the domain:

wikileaks.info. 14400 IN A 92.241.190.202
wikileaks.info. 14400 IN NS ns2.heihachi.net.
wikileaks.info. 14400 IN NS ns1.heihachi.net.

Spamhaus has for over a year regarded Heihachi as an outfit run 'by criminals for criminals' in the same mould as the criminal Estdomains. The Panama-registered but Russian/German-run heihachi.net is highly involved in botnet command and control and the hosting of Russian cybercrime.

We also note that the content at mirror.wikileaks.info is rather unlike what's at the real Wikileaks mirrors which suggests that the wikileaks.info site may not be under the control of Wikileaks itself, but rather some other group. You can find the real site at wikileaks.ch, wikileaks.is, wikileaks.nl, and many other mirror sites around the world.

Spamhaus takes no political stand on the Wikileaks affair. We do have an interest in preventing spam and related types of internet abuse however and hope that the Wikileaks staff will quickly address the hosting issue to remove the possibility of cybercriminals using Wikileaks traffic for illicit purposes.

More information on the SBL listing of Webalta's 92.241.160.0/19 is here:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL68370

Spamhaus is not alone in issuing this Wikileaks mirror malware caution. On Sunday researcher Feike Hacquebord at fellow anti-spam system Trend Micro issued a similar warning in the Trend Micro Malware Blog. (http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/)

Re:Spamhaus announcement

[jfengel]

Ah. I was wondering why Spamhaus would bother having an opinion. Answer: if you get your Wikileaks download from the dot-info site, it might be malware infested, because everything else from that domain is. Go download it from somewhere else.

It would be helpful if Wikileaks were to at least put up hashes of the downloads. That would make it abundantly clear if the dot-info site were including malware. But I suppose they've got other things to worry about.

my guess

the russian criminals are using the whole wikileaks/anonymous affair as a cover to attack one of their archenemies: spamhaus, while trying to paint spamhaus as the bad guys.

Re:Doesnt look like anon to me

[haderytn]

I trust them to be unable to keep a secret.

Please note:

[guruevi]

1) This DDoS attack does not seem to be originating from Anonymous but from AnonOps which is a cybergang-related IRC server and the DDoS seems to be originating from a real botnet of hijacked Windows computers, not LOIC.
2) Spamhaus warned about wikileaks.info which seems to be hosted by the same criminals and is posting false Wikileaks statements.
3) Wikileaks.org has been taken over by these criminals and is redirecting to http://mirror.wikileaks.info/ which is NOT sourcing from wikileaks.ch (and other mirrors like http://www.wlmirror.com/)

It seems to me the US Gov'mint has 'fixed' their Wikileaks problem by a campaign of misinformation and probably paid these Russian criminals to host the false Wikileaks site. It wouldn't surprise me if the wikileaks.info sites started to have certain damning documents disappear or specific ones infected just to track who's reading what.

Re:Please note:

[jfengel]

Any idea why the Russian criminals waited this long to attack Spamhaus? They've been enemies the whole time. I assume Spamhaus has always had mighty powerful anti-DDoS tools.

Perhaps they're redirecting some of their spam power to the DDoS instead, using the Wikileaks story as some kind of cover for that. (Though I don't really get it; they don't need it.) I wonder if that would show up as a drop in spam traffic, though unfortunately, you wouldn't be able to use Spamhaus to measure that.

Re:Please note:

[Dachannien]

It seems to me the US Gov'mint has 'fixed' their Wikileaks problem by a campaign of misinformation and probably paid these Russian criminals to host the false Wikileaks site.

What makes you certain that the US is behind this? There's at least a possibility that the Russian government is doing this on the basis of attempting to prevent the release of documents that are embarrassing to the Russian government. They even get free plausible deniability because everyone's going to point fingers at the US government.

Yeah Yeah Blame AnonOps

[Haedrian]

Anonymous is very weird to understand. It functions similar to a terrorist bloc (note I am not calling anyone a terrorist).

If I toss a bomb in the middle of a street and kill 50 people - and I write "Terrorist Group X was here" - who's to say it wasn't them? Or if say a terrorist group decides to take credit for the BP spill - who's to say its not?

Its impossible to work out whether it was anon or not. Its impossible to actually call 'anon' a group. Its just a bunch of people who - at will - decide to partake in DDOS attacks. Its not a collective body, its a number of individuals - and its stupid to think otherwise. If I'm in a group with 100 people, and someone says "Lets DDOS Bank of America", if I agree with it, I'll take part. If someone says "Lets DDOS Spamhaus", and I disagree, I won't take part. There's no real leader. Its all chaotic.

So enough with blaming anonymous for this ddos. For a start you have no proof. To continue, anon isn't a group - its a bunch of people following 'random' leaders, and the ranks change frequently depending on who feels like 'some lulz' that day, and who agrees or not.

In fact how do you determine an action as being done by Anon? Done by the 'leader' ? No real leader. Done by a large amount of the group? Not a very good measure.

If I succeed in telling (say) 50% of anonymous that attacking this site is for their better - then will 'anonymous' be attacking the site? Does it matter?

Summary: Anonymous isn't a rigid structure with leaders, anonymous is an amount of individuals who individually follow a leader at that point in time because they agree with that leader at that point.

Re:Yeah Yeah Blame AnonOps

[horza]

Impressive, you got this far down the thread without reading any comments at all.

Phillip.
PS bunch of Russian criminals != Anonymous

Spamhaus jumping to conclusions?

[leromarinvit]

Spamhaus seems to be pretty quick in assuming that wikileaks.info is malicious.

Apparently the site is hosted by a Russian company known to host malware and phishing sites. But how does this prove anything? They might as well be ordinary customers of a webhoster who doesn't take sites down easily.

Somebody who won't take malware sites down probably won't bow to political pressure to take down a Wikileaks mirror - or so they hope. "Outlaws" of whatever kind have a very reasonable interest in common: to evade prosecution and punishment. Whether you're stealing credit card numbers or publishing government/corporate secrets doesn't matter in this context.

Re:Spamhaus jumping to conclusions?

[jav1231]

"Apparently the site is hosted by a Russian company known to host malware and phishing sites. But how does this prove anything?"

No. But they say that hot chic down the street has the clap...and she's flirting with you. What could happen?

Re:Spamhaus jumping to conclusions?

[dbIII]

It's the same sort of assumption that would be made if Charles Manson opened a childcare centre and dingo petting zoo. Once trust is lost it is very hard to get it back. If they have been using similar sounding URLs to popular sites in the past to spread malware how do we know they are not doing it again?

Hanlon's Razor strikes again!

[splerdu]

Never attribute to malice that which is adequately explained by stupidity.
+1 for you, sir.

ok well lets take a wikieak here + have a look

[bpsheen]

Screw all this talk, lets look at the page source code and go from there. I booted Knoppix, and pulled up Iceweasel and copy and pasted the page source from wikileaks.info. My html and Javascript skills are not the sharpest. My skills are best in other areas. However, I noticed there is too much talk and not enough transparency here so I posted the page source so hopefully someone would analyze it and talk about the contents rather than jumping on sides of the arguments like some deranged trolls. Lets have a discussion that not owned by a bunch of drama queens, True geeks work with logic, not Drama. End of anti-troll rant.. Heres the pastebin link. http://pastebin.com/dyMkdZEG

Re:ok well lets take a wikieak here + have a look

mirror.wikileaks.info actually seems to be more useful than wikileaks.ch at the moment. It contains all the old leaks in the old (better imho) wikileaks format, together with the wikileaks analysis articles. It also contains links to the new leaks found on wikileaks.ch. I've checked a few of the articles there, and they all look just like I remembered. I couldn't see anything wrong.

I agree that it is strange that the site still uses the old format. It is also strange that the old leaks (from before the Afghanistan, Irak and Cable stuff) aren't available at wikileaks.ch. I'm not sure what to think, but I am far from convinced that there is anything wrong with the .info mirror.

Re:ok well lets take a wikieak here + have a look

[hat_eater]

Yeah, their press release also contains a link to Google Safe Browsing info that clears them of any wrongdoing. If I were them, I'd also wait some time for peoples defenses to come down, for them to add a NoScript exception for this page, before inserting anything malicious into the code. It might be they're simply rooting for WikiLeaks, but I wouldn't bet on it. This press release in which they come very close to impersonating the WikiLeaks team is rather damning.

Don't underestimate the tards

[box2]

It seems much more plausible that either this wikileaks.info related cybergang is performing the DDoS themselves, stirring up other communities to perform DDoS, or both. I have no experience with this AnonOps group, but I have spent a lot of time looking at *chan culture. As haphazard as a collection of 'anonymous' users generally is, they do not actually get to the point of performing an attack against something without hearing many sides to the story. That is one of the benefits of having so many individuals actively involved rather than an army unthinking zombie computers.

For example, given enough .jpg's, between their collective experience they can collate enough data to link seemingly completely unrelated photos to the same household or person. I have seen this happen over the course of a few threads and the experience was like watching a higher consciousness at work. It totally blew me away.

They will have people who actually do look at what is specifically being blocked by Spamhaus, why, and verify the authenticity of said claims. When you have threads of people calling for destruction it may be hard to turn away the mod mentality, but when people start posting clear facts it can and will do so, leading to the impending attack falling apart before it reaches critical mass.

I don't know much about this AnonOps group as of now, but if they are made up of enough individuals even this article will definitely reach them. As to if they will care, depends what their real goal is I suppose.

Re:Wikileaks.info response posted

[dbreeze]

http://www.spamhaus.org/news.lasso?article=665

Update 15 December

In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of {your} business" and called on people to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies".

None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirrors sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.

Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian and German malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it.

Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks" we're saying "Use the wikileaks.ch server instead".

Update 18 December

A DDOS attack was launched on www.spamhaus.org today in retaliation for us warning Internet users about the Russian-German cyber criminals behind the Wikileaks mirror wikileaks.info.

Spamhaus is currently under a 2.1Gbps DDOS attack which began at 05:20 CET. As we are used to DDOS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.

By no coincidence, the 'AnonOps' DDOS group irc.anonops.net is also hosted by the same Heihachi Russian-German cybercrime gang in the same CIDR as wikileaks.info:

wikileaks.info = 92.241.190.202
irc.anonops.net = 92.241.190.94

In addition to the LOIC and *OIC tools issued to dimwitted script kiddies to DDOS "enemies of Anon" with, AnonOps appears to be now escalating its DDOS attacks using dedicated criminal botnets (botnets of illegally hijacked PCs), and now appears to be directing DDOS attacks not at "enemies of Wikileaks" but at "enemies of our criminal bosses".

There is palpable irony in a DDOS being used to prevent exposure of a probably-false Wikileaks mirror that could potentially harm Wikileaks and Wikileaks readers. We hope that AnonOps supporters appreciate the irony as much as we do.

wikileags.org domain

[Compaqt]

The thing I don't get is how they were able to wrest control of wikileaks.org.

The .org domain was with DynaDot and they had (and still have) CLIENT TRANSFER PROHIBITED set.

So why would a US-based domain firm which suspended Wikileaks in fear of the US government then control back over to either
1) a group purporting to be WikiLeaks, or
2) a group they knew was Russian criminals

?

Re:spamhaus ticks off everyone.

[Kalriath]

That's SORBS, not Spamhaus. Fact check much?

Re:Wikileaks.info response posted MORE UPDATES

[dbreeze]

http://www.spamhaus.org/news.lasso?article=665

Update 18 December ***Incorrect data redacted*** (click to read)

[See newer information on DDoS in update below]

A DDoS attack was launched on www.spamhaus.org today in retaliation for us warning Internet users about the Russian-German cyber criminals behind the Wikileaks mirror wikileaks.info.

Spamhaus is currently under a 2.1Gbps DDoS attack which began at 05:20 CET. As we are used to DDoS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.

By no coincidence, the 'AnonOps' DDoS group irc.anonops.net is also hosted by the same Heihachi Russian-German cybercrime gang in the same CIDR as wikileaks.info:

wikileaks.info = 92.241.190.202
irc.anonops.net = 92.241.190.94

In addition to the LOIC and *OIC tools issued to dimwitted script kiddies to DDoS "enemies of Anon" with, AnonOps appears to be now escalating its DDoS attacks using dedicated criminal botnets (botnets of illegally hijacked PCs), and now appears to be directing DDoS attacks not at "enemies of Wikileaks" but at "enemies of our criminal bosses".

There is palpable irony in a DDoS being used to prevent exposure of a probably-false Wikileaks mirror that could potentially harm Wikileaks and Wikileaks readers. We hope that AnonOps supporters appreciate the irony as much as we do.

Update 19 December

We have been analyzing the traffic patters of the attempted DDoS attack against Spamhaus that started yesterday. We are seeing that it is made up of UDP and Syn flood type packets. This is not the profile of DDoS traffic from the LOIC and other *OIC tools issued to script kiddies to DDoS "enemies of Anon" with. In fact, at some semi-private forums, the AnonOps members have denied the DDoS and have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.

This now looks far more likely to be the work of people running, or hosting at, Webalta or the Heihachi cybercrime group. Possibly angered with the attention this wikileaks.info article brought to their dirty section of the internet. When one hosts spam servers, malware, Zeus and other botnet command and control (C&C) servers, bank phish sites and "backends", child exploitation sites and other badness, keeping off-the-radar is a must. Perhaps Russian authorities are now looking closer at this Webalta and its datacenter, as Russian citizens and banks are often the target of the people running systems there.

As we do when hit by these attacks, Spamhaus is working with both network experts and law-enforcement agencies to find and shut down the botnet used for the DDoS and to try and track who may be behind it.