Preliminary analysis of Anonymosus-OS: lame, but no obvious malware

On Ars Technica, Sean Gallagher delves into the Anonymosus-OS, an Ubuntu Linux derivative I wrote about yesterday that billed itself as an OS for Anonymous, with a number of security/hacking tools pre-installed. Sean's conclusion is that, contrary to rumor, there's no malware visible in the package, but there are plenty of dubious "security" tools like the Low Orbit Ion Cannon: "I don't know how much more booby-trapped a tool can get than pointing authorities right back at your IP address as LOIC does without being modified."

As far as I can tell, Sean hasn't compared the package checksums for Anonymosus-OS, which would be an important and easy (though tedious) step to take for anyone worried about the OS hiding malware.

Update: Sean's done the checksum comparison and found 143 files that don't match up with the published versions.
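To make that checksum step concrete, here is an added example of the comparison (my own illustration, not code from this post or from Sean's article). It reads a manifest in the format the coreutils md5sum/sha256sum tools emit ("<hex digest>  <relative path>" per line, which is also the layout of dpkg's /var/lib/dpkg/info/<package>.md5sums files), hashes the local copies, and sorts the files into mismatched, missing and unlisted. The manifest and directory tree it checks are constructed inside the script so it runs offline; the file names in it are made up.

```python
"""Compare files under a directory against a published checksum manifest.

Added example, not from the Boing Boing post or the Ars Technica article.
Manifest lines are "<digest>  <path>" as written by md5sum/sha256sum (and by
dpkg's .md5sums files).  The sample manifest and files are constructed.
"""
import hashlib
import os
import tempfile

# Hex digest length -> hashlib algorithm.  md5 is what dpkg's .md5sums carry;
# sha256 is what a SHA256SUMS file for an ISO carries.
_ALGOS = {32: "md5", 64: "sha256"}


def parse_manifest(text):
    """Return {relative_path: hex_digest} from manifest text.

    Accepts "<digest>  <path>" and the binary-mode form "<digest> *<path>".
    Blank lines and '#' comments are skipped; anything else is an error.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition(" ")
        path = path.lstrip(" *")  # drop separator and coreutils '*' marker
        if len(digest) not in _ALGOS or not path:
            raise ValueError("malformed manifest line: %r" % raw)
        entries[path] = digest.lower()
    return entries


def file_digest(path, algo):
    """Stream a file through the named hash so large packages don't need RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(manifest_text, root):
    """Check every file under root against manifest_text.

    Returns a dict of sorted lists:
      mismatched - on disk, but the digest differs from the manifest
      missing    - in the manifest, but absent from root
      unlisted   - regular files under root the manifest never mentions
    The manifest must come from a trusted source (the upstream repository's
    .md5sums or a signed SHA256SUMS), never from the image being checked.
    """
    expected = parse_manifest(manifest_text)
    result = {"mismatched": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif file_digest(full, _ALGOS[len(digest)]) != digest:
            result["mismatched"].append(rel)
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in expected:
                result["unlisted"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed tree: one tampered file, one missing, one never published."""
    root = tempfile.mkdtemp(prefix="checksum-demo-")
    pristine = {
        "usr/bin/tool": b"#!/bin/sh\necho 'hypothetical tool'\n",
        "usr/share/doc/README": b"unmodified\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
    }
    # "Published" manifest built from pristine contents, plus a file the
    # publisher shipped that the local image lacks.
    lines = ["%s  %s" % (hashlib.sha256(d).hexdigest(), p)
             for p, d in pristine.items()]
    lines.append("%s  usr/bin/gone" % hashlib.sha256(b"x").hexdigest())
    manifest = "\n".join(lines) + "\n"
    # Local tree: etc/hosts gets an extra line, and a file appears that no
    # repository published.
    local = dict(pristine)
    local["etc/hosts"] += b"10.0.0.1 constructed.example\n"
    local["usr/local/bin/extra"] = b"not in any repo\n"
    for rel, data in local.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return verify_tree(manifest, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-11s %s" % (kind + ":", ", ".join(paths) or "-"))
```

On a running Ubuntu system the same comparison against the package-supplied md5sums is what `debsums -c` does; the script above is for the case where you have only an extracted image and a manifest fetched separately from the upstream repository. Two caveats: the manifest has to come from somewhere the spin's author could not have touched, and a derivative will legitimately change branding and configuration files, so a list of mismatches (like the 143 files Sean found) is where the inspection starts, not proof of malware on its own. Files the manifest never lists, the `unlisted` bucket, deserve a look too, since a dropped-in binary would never fail a checksum it was never given.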

Some of the tools are of questionable value, and the attack tools might well be booby-trapped in some way. But I don't know how much more booby-trapped a tool can get than pointing authorities right back at your IP address as LOIC does without being modified.

Most of the stuff in the "Anonymous" menu here is widely available as open source or as Web-based tools—in fact, a number of the tools are just links to websites, such as the MD5 hash cracker MD5Crack Web. But it's clear there are a number of tools here that are in daily use by AnonOps and others, including the encryption tool they've taken to using for passing target information back and forth.

Lame hacker tool or trojan delivery device? Hands on with Anonymous-OS


      1. One point of clarification: While OpenBSD’s clean, spare, somewhat minimalist approach helps (in the sense that you aren’t going to see “Now with twitfriendstream/adtrackme integration in the shell!!!” in the changelogs any time soon…) OpenBSD is largely paranoid in the “I am trying to run a secure server and/or firewall here, the internet is a terribly dangerous place that is trying to hack me” sense rather than the “I’m trying to own a PC without being a cog in a Benthamite dystopia here, everything I do over the internet is probably being data-mined” sense.

        A solid, serious, no-nonsense focus on security certainly doesn’t hurt (and the default install certainly doesn’t bleed personal info to the mothership like those cool kids in the mobile world); and OpenBSD supports a variety of VPNs and things; but it doesn’t really do much to deal with ‘privacy’ as a problem that extends beyond the bounds of your hardware.

        The “Keeping your PC yours, with a classic Unix Flavor” ethos is certainly a good starting point; but (without additional and nontrivial effort) an ISP using Phorm or an advertiser doing cross-site cookie tracking will have no harder time with an OpenBSD/lynx box than with a WinME/IE5.5 box (possibly easier, actually; because OpenBSD user agents are extremely rare, and thus visible…)

  1. If it is using Ubuntu Lenses, then it must be a fake; a Lubuntu or Puppy Linux variant would be more likely to be a proper tool for Anons.

    1. Puppy, for sure, I’ve been wondering why no one has a high security puplet. It’s already my low impact OS, but I rely on the lack of disk access and live sessions, which is only keeping my box inaccessible, but not invisible. I personally have had the most success with v. 4.2.0, even though the Ubu integration was nice, it’s too easy to break since 5.x and the original generic Vesa ran way better on my systems than the proprietary or optional legacy since. 

  2. It saddens me that increasingly people think the solution to a software problem is “spin a custom OS” not “recommend people install a set of packages”. Especially since it’s so EASY to install packages nowadays.

    1. This particular spin is rather pathetic, basically an enworsened flavor of backtrack with lurid branding; but there is something to be said for custom OS spins…
      If you want hard separation of session A and session B, either because you are up to no good in session B, or because you are worried about what session A might have picked up and want to do a bit of banking, or whatever, booting a session B spun for the purpose, and set not to touch any HDDs, from a CD is by far the easiest way to do it.

      All the “Download and install a whole damn OS because you want a new desktop background!” ‘ThemeBuntu’ arrangements are nonsense; but (while admittedly not elegant) a liveCD or VM is still the easiest way of getting reasonably full separation between two sessions, with minimal risk of malware attacks between the two, or evidence of one leaking into the other.

      1. Since you mentioned the BT word… I’ve been trying to work with the recent release of 5r2, but I’m still a bit too much a Lin00b for a proper installation. I’d like to find a way to learn more about it, away from the BT forums as DSec is… cocky… to say the least when it comes to n00bs. If there’s a distro geared to Anon, we need to consider the intent of an Anon. In my mind, this distro is Little Brothers’ Paranoia in the making. At the same time, I’m campaigning for an open Anon, in which those of us who can admit being involved can speak on behalf of Anon in daily life, IRL. This combo means that a lot of kids less savvy than I are going to be hunting down whatever sounds good, assuming that a safe OS is plug and play. BoingBoing, with its combo of expertise and devotion to freedoms, would be an amazing place for Security Experts to teach n00bs how to *responsibly* use a distribution used for data analysis. Telling kids not to use it if they don’t understand it is futile. It’s better they understand it rather than repeatedly click the brute force buttons to see what they do… Can BB put its head together to create Lil’ BrOS?

        Anyone read “Chaos in Cyberculture” lately? Haven’t read it since it was new, but… ZOMG!

  3. Anyone who needs to get someone else to pre-package their OS for them won’t survive very long as an Anonymous activist, burdened by malware or not.

    1. Cynically speaking, the more competent members would probably be very sensible to release some ‘point-‘n-haxx0r’ tools in order to take advantage of their hangers-on who are old enough for computerized mischief; but too young for prosecution as adults…

      Given the number of soft targets out there, it is likely that even suitably equipped kiddies can cause some genuine damage, especially if backed up by a specialist or two, and having a bunch of maladjusted 14 year olds LOIC-ing everything in sight probably wastes a lot of law enforcement time and provides some amount of ‘chaff’ to cover the subtler activities of the core experts.

      1. That defeats any mutually positive effects of what should have been a temporary attention grabber. LOIC, that is. These kids need REAL teachers. Someone who can explain to them the power they wield. Someone who does so with a hint of oversight.

        Is this not the home of the Children of Eris? Is this not the continuation of Thornley and Hill’s OpMindF***? Tim Leary’s “Future Breed”? You talk like we should let these kids get thrown to the wolves because of genuine naivety and one source of suggestions for reality hacking.  

        I’m currently actively encouraging a new “Meeting of the Tribes”. I’m just the right age to be a torch bearer from the post-psychedelic generation to the post-cyberpunk generation. I’m lucky to have stumbled onto Discordianism as a teen, as I could see most of my generation being sheltered from the esoteric elements of the psychedelic culture while being bombarded by sugar-coated tributes to the fashion and a summary of the civil rights movement. I feared Leary and Wilson would be lost at the time. They were my own heroes, but I invoke them as representatives who understood the importance of teaching kids.

        On the West Coast, I imagine a wealth of resources for kids can be accessed, but in areas where IRL geeks are a commodity, it can be tough to learn practical skills. I try to do my tiny little part, confused in big tech world, but there must be a way to *help* skids be as competent as many wish to be, without the false security of being called Anon.

        I don’t know the actual solution, short of running another honeypot to round up kids acting foolish and teach them responsible advanced Internet usage. If a community like BB doesn’t, who else will… and does?

    1. I’d love it… If I didn’t have to quietly figure it out for myself… A safety guide for inevitable n00bs would be great, as it’s better than letting potentially smart kids fend for themselves and make a dumb mistake. It’s not like an Anon can get into the training program if they slip for a half sec, they kinda screen for that these days when accepting applications at BT Academy. So I’m just learning to Bash and write Python in hopes it all starts to make sense soon. BoingBoingSec?

  4. How come you keep calling it “Anonymosus OS?” I thought it was a typo in the first post, but here it crops up again. Is it some kind of in-joke?

  5. I’ve got the official Anonymous secret decoder ring and the lunchbox & thermos are in the mail.

  6. Wait… wait… with all that chicken clucking cacophony… I thought it was confirmed that there was tons of malware in this distro?

    What say you now, clucking chickens?  Sigh…  fuckin’ cluckin’ chickens…

  7. To avoid using distasteful chanspeak (you know, the kind that uses f*g as a suffix) that’d probably get me disemvoweled, I think the best way of describing anyone who would pull down an Anonymous-skinned Ubuntu instead of, you know, getting a known safe and stable OS image and packages from a trusted community repo, is simply this: Poseur.

    This is the same group who were the target of the Zeus trojan infection packaged with what claimed to be LOIC (or a variant). Don’t trust a masked dude on youtube with kernel access to your machine, kids. 

    1. The problem is, it’s inevitable. Yeah, a lot of older kids are gonna think of Adm Akkbar, but new kids are *vaguely* exposed to Anon everyday. There are many faces to Anon, but one is that of the naive youth, an unhappy mutant just opening their eyes. I feel that many of us in the world of boingboing have a genuine solemn *duty* to help guide new cybernauts through this world we’ve left for them. I’ll speak as a 90’s Discordian in saying that these “Poseurs” are the blank canvases that are seeking Eris. What would Joshua Norton do? Tim? Bob? Omar? Malaclypse? Burroughs? “Duke”? I can’t guide Anons to Eris alone, but every bit of my soul wants to encourage Anons to take off the mask and continue chaos, to the point that I’m preaching the Principia to obvious Twitter feds for mass exposure of the words.  I’m even working on music in the Anon motif to spread that message: Why is there such a negative attitude, mutants? We were all n00bs once. C’mon Cory, you know you’d love to see Lil’BrOS. :) Anyone?

  8. It’s sad but I have to say anyone who downloads this and thinks “I iz a haxxor nao!” then thinks they can DDOS/LOIC the internet veiled in 100% secrecy much less 1% deserves whatever happens to them, including legal ramifications.

    People who know what they’re doing don’t need this. People who don’t know what they’re doing shouldn’t use this.