Anonymosus-OS: the checksums that don't check out

Further to the ignoble saga of Anonymosus-OS, an Ubuntu variant targeted at people who want to participate in Anonymous actions: Sean Gallagher has done the legwork of comparing the checksums of the packages included in the OS against their canonical versions, and has found a long list of files that have been modified. Some of these ("usr/share/gnome/help/tomboy/eu/figures/tomboy-pinup.png: FAILED") are vanishingly unlikely to be malware, while others ("usr/share/ubiquity/apt-setup", part of the Ubuntu live-CD installer) are more alarming.

None of this is conclusive proof of malware in the OS, but it is further reason not to trust it: if you're going to produce this kind of project and modify the packages so that their checksums no longer match the originals, you really should document the alterations you've made.

all.md5 > /dev/shm/check.txt
md5sum: WARNING: 143 of 95805 computed checksums did NOT match
anonymous@anonymous:/$ grep -v ': OK$' /dev/shm/check.txt
usr/share/locale-langpack/en_AU/LC_MESSAGES/ FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/ FAILED
usr/share/applications/language-selector.desktop: FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/ FAILED
usr/share/locale-langpack/en_CA/LC_MESSAGES/ FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/ FAILED
usr/share/locale-langpack/en_AU/LC_MESSAGES/ FAILED
usr/share/doc/libxcb-render0/changelog.Debian.gz: FAILED...

The bad checksums in Anonymous-OS (Thanks, Sean!)
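As an added example (not Sean Gallagher's script and not part of the post), here is how I would run that comparison from a trusted host and then triage the report, so that the locale and documentation noise is separated from the files that actually deserve a diff. It assumes the image has been mounted read-only and noexec on a known-good system, that the reference list ref.md5 was built on that system from canonical Ubuntu .debs, and that only the host's md5sum ever runs; the path prefixes in classify_path and the file names used in the comments are my own choices, not anything taken from the image.

```shell
#!/bin/sh
# Added example, not code from the post or from Sean Gallagher's run.
# Assumptions: the Anonymous-OS filesystem is already mounted read-only and
# noexec on a trusted host (the ISO via mount -o loop,ro,noexec, then the
# squashfs inside it the same way), and ref.md5 is an md5sum-format list built
# on the host from canonical Ubuntu packages (dpkg-deb -I pkg.deb md5sums on
# .debs fetched from the archive). The image's own /var/lib/dpkg/info/*.md5sums
# are not a reference: whoever built the image could have rewritten them.
# Only the host's md5sum binary runs; nothing from the image is executed.

# verify_image <mountpoint> <ref.md5, absolute path> <report>
# Resolves the relative paths in ref.md5 against the mountpoint and writes a
# report in the same "path: OK" / "path: FAILED" format as the post's check.txt.
verify_image() {
  ( cd "$1" && md5sum -c "$2" ) > "$3" 2>/dev/null || true
}

# classify_path <relative path> -> cosmetic | review | unknown
# First-pass triage by where a changed file lives. Translations, docs, icons
# and themes are what a respin legitimately touches. Anything that executes,
# is loaded by the kernel, is read by the installer or configures the system
# gets a human look. .desktop launchers are deliberately "review": their Exec=
# line runs whatever it names. The prefix lists are this example's choice.
classify_path() {
  case $1 in
    usr/share/locale*|usr/share/doc/*|usr/share/gnome/help/*|usr/share/help/*) echo cosmetic ;;
    usr/share/icons/*|usr/share/pixmaps/*|usr/share/themes/*|usr/share/backgrounds/*) echo cosmetic ;;
    bin/*|sbin/*|usr/bin/*|usr/sbin/*|lib/*|usr/lib/*|etc/*|boot/*) echo review ;;
    usr/share/ubiquity/*|usr/share/initramfs-tools/*|usr/share/applications/*) echo review ;;
    *) echo unknown ;;
  esac
}

# triage_report <report> -> one line "<class> <path>" per non-OK entry.
# This is the post's `grep -v ': OK$'` with the triage tag prepended; the
# suffix strip also handles md5sum's "FAILED open or read" wording.
triage_report() {
  grep ': FAILED' "$1" | while IFS= read -r line; do
    p=${line%: FAILED*}
    printf '%s %s\n' "$(classify_path "$p")" "$p"
  done
}

# count_class <report> <class> -> number of non-OK entries in that class
count_class() {
  triage_report "$1" | grep -c "^$2 " || true
}
```

Two caveats. "cosmetic" means the file is data that nothing executes, not that the change is innocent, and every "review" hit should be diffed against the same file extracted from the canonical package (dpkg-deb -x). The functions work unchanged with sha256sum in place of md5sum; MD5 is kept only to match the post's all.md5 format.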


  1. Looks like Sean Gallagher actually ran Anonymosus-OS in order to run the checksums. Dumb, dumb, dumb.

    Mount the Anonymosus-OS image read-only, noexec, with a trusted known-good operating system. Then use *THAT* operating system’s checksum tools to examine the files.

      1. That would protect your system (barring some very fancy VM exploit that would be worth so much for precision attacks on high-value targets that they can likely be ignored here); but it wouldn’t solve the “if you are going to tamper with the OS, you should probably bug the tools that somebody would use to check for tampering” problem. (Though freezing the VM and mounting its disk any time that suited you wouldn’t be so terribly difficult, and it’s easier than finding a physical computer with a CD-ROM drive, at least in my house.)

    1. Or not paranoid enough to suspect it’s a ringer put out by an alphabet agency. Yes, I know that is probably giving them too much credit, but hey, ‘even a blind squirrel finds a nut’ as they say.

  2. “Of course this OS is safe and can be used for activities that you don’t want to be traced back to you! A bunch of anonymous hackers assure you of its integrity. See, we’re wearing a Guy Fawkes mask! Only good people do that.”

  3. The vast majority of those are UI.

    I’d like to see the diffs between the others, but I’m guessing those are UI changes as well. Wouldn’t bet my life on it, but it does seem somewhat likely.

    1. Kinda heavy-handed of them to change the files rather than creating an alternate theme alongside the Gnome default. If that is what they have done. Or could it be a case of steganography?

      1. From what I saw in another review of it, yeah, it’s heavy-handed. The sum-up of it was Anonymous didn’t do it because they wouldn’t want their name associated with something done this badly.

        Of course, I thought LOIC was VB, so maybe that’s wrong.

          1. LOIC is C#. It runs fine with Mono. It doesn’t build with Mono, because the developers are jackasses who closed my simple bugfix as WONTFIX.

  4. Oy. Kind of makes me reconsider the “program or be programmed” concept, at least insofar as a little knowledge of programming can be a dangerous thing if one assumes there are other people who don’t know a whole lot more.

  5. … the files in the example are translation text files and shortcut descriptors, and completely harmless – incidentally. :)

  6. .mo files are i18n (translations), .desktop files are more or less launchers, then some changelogs and image files. apt-setup is from ubiquity, the livecd installer, so it seems that most of the changes are due to the media customization.

    I wouldn’t use it, but there’s nothing immediately suspicious there.

    1. Spending another 20 seconds or so before submitting on weeding out all the obviously harmless changes would have made for a more compelling post, yes. :)

      There are a few things I’d like to see a bit more about, though. In no particular order:

      At this point I’d be surprised if there was anything dodgy in any of them, but still.

  7. I certainly have no reason to trust this particular spin; but you’d expect a fair number of changes in UI-related packages and package install lists. It does, after all, look different and have different packages installed…

    The risk I’d be inclined to worry about would be anything that simply doesn’t have an analogous package in Ubuntu (or isn’t installed via a package at all: package management is a convenience, there is no enforcement against manually added stuff).

    There would be nothing stopping somebody from, say, using a dead-stock Ubuntu kernel, MD5s right from the factory; and loading a bugged kernel module stashed manually in the filesystem somewhere. Modifying the package directly would be deeply suspicious; but there is absolutely no requirement that all kernel modules be provided by the package that has ‘kernel-modules’ somewhere in the name.

    Kernel modules would just be an example, of course, a suitably clever and malicious actor could overlay enough goodies to compromise the system in all sorts of places without touching the packages or package manager at all…

    1. No, it’s a Cory thing, for reasons he has never explained. The project itself is just called Anonymous-OS with no extra ‘s’. And that’s the way all the rest of the press has described it.

      I think Cory just typoed in the first post and has decided to keep it that way ever since (Cory isn’t the best at admitting mistakes here… ;)
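The worry in comment 7, that a bugged module or binary can sit beside perfectly canonical packages without any checksum ever covering it, can be checked directly from the dpkg metadata, and the forced-at-boot module list in /etc/modules is where such a module would have to be named to load. The following is an added example, not the post's or any commenter's code: it assumes the image is mounted read-only and noexec on a trusted host at the mountpoint given as the first argument, and the directory names and module names used in the comments are mine.

```shell
#!/bin/sh
# Added example, not code from the post. Assumption: the Anonymous-OS
# filesystem is mounted read-only/noexec on a trusted host at <mountpoint>,
# and nothing from the image is executed.
# dpkg records every path a package installed in /var/lib/dpkg/info/<pkg>.list
# (absolute paths, one per line). A file present on disk but in no .list was
# not installed by any package, so no package checksum, however canonical,
# will ever be compared against it. That is exactly where a stock kernel
# plus a hand-copied module would hide.

# unowned_files <mountpoint> <dir>...   (dirs relative to the mountpoint)
# Prints every regular file or symlink under the given dirs that no package
# claims, as absolute paths inside the image, sorted.
unowned_files() {
  mnt=${1%/}; shift
  owned=$(mktemp)
  # Union of every package's file list; empty if the image has no dpkg data.
  cat "$mnt"/var/lib/dpkg/info/*.list 2>/dev/null | sort -u > "$owned"
  for d in "$@"; do
    [ -d "$mnt/$d" ] && find "$mnt/$d" \( -type f -o -type l \)
  done | sed "s|^$mnt||" | sort -u | comm -23 - "$owned"
  rm -f "$owned"
}

# boot_modules <mountpoint>
# Module names forced at boot via /etc/modules (and modules-load.d/*.conf where
# present), with comments and blank lines dropped. Cross-check these names
# against the unowned list: a module that is both unowned and force-loaded
# is the case comment 7 describes.
boot_modules() {
  mnt=${1%/}
  cat "$mnt"/etc/modules "$mnt"/etc/modules-load.d/*.conf 2>/dev/null |
    sed 's/#.*//' | awk 'NF { print $1 }' | sort -u
}
```

On a live system the same question is answered by dpkg -S on each path and by dpkg --verify or debsums for the owned files; running them from inside the image being examined is, as comment 1 says, the wrong way round, which is why this version reads the image's metadata from outside it.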

  8. If you already use Ubuntu as I do you could snag all these functions from reliable sources using the terminal window. And if you have to use a clickable link to get this OS, it’s fake.

    Every Ubuntu user knows you can’t click for the cool stuff. Terminal only.

    1. Some of these tools are already in the Ubuntu repos and/or PPAs, meaning you don’t need the terminal. Ubuntu Software Center or Synaptic would work fine.

      Of course, you will need the terminal to use some of the apps but that’s a different story. Hacking tools ain’t for noobs.

  9. Is it wrong to root against the script kiddies? Not that I’m some 1337 haxor, but come on.

    1. With however many million Anon, there’s bound to be a few thousand naive followers that’ll check it out.

  10. This is the sort of thing which might be fun to run on a neighbor’s network with a packet sniffer and just let it cook for a while.
    Really, it’s just about trust. FOSS is safer (I’d say) simply because there are more eyes on the code. These allegations can be brought and they’ll be proven or thrown out. We have no such safety with a Microsoft, Apple (or Google) product.

  11. What’s this file /etc/kernel/fbi/gonna/nail/yer/ass.ha_ha_ha?

    Never mind.  I’m sure it’s nothing.
