The LulzSec Hacks: How they did them

The LulzSec Hacks: How they did them

Much has been made of LulzSec's use of blunt-force, simple hacking tools like SQL injections and DDoS attacks to carry out their 50 days of Internet mayhem —enough for critics to label the hacktivist group mere "script kiddies"—but a new report from IT security firm Imperva indicates that the Lulz Boat crew had other weapons at its disposal.

"LulzSec was a team of hackers focused on breaking applications and databases. There were no virus or malware experts," an Imperva spokesperson told PCMag this week, ahead of the company's release of its analysis of leaked LulzSec Internet relay chat (IRC) logs published and pored over by the Guardian's Charles Arthur, Ryan Gallagher, and Josh Halliday last week.

The hactivist group, which publicly closed up shop last Saturday, was reportedly comprised of about six core members who came from the AnonOps wing of the online Anonymous collective and the more tightly knit hacking group gn0sis, which emerged with hacks of Gawker.com and HBGary Federal earlier this year.

According to Imperva, LulzSec had three primary attack vectors it used, likely deploying prepackaged penetration tools rather than custom code, in addition to the powerful botnet belonging to member "Kayla" used to deploy penetration tools and take down targeted websites with distributed denial-of-service (DDoS) attacks.

And Kayla's botnet really is/was massive, Imperva's director of security strategy Rob Rachwald believes.

"The [chat log] line, '8,000 RFI with usp flooder' tells you that 'lol' [an alternate IRC handle used by Kayla] had 8,000 infected servers, not PCs, to conduct the DDoS attacks," he said.

"That's pretty sizable. How much so? In our webinar on DDoS 2.0, we estimated that one infected server is equal to 3,000 bot-infected PCs, so 8,000 servers would be like 2.5 million PCs."

In one exchange on the leaked chat, Kayla refers to taking down "enturbulation.org, whyweprotest, anonnet" with an 8,000-server botnet that "hit ports at random."

As for its attack vectors, LulzSec has publicly admitted to breaking into systems using SQL injections to exploit database-layer weaknesses, which Rachwald describes as "the biggest vulnerability in the history of mankind that is the cause of millions of lost data records."

But less attention has been paid to LulzSec's probable use of Cross-Site Scripting (XSS) and Remote File Include (RFI) attacks, according to Rachwald.

Going by the leaked chat logs, LulzSec appears to have used an XSS attack—"the second biggest vulnerability in the history of mankind," according to Imperva—to hack Fox.com. In a May 31 IRC log, a participant with a redacted handle (possibly "m_nerva," reportedly the leaker of the log itself) refers to "XSS in billoreilly lol."

UPDATE: The similarity between the name of security firm Imperva and alleged chat log leaker m_nerva is striking. We asked an Imperva representative Wednesday afternoon if there is a connection, and await a reply.

UPDATE II: No connection, just a coincidence, an Imperva spokesperson assures us.

In a later chat on June 4, LulzSec founders "Topiary" and "tflow" credit a fringe figure called "trollpoll" with orchestrating the Fox.com intrusion:

Jun 04 08:29:28 tflow yeah but props to trollpoll for exploiting that fox.com hole

Jun 04 08:29:30 trollpoll it makes sense

Jun 04 08:29:34 Topiary oh definitely yeah

Jun 04 08:29:41 Topiary we have trollpoll to thank for the first hit

Jun 04 08:29:49 Topiary very good sh**

Jun 04 08:30:05 trollpoll not all mine…

Jun 04 08:30:14 Topiary word is that you exploited it up nicely

It seems possible that trollpoll is an alternate handle for m_nerva. If so, "that fox.com hole" and "XSS in billoreilly" would be references to the same vulnerability and penetration method used to secure one of LulzSec's earliest victories. Of course, Topiary and other LulzSec members constantly discuss spoofing IRCs with fake handles and discussions, so this may not be the case.

LulzSec also conducted RFI attacks pushed out by Kayla/lol's server bots to take down the CIA's public website on June 15 in addition to other site takedowns, according to Imperva. The "key snippet" identified by the security firm in the leaked chat logs:

Jun 01 05:51:25 lol storm would you also like the RFI/LFI bot with google bypass i was talking about while i have this plugged in?

(As a side note, "storm" may be an alternate handle for "Laurelai"—an alleged gn0sis member and HBGary hacker. In an interview with Gawker, 29-year-old Laurelai Bailey said her Iowa home was raided last week by FBI agents looking for dirt on hackers with whom Bailey had been associating. The agents were reportedly looking into the February cyber attack on HBGary Federal allegedly carried out by AnonOps and gn0sis members.)

RFI "attacks have the potential to cause as much damage as the more popular SQL injection and XSS attacks," according to Rachwald, who pointed out that RFI is "not widely discussed" in security circles.

"In other words, LulzSec used an often overlooked vulnerability to help ambush their targets. An RFI attack inserts some nasty code into a Web application server. What does the code do? Usually, RFI is used to take over the Web application and steal data. In the case of LulzSec, they used it to conduct DDoS attacks."

Chloe Albanesius contributed to this report.

Copyright © 2010 Ziff Davis Publishing Holdings Inc.

Damon Poeter
Digit.in
Logo
Digit.in
Logo