Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Inside The LOIC: Anonymous Is Still Using It?


A source has sent in some information on the DoS attacks ongoing at Sony, and I have to say I was surprised that the Anons are still using the LOIC. Unless, that is, there have been upgrades made? Does the LOIC now in fact obfuscate IP addresses? Meh, dropping Sony for their douchery is negligible in my book, but there is some interesting information in the data sent.

Such as a host called staff.anonops.ru, which shows up in the WHO output on vlad.anonops.ru. Really? Staff? For a headless org, you have a staff server, going by its naming convention?

//DATA

"LOIC utilizes the following commands for AnonOps and this is how I did it:"
sh# telnet loic.anonops.ru 6667 <-- Open connection
Trying 92.241.162.211...
Connected to loic.anonops.ru.
Escape character is '^]'.
:vlad.anonops.ru NOTICE AUTH :*** Looking up your hostname...
:vlad.anonops.ru NOTICE AUTH :*** Found your hostname
NICK LOIC_JDOFOO <-- Send Nickname Command
PING :BFCA576C <-- Server sends a ping
PONG :BFCA576C <-- Respond with exact sequence or it logs you off
USER IRCLOIC bleep blah :IRC NewFag Bitches <-- Send USER command with password, blah, and User Info
:vlad.anonops.ru 001 LOIC_JDOFOO :Welcome to the AnonOps IRC Network LOIC_JDOFOO!IRCLOIC@whiterabbitobject
:vlad.anonops.ru 002 LOIC_JDOFOO :Your host is vlad.anonops.ru, running version Unreal3.2.8.1
:vlad.anonops.ru 003 LOIC_JDOFOO :This server was created Tue Jan 18 2011 at 19:28:18 UTC
:vlad.anonops.ru 004 LOIC_JDOFOO vlad.anonops.ru Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:vlad.anonops.ru 005 LOIC_JDOFOO UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=51 CHANLIMIT=#:51 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
:vlad.anonops.ru 005 LOIC_JDOFOO WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=AnonOps CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
:vlad.anonops.ru 005 LOIC_JDOFOO EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
:vlad.anonops.ru 481 LOIC_JDOFOO :Permission Denied- You do not have the correct IRC operator privileges
:vlad.anonops.ru 375 LOIC_JDOFOO :- vlad.anonops.ru Message of the Day -
:vlad.anonops.ru 372 LOIC_JDOFOO :- 18/1/2011 19:28
:vlad.anonops.ru 372 LOIC_JDOFOO :- :)
:vlad.anonops.ru 376 LOIC_JDOFOO :End of /MOTD command.
:LOIC_JDOFOO MODE LOIC_JDOFOO :+iwx
:Global!Service@AnonOps.net NOTICE LOIC_JDOFOO :[Logon News - Feb 16 2011] Please do not silence the media, it does no good and prevents free speech. Thank you.
:Global!Service@AnonOps.net NOTICE LOIC_JDOFOO :[Logon News - Mar 30 2011] Network help: #help | Nick registration: /msg nickserv register [password] [email] | Channel registration: /msg chanserv register [#channel] [password] [description] | Other help: /msg helpserv help
:Global!Service@AnonOps.net NOTICE LOIC_JDOFOO :[Random News - Mar 03 2011] this just in: iowa’s cock is the size of a horses. /breakingnews
JOIN #loic <-- Make it join the channel (if you don't do appropriate sequences, channel will be invite only)
:LOIC_JDOFOO!IRCLOIC@whiterabbitobject JOIN :#loic
:vlad.anonops.ru 332 LOIC_JDOFOO #loic :!lazor default targethost=store.playstation.com port=80 message=Payback_is_a_frak,_isn’t_it? method=tcp speed=4 threads=20 wait=false random=true checked=false start
:vlad.anonops.ru 333 LOIC_JDOFOO #loic tflow 1302037670
:vlad.anonops.ru 353 LOIC_JDOFOO @ #loic :LOIC_JDOFOO &Wolfy @Sean &LOIC_UIRXWT &tflow
:vlad.anonops.ru 366 LOIC_JDOFOO #loic :End of /NAMES list.
WHO #loic <-- List channel users:
:vlad.anonops.ru 352 LOIC_JDOFOO #loic IRCLOIC An-E075F605 vlad.anonops.ru LOIC_JDOFOO H :0 IRC NewFag Bitches
:vlad.anonops.ru 352 LOIC_JDOFOO #loic Howling the.moon.tonight tiny.anonops.in Wolfy Hr& :2 Wolfy Ragnarok
:vlad.anonops.ru 352 LOIC_JDOFOO #loic IRCLOIC an-E23BCDH1.anonops.net hidden LOIC_UIRXWT H& :0 Newfag’s remote loic
:vlad.anonops.ru 352 LOIC_JDOFOO #loic tflow staff.anonops.ru vlad.anonops.ru tflow Hr*& :0 Sejus Christ
:vlad.anonops.ru 315 LOIC_JDOFOO #loic :End of /WHO list.

:vlad.anonops.ru 352 LOIC_WMGVIJ #loic owen loves.isis tranquility.anonops.net owen Hr@ :1 owen
:vlad.anonops.ru 352 LOIC_WMGVIJ #loic ni staff.anonops.ru vlad.anonops.ru Ryan Hr*@ :0 ni
:vlad.anonops.ru 352 LOIC_WMGVIJ #loic evilworks evil.machine doom.anonops.ru wowelrisk Hr& :2 Jesus H. Christ
:vlad.anonops.ru 352 LOIC_WMGVIJ #loic MM an-544B51BC.bb.sky.com belldandy.anonops.ru MM Gr*@ :2 …
:vlad.anonops.ru 352 LOIC_WMGVIJ #loic tflow staff.anonops.ru vlad.anonops.ru tflow Gr*& :0 Sejus Christ
:vlad.anonops.ru 352 LOIC_WMGVIJ #loic IRCLOIC an-E23BCDH1.anonops.net hidden LOIC_UIRXWT H& :0 Newfag’s remote loic
:vlad.anonops.ru 315 LOIC_WMGVIJ #loic :End of /WHO list.

//END
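The transcript above shows the whole "hive mind" mechanism: the client is just an IRC bot, and its orders arrive as the channel topic (the 332 reply carrying "!lazor ... start"). That is also the detection hook for a defender watching IRC traffic on a network: parse the server lines, pick out RPL_TOPIC (332) and live TOPIC changes, and decode the !lazor parameters. The following is an added example written for this post; it is not code from the post, from the source who sent the data, or from LOIC itself. The !lazor layout (keyword, key=value pairs, bare verbs such as default/start/stop) is inferred from the captured topic line, not taken from LOIC's own parser, and the sample log is constructed, adapted from the session above plus one made-up TOPIC line with an invented ident.

```python
import re
from typing import Dict, List, Optional

# Raw IRC line: optional ":prefix", a command, middle params, optional ":trailing" (RFC 1459 shape)
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)"
    r"(?P<params>(?: (?!:)\S+)*)(?: :(?P<trailing>.*))?$"
)


def parse_irc_line(line: str) -> Optional[Dict[str, object]]:
    """Split one raw IRC line into prefix, command, params and trailing text."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),
        "command": m.group("command").upper(),
        "params": m.group("params").split(),
        "trailing": m.group("trailing"),
    }


def parse_lazor(topic: str) -> Optional[Dict[str, str]]:
    """Interpret a channel topic as a LOIC hive command.

    Layout assumed from the captured topic: '!lazor' followed by key=value
    tokens and bare verbs such as 'default' or 'start' (an assumption based on
    the transcript, not LOIC's own parser). The last bare verb is the action.
    """
    tokens = topic.split()
    if not tokens or tokens[0].lower() != "!lazor":
        return None
    cmd: Dict[str, str] = {}
    verbs: List[str] = []
    for tok in tokens[1:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            cmd[key.lower()] = value
        else:
            verbs.append(tok.lower())
    cmd["action"] = verbs[-1] if verbs else ""
    return cmd


def find_loic_commands(lines: List[str]) -> List[Dict[str, str]]:
    """Scan IRC traffic for topics carrying !lazor commands.

    Handles both the 332 reply sent on join (as in the transcript) and a live
    TOPIC change from an operator, which the transcript does not show.
    """
    hits: List[Dict[str, str]] = []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg is None or msg["trailing"] is None:
            continue
        if msg["command"] == "332" and len(msg["params"]) >= 2:
            channel = msg["params"][1]          # RPL_TOPIC: <nick> <channel> :<topic>
        elif msg["command"] == "TOPIC" and msg["params"]:
            channel = msg["params"][0]          # TOPIC <channel> :<topic>
        else:
            continue
        cmd = parse_lazor(msg["trailing"])
        if cmd is None:
            continue
        cmd["channel"] = channel
        cmd["source"] = msg["prefix"] or ""
        hits.append(cmd)
    return hits


def alert_lines(hits: List[Dict[str, str]]) -> List[str]:
    """Render hits as one-line alerts suitable for a SIEM or IDS console."""
    return [
        f"LOIC hive command in {h['channel']} from {h['source'] or 'server'}: "
        f"action={h['action']} target={h.get('targethost', h.get('targetip', '?'))} "
        f"port={h.get('port', '?')} method={h.get('method', '?')}"
        for h in hits
    ]


# Constructed sample: lines adapted from the captured session, plus a made-up
# TOPIC change (the ident "staff@staff.anonops.ru" is invented for the example).
SAMPLE_LOG = [
    ":vlad.anonops.ru 001 LOIC_JDOFOO :Welcome to the AnonOps IRC Network LOIC_JDOFOO!IRCLOIC@whiterabbitobject",
    "PING :BFCA576C",
    ":vlad.anonops.ru 332 LOIC_JDOFOO #loic :!lazor default targethost=store.playstation.com port=80 "
    "message=Payback_is_a_frak,_isn't_it? method=tcp speed=4 threads=20 wait=false random=true checked=false start",
    ":vlad.anonops.ru 366 LOIC_JDOFOO #loic :End of /NAMES list.",
    ":tflow!staff@staff.anonops.ru TOPIC #loic :!lazor stop",
]

if __name__ == "__main__":
    for line in alert_lines(find_loic_commands(SAMPLE_LOG)):
        print(line)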

Now, if I were looking to make life painful for Anonymous, I might go blackhat against a server like the aforementioned staff server. There might be some tasty information there… Just an OPSEC observation there, kids… But that’s just me. Others might actually do it, ya know, like those companies and agencies out there you are pissing off?

On the other hand, what if one were to re-engineer the LOIC to reverse the exploit, so to speak, and actually inhibit the servers? After all, the genesis of the LOIC and some of the code here seem to come from an early IRC DoS exploit based on obstruct.c, right? The mind wanders at the potential for re-engineering that could be done… And, as I remember it, a certain j35t3r already got his hands on the code before and backdoored it… Well, as the story goes. So, how long till someone comes along who wants to go against the flow and messes with the LOIC?

Kids, I think it’s time you found another product…

Meanwhile, Wolfy, dude, your data is hanging out all over the place. Quite the Xbox freak, aren’t you?

If I were you, I would perhaps ease up on the activities because, yet again, the data that Backtrace has offered up seems to be correct. Oh, and way to go having your page carry the anon aphorism… Do you want to be caught?

PS.. Re-using that nick has now gotten it to the point that your IP address can be found here: 174-49-41-193.hsd1.tn.comcast.net

Sure, it’s perhaps a DHCP address, but now it’s easy enough to link your name to an account at Comcast in Tennessee, huh?

Anyway….

To LOIC or Not To LOIC… I still say not.

More interesting times ahead.

K.

Written by Krypt3ia

2011/04/07 at 15:49

One Response


  1. An impressive share! I have just forwarded this onto a colleague who had been conducting a little research on this. And he in fact bought me lunch due to the fact that I discovered it for him… lol. So let me reword this…. Thanks for the meal!! But yeah, thanx for spending some time to talk about this matter here on your blog.

    Michael Anthony

    2012/08/20 at 20:49

