Foot Soldiers for Wikileaks: 27,000 Download Attack Software Overnight

An inside look at the anatomy of the pro-WikiLeaks hack attack.

December 9, 2010, 2:55 PM

Dec. 10, 2010— -- Downloads of the software program used by Wikileaks supporters to launch cyberattacks online spiked overnight, topping more than 43,000 downloads in the past week, according to the U.S. data security company Imperva.

While impossible to know whether all the computer users had joined the ongoing "cyberwar" against U.S. companies that severed ties to Wikileaks, the data suggest a growing number of people are answering the call to arms put out by a scrappy, decentralized coalition of WikiLeaks defenders that calls itself Anonymous.

There were 700 worldwide downloads of the widely available software, Low Orbit Ion Cannon, or LOIC, Monday, with more than 27,000 downloads occurring Thursday, according to Imperva web security researcher Tal Beery.

Over the past few days, members of Anonymous have bombarded corporate websites for MasterCard, Visa and Paypal, disrupting their normal operations. There are also signs that it was behind attacks on Swedish government websites and those tied to Sarah Palin and Sen. Joe Lieberman.

How'd they do it? The technology behind Operation Payback is surprisingly simple, cybersecurity experts say.

The massive hack attack appears to have been orchestrated by a handful of organizers with control over a virtual army of tens of thousands of computers. The networks -- called botnets -- can inundate their targets with denial of service attacks, so overwhelming a site's server that regular customers can't get through.

Security experts reached by ABC News estimated that several thousand computer users have voluntarily dedicated their machines to the campaign, downloading attack software, installing it on their computers and connecting to a central server called a HiveMind.

Anonymous has posted online step-by-step instructions for download, telling participants that after installing the software they simply "sit back and enjoy!"

Then, HiveMind masterminds input the IP address of their desired target, and all the affiliated computers running the special software begin to bombard the site.

"Remember: current target is, port 443. We are currently FIRING!" one of the HiveMind organizers posted under the Twitter handle AnonOpsNet late Thursday.

The software, a simple Windows application called Low Orbit Ion Cannon, or LOIC, was developed decades ago to test the ability of a website to handle traffic. Because it's open source, meaning its code is publicly available, it is also easily shared and manipulated.

"This program just goes and grabs data on the target website at a high rate, in effect having no pause in your viewing of a webpage," said Barrett Lyon, an Internet security expert who created the first denial of service defense company in 2004 and has analyzed the ongoing cyberwar. "It's basically just blasting the website using all the resources of the user."

But the attacks don't appear to be meant to do more than create a show, Lyon said, noting the hackers don't seem to be seeking confidential company or consumer information, such as credit card account numbers.

In their manifesto posted online Thursday, Anonymous said it did not intend to attack the "critical infrastructure" of sites like Visa and MasterCard but instead to disrupt their corporate websites. "Anonymous does not seek to disturb the public peace nor the average internet citizen; for average internet citizens are most of us who are Anonymous," the statement says.

WikiLeaks' founder, Julian Assange, has vehemently denied directing these attacks in any way. His lawyer told ABC News' Jim Sciutto, "Wikileaks is not in the business of revenge."

Only 800 Computers to Take Down MasterCard

An Australian man who claims to be one of the organizers running the HiveMind told the Sydney Morning Herald it took only 800 computers to take down MasterCard, and 1,000 to take down Visa.

But some security experts say the effort is almost certainly aided by collections of tens of thousands of other computers, involuntarily and unknowingly participating in the campaign at the direction of a master computer.

"The truth is the actual attack is not coming from those few individuals," said Peter Schlampp, a cybersecurity expert with Solera Networks. "They're commanding an extremely broad network of ... computers being controlled by whatever the puppetmaster wants them to do."

These secret networks -- the botnets -- are common and are often amassed through viruses and worms without a computer user even knowing it.

"The infected computers can be told remotely to go do something: Send out spam, send out bad traffic. They can even be told to attack the Pentagon and steal data. They're robots," said Alan Paller, director of research at SANS Institute for Computer Security and Training.

Paller said there are millions of computers available to would-be cyberattackers via botnets, making it difficult for law enforcement agencies to root out the threat completely. But, he added, officials can often track down individuals behind the botnet controls.

Dutch National Police arrested a 16-year-old boy Wednesday in connection with the hack attacks, a spokesperson for the Dutch National Prosecutors Office told ABC News. The teen, he said, had confessed to involvement in the attacks on MasterCard's and Visa's websites.

But the botnets live on.

"Botnets wax and wane over time, but don't go away," said Schampp. "The only way to kill a botnet is for all the PCs to have updated antivirus and antimalware software, or to shut down the computers."

In the current battle, Paller said, resolution may more likely come through more cyberattacks -- from the other side.

"What will happen is that there are enough angry people on the side that doesn't like what Wikileaks did that are going to be vigilantes too. That's already started," he said. "They're attacking back."

ABC News' Zunaira Zaki and Jim Sciutto contributed to this story.