
Lame hacker tool or trojan delivery device? Hands on with Anonymous-OS

Pulled down by Sourceforge almost as quickly as it was started, the Anonymous- …

The Anonymous-OS "live" startup.
Photograph by Sean Gallagher

On March 13, an anonymous benefactor announced the availability of Anonymous-OS, a new live-bootable Linux distribution tailored for a... particular class of user. The package was posted on Sourceforge and downloaded over 20,000 times before it was taken down by the service on March 15.

Some in Anonymous had cautioned that it might be some sort of trap; others claimed it was in fact a clever socially engineered package of malware waiting to spring on whoever had the audacity to download it.

I had the audacity to download it just before Sourceforge shut the project down, loading it up on a virtual machine and installing it to a bootable USB. And honestly, there's not a whole lot to get excited about—Anonymous-OS is nothing more than a snapshot of a system running Ubuntu 11.10 with a few minor tweaks, redistributed as a live-boot ISO, and packaged with the usual collection of "educational" security tools (some of which may in fact expose you to law enforcement attention).

Sourceforge's move to take down the project had more to do with the shady way in which it was posted than its content. The Sourceforge community team looked at the project, and found it was "a security-related operating system, with, perhaps, an attack-oriented emphasis," the company said in its statement. But they found no evidence it was in any way connected to Anonymous, concluding that the person or persons behind the project were in fact using the name of the group to draw attention.

"By taking an intentionally misleading name, this project has attempted to capitalize on the press surrounding a well-known movement in order to push downloads of a project that is less than a week old," Sourceforge's spokesperson said in the company statement. "We have therefore decided to take this download offline and suspend this project until we have more information that might lead us to think differently. We’ll be in touch with the project admin, and let you know if and when we find out anything to contrary, but for now, that’s what we’re doing."

What's in the package

Nobody in the security realm is going to shed any tears over the suspension of the Sourceforge project. It is, at best, a poor substitute for other freely available distributions of Linux tailored to security tasks, most notably BackTrack Linux, an Ubuntu-based distribution that comes configured with a much broader selection of penetration testing, hacking, and "stress testing" tools. While I didn't find any evidence of trojans or rootkits while traipsing through its internals (and Wireshark records of its network traffic), it's probably most useful as a snapshot of what overeager Anon wannabes would run on the USB stick they keep hidden under their pillow.

Before installing Anonymous-OS, I poked around the contents of its DVD image and found that it was created using Remastersys, a tool that creates a full-system backup of Debian- and Ubuntu-based operating system installs up to 4GB in size and turns them into bootable DVD images. There's no way to actually install the image onto a system; however, you could waste your time like I did and use UNetbootin to create a bootable USB version of the image.

Once you get past the Ubuntu 11.10 startup, the Anonymous-OS package throws up this lovely customized login screen. The password for the anonymous admin account, in case you were wondering, is anon. The project team posted that on their site as an MD5 hash for eager downloaders to crack.
Sean Gallagher
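Posting an unsalted MD5 of a four-letter password as a puzzle is no protection at all: any wordlist, or a brute-force run over short strings, recovers it in a fraction of a second. The snippet below is an added example, not anything from the Anonymous-OS site or the author's own tooling. The hash value the project actually posted is not reproduced on this page, so the example computes the MD5 of "anon" locally as a stand-in target; the function name md5_dict_crack and the tiny built-in wordlist are constructed for illustration (a real run would feed a file such as rockyou.txt on stdin).

```shell
#!/bin/sh
# Added example (hypothetical helper names): dictionary attack on an
# unsalted MD5 password hash, the kind of "crack me" the Anonymous-OS
# site posted for its login password.
#
# Usage: md5_dict_crack <hex-md5> < wordlist
# Prints the first matching word and returns 0; returns 1 if none match.
md5_dict_crack() {
    # normalise the target to lowercase hex so case in the input doesn't matter
    target="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
    while IFS= read -r word; do
        # printf rather than echo: echo would append a newline and change the hash
        candidate="$(printf '%s' "$word" | md5sum | cut -d' ' -f1)"
        if [ "$candidate" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

# Constructed stand-in wordlist; a real attack would use a large list such as
# rockyou.txt, or enumerate every string up to a few characters.
demo_wordlist() {
    printf '%s\n' password 123456 letmein qwerty anon hunter2
}

# Stand-in target: the MD5 of "anon", computed here because the hash the
# project posted is not reproduced on this page.
demo_target() {
    printf 'anon' | md5sum | cut -d' ' -f1
}
```

Run `demo_wordlist | md5_dict_crack "$(demo_target)"` and the loop stops at the fifth entry. The only thing that makes this slow is the wordlist size; with a hash function that is unsalted and fast, that is the whole cost of the attack.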

When you get past the login, and the introductory music (pulled from Anonymous' video pronouncements), you're greeted with this popup, letting you know that the tools in this package are for "educational purposes only."
Sean Gallagher

A look through the processes running on the system, viewed as root. I checked the processes running and sniffed the network connection with Wireshark to be sure there was no badness at work, and found nothing overly concerning. The rootkit scanners rkhunter and chkrootkit also came up empty.
Sean Gallagher

Update: I performed an integrity check on the Ubuntu components in Anonymous-OS using MD5 checksums. You can see the list of fails here. While most of them were a result of the mangling of the theme to make it look more Anonymous-y, there are a few items that might cause some concern, usr/sbin/anacron among them.
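The per-file integrity check described in the update (and the process and rootkit sweeps in the caption above it) can be reproduced from dpkg's own records: every installed package leaves a list of the files it shipped and their MD5 sums in /var/lib/dpkg/info/<package>.md5sums, which is exactly what the debsums utility compares against the filesystem. The script below is an added example, not the author's script and not anything shipped with Anonymous-OS; the function name dpkg_md5_check and its argument convention are assumptions made here. It takes the root of a mounted or unpacked live filesystem (the squashfs from the ISO, or / on the booted system) and prints one line per file whose current sum differs from the recorded one, or which has gone missing.

```shell
#!/bin/sh
# Added example (hypothetical helper name): verify the files shipped by
# installed Debian/Ubuntu packages against the MD5 sums dpkg recorded at
# install time in /var/lib/dpkg/info/<package>.md5sums, the same check
# `debsums` performs.
#
# Usage: dpkg_md5_check [root]     (root defaults to /)
# Output: "FAIL /path (package)" per mismatch, "MISSING /path (package)"
#         per file that no longer exists. Returns 1 if anything was reported.
dpkg_md5_check() {
    root="${1:-/}"
    info="$root/var/lib/dpkg/info"
    status=0
    for list in "$info"/*.md5sums; do
        [ -f "$list" ] || continue          # unmatched glob: nothing to check
        pkg="$(basename "$list" .md5sums)"
        # each line is "<md5>  <path relative to />"; read splits on the first
        # run of whitespace so paths containing spaces survive intact
        while read -r sum path; do
            [ -n "$path" ] || continue
            f="$root/$path"
            if [ ! -f "$f" ]; then
                printf 'MISSING /%s (%s)\n' "$path" "$pkg"
                status=1
                continue
            fi
            actual="$(md5sum "$f" | cut -d' ' -f1)"
            if [ "$actual" != "$sum" ]; then
                printf 'FAIL /%s (%s)\n' "$path" "$pkg"
                status=1
            fi
        done < "$list"
    done
    return $status
}
```

Two caveats a practitioner should keep in mind when reading the results. First, the .md5sums lists do not cover conffiles (the package's files under /etc, which are tracked separately in /var/lib/dpkg/status), so a modified /etc/crontab or /etc/anacrontab will not show up here; and cosmetic mismatches in theme, icon and wallpaper packages are exactly what a remastered desktop produces. A mismatch on a binary such as /usr/sbin/anacron is the kind of result that deserves a closer look: fetch the pristine package from the Ubuntu archive (`apt-get download anacron`, then `dpkg-deb -x`) and diff the two files. Second, the check trusts the sum lists found on the image itself; someone who tampered with a binary and also rewrote the matching .md5sums entry would pass cleanly, so for a suspicious image compare against sums taken from freshly downloaded .debs rather than against the lists the image carries.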

The hacking tools in the Anonymous-OS image include a hit parade of options, including the widely discredited LOIC, the HOIC tool, slow attack tools such as Slowloris and Pyloris, and a collection of SQL injection tools.
Sean Gallagher

Some of the tools are of questionable value, and the attack tools might well be booby-trapped in some way. But I don't know how much more booby-trapped a tool can get than pointing authorities right back at your IP address as LOIC does without being modified.

Most of the stuff in the "Anonymous" menu here is widely available as open source or as Web-based tools—in fact, a number of the tools are just links to websites, such as the MD5 hash cracker MD5Crack Web. But it's clear there are a number of tools here that are in daily use by AnonOps and others, including the encryption tool they've taken to using for passing target information back and forth.

Other than the tools, there's nothing particularly different in Anonymous-OS from the usual poorly configured Ubuntu installation. There are a few surface changes, including a change in the system configuration that makes the OS version appear as Anonymous-OS in the Ubuntu System Monitor App. It's no wonder Anonymous members are calling this a fake—if it isn't, it's an embarrassment.

