---------------------------------------------------------
Updates and analysis in the last 24 Hours - 01/25/2011
---------------------------------------------------------

• More hacker tools are being used in operational documents, showing that hacking/defacements, online protests (DDOS), and propaganda campaigns now appear to be the norm.
• This has shown up in attacks against US-based targets (www.nsa.gov), Egyptian targets, Algerian targets, and Tunisian targets.
• More discussion of utilizing the tool 'pyloris'.
• We have discovered that two operators, 'Sabu' and 'Murder', have advanced denial of service tools at their disposal. Yesterday morning they spoke of this tool, and we are led to believe they used it to test attacks against www.nsa.gov, temporarily taking the site down, 3AM-5AM CST, 01/24/11. The tool in use is referred to as 'g3m', 'geminid I', 'geminid II', authored by 'live' (not a part of AnonOps). This tool can generate up to 180g/sec running from a single host. The tool supports both IPV4 and IPV6 attack capabilities. We believe this is a credible threat, and have recovered portions of source code and have been working with law enforcement to obtain evidence from compromised computers (compromised computers @ jpl.nasa.gov, mit.edu) that had been mentioned as having this tool in use by the user 'murder'. Both users 'Murder' and 'Sabu' appear to be the most sophisticated users who have conversed in AnonOps channels since we started monitoring their actions. Both users have extensive knowledge of the underground, both are engaged in compromising high value targets (mit.edu, hosts at jpl.nasa.gov), and both are believed to have been in the blackhat scene since at least 1998. At one point when discussing the tool 'g3m', the user 'Murder' queried 'Sabu' as to where he acquired this tool and reminded him that it was not allowed to speak of this tool in public forums. 'Sabu' responded by stating that he had to compromise another user on EFNET (IRC chat server) to acquire the tool, since it was so private. Sabu only had the binary version, while 'Murder' had the updated source code and binary.
  • 'Murder' - is believed to be based in Brazil and has a botnet of 700 servers.
  • 'Sabu' - could be based out of a Caribbean island, but it is unknown at this time.
• Discussion of how the Rothschild family owns the banks, and the banks own society, occurred within the opTunisian room in the last 24 hours. (This is notable only to show the distrust of financial institutions.)
• Project owners for 'Operation Swift Assist' (a branch of Operation Tunisia):
  • U.S. - Barrett Brown - barriticus@gmail.com
  • Germany - Netzblockierer - Netzblockierer@privatedemail.net
  • http://typewith.me/owA6rmGfP6
• Operation Egypt will gain traction today since January 25th has been declared national 'protest day' for Egyptians.

Current Attacks / Operations
---------------------------------------

• Operation Algeria
  • Successful attacks
    • www.cnrc.org.dz - DDOS'd
    • http://www.interieur.gov.dz - continues to be DDOS'd
    • ns1.nic.dz - DDOS'd
    • ns2.nic.dz - DDOS'd
    • gov.dz - DDOS'd
    • 192.228.79.201 / 192.5.5.241 / 192.58.128.30 - DDOS'd
    • www.rnd-dz.com - defaced. http://imagebin.org/133895
  • Ongoing Targets
    • http://www.sonatrach-dz.com/ - Oil company
    • http://www.airalgerie.dz/ - Only Algerian flying company; "some workers do propaganda against us and say we are CIA + corrupt"
    • http://www.bank-of-algeria.dz/ - Bank of Algeria
    • http://www.societegenerale.dz/ - Societe Generale bank
    • http://www.sga.dz/agence.php - Societe Generale bank
    • http://www.mincommerce.gov.dz/ - Commerce Ministry
    • http://www.pfln.dz/ - FLN
    • http://www.hmsalgeria.net - MSP
    • http://www.rnd-dz.com/ - RND
    • http://www.premier-ministre.gov.dz - The Government
    • http://www.mjustice.dz/ - (in)Justice Ministry
    • http://www.interieur.gov.dz - Home Office Ministry
    • http://www.algerie-defense.org/ - Algerian Defense
    • www.el-mouradia.dz
    • Mobile Phone Companies
      • http://www.mobilis.dz/
      • http://www.nedjma.dz/extranet/web/accueil/accueil
      • http://www.djezzygsm.com/
• Operation Egypt
  • http://www.moiegypt.gov.eg/ (interior ministry - responsible for law enforcement)
  • http://www.moiegypt.gov.eg/arabic/default - Defacement operation.
  • http://www.mcit.gov.eg/ (info ministry)
  • http://www.tedata.net/web/eg/ar/ (large ISP in Egypt)
  (Complete Egypt targets appended in attachment)
• Operation Venezuela

Attack Chatter
--------------------

• Chatter about taking down the following sites/networks:
  • www.amazon.com
  • www.google
  • www.fbi.gov
  • www.whitehouse.gov
  • President of France - www.elysee.fr
  • http://www.indect-project.eu/
  • North African root domain name servers: 199.7.83.42 / 193.0.14.129 / 192.228.79.201 / 192.5.5.241 / 192.58.128.30 - this would drop DNS for most AfriNIC TLDs
    • B.root-servers.net - 192.228.79.201. Amigoshop.biz, inkjets5.net, root-servers.net, ebayinkstore.com, ae333.com
    • F.root-servers.net points to 192.5.5.241. In-addr.arpa, dvbtshop.be, root-servers.net and arpa use this as a name server
  • Alias 'murder' discusses taking down the root name servers on 01/25/11
• Operation Palestine
  • Information on this operation is still vague, but it is a response to Al Jazeera launching 'The Palestine Papers'
• Operation Algeria
  • This operation persists, as well as an active propaganda campaign being pushed to Arab social media outlets for this cause.
  • Directed fax attacks continue through the night and early morning.
• Operation Albania

Predictions for Next 24, 48, 72 Hours
---------------------------------------------------

• Though taking down the root name servers with the tool Geminid was discussed, we don't know how serious these threats are and are conservatively putting them at a low/semi-medium threat level.
• Operation Italy will begin; the proposed targets include:
  • agcom.it
  • siae.it
  • governo.it
  • vatican.va
• Operation Tunisia will persist.
• Operation Algeria is taking off. Fax attacks, denial of service attacks, and defacements will persist.
• Operation Egypt will be reported today since January 25th has been declared the 'national protest day in Egypt'.

New Tool Changes
---------------------------

N/A

New Attack Tools
------------------------

• g3m/Geminid I - Tool not acquired
• g3m/Geminid II - Tool not acquired
• udp6.pl - Tool not acquired
• Pyloris - Tool acquired, signatures will be released today.
• vbLOIC - Tool mentioned, but hasn't been released.

New Attack Detection
-----------------------------

• PyLoris signatures to detect this tool will be released later today.
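The report promises PyLoris signatures but does not describe them. As an added illustration (not the report's signatures and not code from any tool it names), the heuristic below flags the server-side symptom such connection-exhaustion tools produce, assuming PyLoris behaves like Slowloris: many connections per source held open with partial, never-completed request headers. The connection snapshot is constructed, and the thresholds are illustrative values a defender would tune per site.

```python
# Added example: per-source detection of stalled partial-request connections.
# ASSUMPTION: PyLoris, like Slowloris, exhausts a server's connection table by
# trickling incomplete HTTP headers; this is the server-side pattern checked.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str        # client address
    age_s: float    # seconds the connection has been open
    bytes_in: int   # request bytes received so far
    complete: bool  # True once a full request (terminating blank line) arrived


# Constructed snapshot of a web server's open connections (not real data).
SNAPSHOT = (
    [Conn("203.0.113.7", 40.0 + i, 80 + 4 * i, False) for i in range(12)]  # slow partial headers
    + [Conn("198.51.100.2", 35.0, 120, False)]  # a single stalled connection: not enough alone
    + [Conn("198.51.100.2", 2.0, 640, True)]    # ordinary completed request
    + [Conn("192.0.2.9", 300.0, 9000, True)]    # long-lived but complete (keep-alive / download)
    + [Conn("192.0.2.9", 50.0, 3000, False)]    # large incomplete upload body, not a header stall
)

MAX_PENDING_PER_SRC = 10   # browsers keep only a handful of idle connections per host
MIN_AGE_S = 30.0           # a request header should complete well within this
MAX_BYTES_PENDING = 512    # headers trickled a few bytes at a time stay tiny


def stalled(c: Conn) -> bool:
    """A connection that is old, still incomplete, and has received almost nothing."""
    return (not c.complete) and c.age_s >= MIN_AGE_S and c.bytes_in <= MAX_BYTES_PENDING


def suspect_sources(conns, max_pending=MAX_PENDING_PER_SRC):
    """Return {src: stalled_connection_count} for sources at or above the threshold."""
    pending = defaultdict(int)
    for c in conns:
        if stalled(c):
            pending[c.src] += 1
    return {src: n for src, n in pending.items() if n >= max_pending}


if __name__ == "__main__":
    for src, n in suspect_sources(SNAPSHOT).items():
        print(f"{src}: {n} stalled partial-request connections")
```

Counting stalled connections per source rather than per server keeps a single slow client or a legitimate long upload from tripping the alert.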