Spamhaus Under DDoS Over Wikileaks.info 295

achowe writes "Steve Linford of Spamhaus sent this to a private anti-spam list and asked that the message get out far and wide: 'For speaking out about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. As our site cannot be reached now [actually sporadic], we can not continue to warn Wikileaks users not to load things from the Heihachi IP. ... AnonOps did not like our article update, here is what we said and what brought the ddos on us.'" At the conclusion of this message: "Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We’re not saying 'don’t go to Wikileaks' we’re saying 'Use the wikileaks.ch server instead.'" Here is Spamhaus's full warning.
  • by openfrog ( 897716 ) on Saturday December 18, 2010 @03:51PM (#34601762)

    I'm beginning to wonder if AnonOps/Anonymous is a false flag operation [wikipedia.org]. They seem to be doing more harm than help to Wikileaks. Their targeting is inept (they previously targeted the wrong DNS provider), their timing is inept, and Wikileaks doesn't need them to stay online.

    At last, this is coming out! I've been repeating this obvious thing on every Anonymous story that Slashdot has echoed out until now: we have no idea who is behind so called "Anonymous". A naive teenager is arrested from time to time to give credence to the myth that the Web is under the threat of unruly teenagers, opening the door to repressive legislation.

    Now with this, we are beginning to get to hard facts, which should help us awaken our traditional media journalist friends: press, TV, radio. Congratulations for coming up with the term AnonOps. It tells the whole story in a nutshell.

  • by pinkushun ( 1467193 ) * on Saturday December 18, 2010 @04:15PM (#34601954) Journal

    In the case of it getting /.'ed or DOS'd (like TFA link to nanozen.info)

    Wikileaks Mirror Malware Warning
    2010-12-14 17:00 GMT, by Quentin Jenkins

    On Monday Spamhaus became aware that the main Wikileaks website, wikileaks.org, was redirecting web traffic to a 3rd party mirror site, mirror.wikileaks.info. This new web site is hosted in a very dangerous "neighborhood", Webalta's 92.241.160.0/19 IP address space, a "blackhat" network which Spamhaus believes caters primarily to, or is under the control of, Russian cybercriminals.

    Important: this warning is issued only for wikileaks.INFO, NOT Wikileaks itself or any other Wikileaks site. Wikileaks.info is NOT connected with Julian Assange or the Wikileaks organization. For a list of real Wikileaks mirror sites please go to wikileaks.ch

    The Webalta 92.241.160.0/19 netblock has been listed on the Spamhaus Block List (SBL) since October 2008. Spamhaus regards the Russian Webalta host (also known as Wahome) as being "blackhat" - a known cybercrime host from whose IP space Spamhaus only sees malware/virus hosting, botnet C&Cs, phishing and other cybercriminal activities. These include routing traffic for Russian cybercriminals who use malware to infect the computers of thousands of Russian citizens.

    The fact that recently some unknown person or persons decided to put a Wikileaks mirror on Webalta IP address 92.241.190.202 should raise an alarm: how was it placed there, and by whom? Our concern is that any Wikileaks archive posted on a site that is hosted in Webalta space might be infected with malware. Since the main wikileaks.org website now transparently redirects visitors to mirror.wikileaks.info and thus directly into Webalta's controlled IP address space, there is substantial risk that any malware infection would spread widely.

    Spamhaus also notes that the DNS for wikileaks.info is controlled by Webalta's even more blackhat webhosting reseller "heihachi.net", as evidenced by the DNS records for the domain:

    wikileaks.info. 14400 IN A 92.241.190.202
    wikileaks.info. 14400 IN NS ns2.heihachi.net.
    wikileaks.info. 14400 IN NS ns1.heihachi.net.

    Spamhaus has for over a year regarded Heihachi as an outfit run 'by criminals for criminals' in the same mould as the criminal Estdomains. The Panama-registered but Russian/German-run heihachi.net is highly involved in botnet command and control and the hosting of Russian cybercrime.

    We also note that the content at mirror.wikileaks.info is rather unlike what's at the real Wikileaks mirrors, which suggests that the wikileaks.info site may not be under the control of Wikileaks itself, but rather some other group. You can find the real site at wikileaks.ch, wikileaks.is, wikileaks.nl, and many other mirror sites around the world.

    Spamhaus takes no political stand on the Wikileaks affair. We do, however, have an interest in preventing spam and related types of internet abuse, and hope that the Wikileaks staff will quickly address the hosting issue to remove the possibility of cybercriminals using Wikileaks traffic for illicit purposes.

    More information on the SBL listing of Webalta's 92.241.160.0/19 is here:
    http://www.spamhaus.org/sbl/sbl.lasso?query=SBL68370 [spamhaus.org]

    Spamhaus is not alone in issuing this Wikileaks mirror malware caution. On Sunday researcher Feike Hacquebord at fellow anti-spam system Trend Micro issued a similar warning in the Trend Micro Malware Blog. (http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/)

  • by PatPending ( 953482 ) on Saturday December 18, 2010 @04:23PM (#34602012)

    Was it really a good idea to post that link on Slashdot - to a DDoSed site?

    In general, no. However in this case, it is worth noting [spamhaus.org] this:

    Spamhaus is currently under a 2.1Gbps DDOS attack which began at 05:20 CET. As we are used to DDOS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.

  • by PatPending ( 953482 ) on Saturday December 18, 2010 @04:30PM (#34602066)

    Seriously, Spamhaus is under DDoS and we slashdot it too?

    Take a chill pill, bro, please: it is worth noting [spamhaus.org] this:

    Spamhaus is currently under a 2.1Gbps DDOS attack which began at 05:20 CET. As we are used to DDOS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.

  • by leromarinvit ( 1462031 ) on Saturday December 18, 2010 @04:42PM (#34602130)

    Spamhaus seems to be pretty quick in assuming that wikileaks.info is malicious.

    Apparently the site is hosted by a Russian company known to host malware and phishing sites. But how does this prove anything? They might as well be ordinary customers of a webhoster who doesn't take sites down easily.

    Somebody who won't take malware sites down probably won't bow to political pressure to take down a Wikileaks mirror - or so they hope. "Outlaws" of whatever kind have a very reasonable interest in common: to evade prosecution and punishment. Whether you're stealing credit card numbers or publishing government/corporate secrets doesn't matter in this context.

  • by bpsheen ( 957313 ) on Saturday December 18, 2010 @04:51PM (#34602196)
    Screw all this talk, let's look at the page source code and go from there. I booted Knoppix, pulled up Iceweasel and copied and pasted the page source from wikileaks.info. My HTML and JavaScript skills are not the sharpest. My skills are best in other areas. However, I noticed there is too much talk and not enough transparency here, so I posted the page source so hopefully someone would analyze it and talk about the contents rather than jumping on sides of the arguments like some deranged trolls. Let's have a discussion that's not owned by a bunch of drama queens; true geeks work with logic, not drama. End of anti-troll rant. Here's the pastebin link. http://pastebin.com/dyMkdZEG [pastebin.com]

  • by box2 ( 1885028 ) on Saturday December 18, 2010 @05:35PM (#34602434)
    It seems much more plausible that either this wikileaks.info related cybergang is performing the DDoS themselves, stirring up other communities to perform DDoS, or both. I have no experience with this AnonOps group, but I have spent a lot of time looking at *chan culture. As haphazard as a collection of 'anonymous' users generally is, they do not actually get to the point of performing an attack against something without hearing many sides to the story. That is one of the benefits of having so many individuals actively involved rather than an army of unthinking zombie computers.

    For example, given enough .jpg's, between their collective experience they can collate enough data to link seemingly completely unrelated photos to the same household or person. I have seen this happen over the course of a few threads and the experience was like watching a higher consciousness at work. It totally blew me away.

    They will have people who actually do look at what is specifically being blocked by Spamhaus, why, and verify the authenticity of said claims. When you have threads of people calling for destruction it may be hard to turn away the mod mentality, but when people start posting clear facts it can and will do so, leading to the impending attack falling apart before it reaches critical mass.

    I don't know much about this AnonOps group as of now, but if they are made up of enough individuals even this article will definitely reach them. As to whether they will care, that depends on what their real goal is, I suppose.

  • by PeterBrett ( 780946 ) on Saturday December 18, 2010 @05:45PM (#34602490) Homepage

    The Pirate Parties provide and administrate the wikileaks.ch network (note that the same network serves wikileaks.de and wikileaks.lu). Understandably, we all feel very strongly about the importance of whistleblowing and freedom of the press. I personally will vouch for those servers' integrity at this time. Specifically, Pirate Party members in the UK, Holland, Germany, Russia, Switzerland, Luxembourg and the Czech Republic have all donated servers.

    I'm sorry that these servers are not currently available over SSL. As I understand it, some of these servers are hosted on IP addresses shared with other websites, and apparently this setup is incompatible with SSL. In addition, we have not yet identified a signing authority that we feel confident would be resistant to coercion and subornation by agencies looking to discredit or manipulate Wikileaks. (Got a suggestion? Reply to this post!)

    I'll re-raise the issue with the PPI organising committee, and see whether we can organise something. ;-)

    I'm afraid that I can't speak for any of the Wikileaks-specific issues, such as document submission or the status of the wikileaks.org domain.

  • by dbreeze ( 228599 ) on Saturday December 18, 2010 @07:55PM (#34603280)

    http://www.spamhaus.org/news.lasso?article=665 [spamhaus.org]

    Update 15 December

    In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of {your} business" and called on people to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies".

    None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

    Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirror sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.

    Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian and German malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it.

    Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks" we're saying "Use the wikileaks.ch server instead".

    Update 18 December

    A DDOS attack was launched on www.spamhaus.org today in retaliation for us warning Internet users about the Russian-German cyber criminals behind the Wikileaks mirror wikileaks.info.

    Spamhaus is currently under a 2.1Gbps DDOS attack which began at 05:20 CET. As we are used to DDOS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.

    By no coincidence, the 'AnonOps' DDOS group irc.anonops.net is also hosted by the same Heihachi Russian-German cybercrime gang in the same CIDR as wikileaks.info:

    wikileaks.info = 92.241.190.202
    irc.anonops.net = 92.241.190.94

    In addition to the LOIC and *OIC tools issued to dimwitted script kiddies to DDOS "enemies of Anon" with, AnonOps appears to be now escalating its DDOS attacks using dedicated criminal botnets (botnets of illegally hijacked PCs), and now appears to be directing DDOS attacks not at "enemies of Wikileaks" but at "enemies of our criminal bosses".

    There is palpable irony in a DDOS being used to prevent exposure of a probably-false Wikileaks mirror that could potentially harm Wikileaks and Wikileaks readers. We hope that AnonOps supporters appreciate the irony as much as we do.
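    A defender-side check for the hosting claims in the two Spamhaus texts quoted above (the DNS records and SBL-listed netblock in the 14 December warning, and the shared CIDR noted in the 18 December update), written here as an added Python example rather than anything from Spamhaus or Slashdot: it parses records in the zone-file form shown and flags A records inside 92.241.160.0/19 and NS records under heihachi.net. The irc.anonops.net record, the wikileaks.ch records and all TTLs other than those quoted are constructed sample values.

```python
import ipaddress
import re

# Constructed sample input: the records quoted in the Spamhaus warning, plus a
# constructed record for irc.anonops.net and a placeholder official mirror.
SAMPLE_RECORDS = """\
wikileaks.info. 14400 IN A 92.241.190.202
wikileaks.info. 14400 IN NS ns2.heihachi.net.
wikileaks.info. 14400 IN NS ns1.heihachi.net.
irc.anonops.net. 14400 IN A 92.241.190.94
wikileaks.ch. 3600 IN A 203.0.113.10
wikileaks.ch. 3600 IN NS ns1.example.net.
"""

# Netblock the warning says is SBL-listed, keyed to the listing id it cites.
LISTED_NETBLOCKS = {ipaddress.ip_network("92.241.160.0/19"): "SBL68370"}
# Nameserver domain the warning identifies as the blackhat reseller.
FLAGGED_NS_DOMAINS = {"heihachi.net"}

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_records(text):
    """Parse 'name ttl IN type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.append((name.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def assess_host(host, records):
    """Collect A records inside listed netblocks and NS records under flagged domains."""
    host = host.rstrip(".").lower()
    bad_addresses, bad_ns = [], []
    for name, rtype, rdata in records:
        if name != host:
            continue
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            for net, listing in LISTED_NETBLOCKS.items():
                if addr in net:  # the /19 covers third octets 160 through 191
                    bad_addresses.append((rdata, str(net), listing))
        elif rtype == "NS" and any(rdata == d or rdata.endswith("." + d) for d in FLAGGED_NS_DOMAINS):
            bad_ns.append(rdata)
    return {"addresses": bad_addresses, "nameservers": sorted(bad_ns)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for h in ("wikileaks.info", "irc.anonops.net", "wikileaks.ch"):
        print(h, assess_host(h, recs))
```

    Both 92.241.190.202 and 92.241.190.94 fall inside the same /19, which is the "same CIDR" observation the 18 December update makes; the constructed wikileaks.ch entries produce no findings.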

  • by Anthony Mouse ( 1927662 ) on Saturday December 18, 2010 @09:04PM (#34603730)

    So I'm going to post this near the beginning of the thread since the OP is correct but confusing and the signal to noise ratio in the comments is terrible. It appears the general consensus is this:

    1) Russian criminals have control over the wikileaks.org and wikileaks.info domains and are distributing malware. The current real wikileaks website is wikileaks.ch.

    2) Spamhaus has been telling people about (1).

    3) The Russian criminals are now retaliating by using their botnets to DDoS Spamhaus under the flag of AnonOps.

    4) Some of the people who call themselves Anonymous may or may not also be participating in the DDoS against Spamhaus because they are idiots.

  • by Anonymous Coward on Monday December 20, 2010 @12:41AM (#34612834)

    "Yeah, you know who ALWAYS has access to it? THE SYSTEM. And hey, guess how the bugs drop their payload in your system folder? Why with system rights of course! Dumbass." - by hairyfeet (841228) on Sunday December 19, @10:53PM (#34612590)

    See subject, & this testimonial from others here using HOSTS files, especially vs. VIRUSES (which you noted):

    ---

    "Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

    FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122 [slashdot.org]

    ---

    Seeing as that is the case with him, and myself (I can produce other such quotes also for you, just ask (& since 1995, I haven't gotten a virus/malware/trojan/worm etc. in fact))?

    IF I DON'T GET VIRUSES, THEN HOW ON EARTH WILL YOUR "VIRUS THEORY" TAKE HOLD HERE, IF I DO NOT GET MALWARE INFESTATIONS @ ALL?

    Plus, even IF my HOSTS file was somehow "compromised" (like if someone physically had access to my system)? I update it daily anyhow... & I do have backups (like anyone should of their critical data).

    OH, lastly - Anymore names you want to toss, Mr. "ITT TECH"?? Right about now, you are doing what the other guy said:

    YOU HAVE TO EAT YOUR WORDS!

    (Especially the names you tossed my way, lol... who's the "dumbass" now? Not I... Ah, too, Too, TOO EASY! Just TOO EZ...)

    APK

    P.S.=> The other fellow you replied to isn't myself, but he's on the right track (except you have to do a LITTLE MORE than just rely on ACL/MAC usage, due to SOME malware (rare though, thank goodness) like rootkits being able to subvert the OS, or, run via system level impersonation): You additionally HAVE to scan from external system setups to see if you are infested OR NOT, for sure (2nd disk w/ OS setup & antivirus/antispyware (multiple ones) updated to current signatures, for scanning your "REAL" system you use daily)... apk
