"Anonymous" Linux sparks concerns
Anonymous vs. anonymous: a new Linux distribution targeted at hackers showed up on SourceForge yesterday, appearing to be from the Anonymous activist group. Anonymous-OS 0.1 ships with a number of hacker tools, including the ParolaPass password generator, the Anonymous High Orbit Ion Cannon (HOIC), TorsHammer for DoS attacks, John the Ripper and Hash Identifier for password attacks, and much more. SourceForge subsequently took the project down.
The 1.5GB Live Linux is a modified Ubuntu 11.10 Oneiric Ocelot that works with Mate Desktop instead of Unity and is packaged with many additional programs, especially hacker tools. Tor programs Vidalia, I2P and Polipo also help conceal users' tracks.
A quick look into the system's details shows that it seems to be based on a regular Ubuntu installation, with a number of backup files from editors and other "remains" as signs of the original system's installation. It does not look like a clean rebuild at all. Anonymous-OS also uses a fixed, password-protected user account, although the password was only made available as an MD5 hash – users must first crack the hash to recover the four-character plaintext password before they can log in.
In a statement released late last night, SourceForge explained that it had taken the distribution off its servers after significant concerns were raised about the software bundle's authenticity and possible maliciousness. SourceForge stated that while it tends to consider projects to be amoral and thus even hosts software that could be considered controversial, it decided to take Anonymous-OS down as soon as it became clear that it might include malicious software and did not appear to be officially connected with the Anonymous movement. Almost as soon as the release of Anonymous-OS was announced on a new Tumblr page, the activist group stated via its Twitter account that Anonymous-OS is a fake and contains trojans.
Indeed, this statement cannot easily be refuted, even though an initial analysis by The H's associates at heise Security did not reveal any modified binary programs in the basic system. It is possible that a well-disguised malicious program is hiding in the initial ramdisk, the bootloader, or one of the additional firmware files. At the very least, however, Anonymous-OS uses the official Greek Ubuntu package sources and, apart from the official keys for the Tor Project, the Mate Maintainer, and the I2P-PPA repository, has not added any keys of its own to the package database; such keys would allow fake packages to be delivered after a delay and without warning. If anyone wants to risk running the Anonymous Live distribution on their computer, they should understand that it will have access to all the data on the hard drive and to any connected network.
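The package-source part of such a check can be repeated on a mounted copy of any image. The following is an added example, not code from the article or from heise Security's analysis; the allowlisted hostnames and the sample sources.list content are constructed assumptions, and it covers only the repository entries, not the trusted keyring.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of repository hosts (hypothetical; adjust to the image under review).
EXPECTED_HOSTS = {"gr.archive.ubuntu.com", "security.ubuntu.com",
                  "ppa.launchpad.net", "deb.torproject.org"}

# sources.list options that switch off APT's signature verification for an entry.
RISKY_OPTS = {"trusted=yes", "allow-insecure=yes"}

# Constructed sample of /etc/apt/sources.list content, not taken from Anonymous-OS.
SAMPLE_SOURCES = """\
# main archive
deb http://gr.archive.ubuntu.com/ubuntu/ oneiric main restricted
deb-src http://gr.archive.ubuntu.com/ubuntu/ oneiric main restricted
deb [arch=i386 trusted=yes] http://mirror.example.net/ubuntu oneiric main
deb http://deb.torproject.org/torproject.org oneiric main
#deb http://disabled.example.org/ubuntu oneiric main
"""

# One-line-style entry: type, optional [options], URI, suite.
LINE_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)")

def audit_sources(text, expected_hosts=EXPECTED_HOSTS):
    """Return (line_no, reason) findings for active APT source entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and disabled entries
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "unparsed entry: " + line))
            continue
        for opt in (m.group("opts") or "").split():
            if opt.lower() in RISKY_OPTS:
                findings.append((no, "signature checks disabled: " + opt))
        host = urlparse(m.group("uri")).hostname
        if host not in expected_hosts:
            findings.append((no, "unexpected host: %s" % host))
    return findings

if __name__ == "__main__":
    for no, reason in audit_sources(SAMPLE_SOURCES):
        print("line %d: %s" % (no, reason))
```

On a real image the same function would be run over `etc/apt/sources.list` and every file under `etc/apt/sources.list.d/` in the mounted root filesystem.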
The Live system's software bundle is also highly problematic in other ways, since it includes a number of files that are not allowed to be shared this way, such as Adobe Flash Player, various Windows libraries, and Microsoft Windows fonts. This would in itself have been sufficient reason for the ISO image to have been removed from the SourceForge servers; it is now only available for download via BitTorrent.
- Anonymous supporters tricked into installing Zeus Trojan, a report from The H.