Saturday, January 26, 2013

Anonymous allegedly strikes ussc.gov

According to mashable.com, Anonymous defaced ussc.gov and posted a YouTube video (embedded in the article) declaring "war" on the U.S. government in response to Aaron Swartz's suicide.


They encouraged people to download "warheads" to be launched at allegedly vulnerable assets within U.S. government networks.

The YouTube video shows a file name ending in "aes256," which I guess means the files were encrypted with AES-256. The video also advertises the location where you can download these alleged "warheads," which is just a pastebin link. The pastebin page is a text file calling for action on Twitter and listing mirror sites from which you can download the "warheads" directly.

Out of curiosity about what these alleged warheads contained, I fired up Firefox with NoScript and HTTPFox activated to see whether access to the warheads was just a front for compromising visitors' systems. The first mirror I tried returned a 503 Service Unavailable, meaning either the host had taken the files down or the server was overwhelmed by the number of people trying to fetch them. The other three mirror sites are currently still active. I visited one to download a file.

With HTTPFox loaded, I can see that no secondary scripts or modules are loaded and there are no cross-site script calls. The request is just a standard GET. The scary part is that the files have no extension, and the server offers them up with a "text/plain" MIME type, so the browser renders them inline instead of saving them.

Most of these files are over 100 MB, and all are delivered as text. The content renders in the browser and is completely encrypted (unreadable). The sizes break down as follows:

Scalia.Warhead1   - 150 MB
Kennedy.Warhead1  - 108.3 MB
Thomas.Warhead1   - 150 MB
Ginsburg.Warhead1 - 150 MB
Breyer.Warhead1   - 150 MB
Roberts.Warhead1  - 22.7 MB
Alito.Warhead1    - 150 MB
Kagan.Warhead1    - 132.7 MB


The differing file sizes could mean several things. Maybe the smaller files were truncated during upload because whoever uploaded them disconnected early; I'm not sure. The common factor is 150 MB, which five of the eight files share.
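For anyone who wants to do the same triage without trusting the browser, here is a small Python script I put together for this post (it is my own added example, not anything from the video, the pastebin page, or the mirrors). It covers the two checks above: what the HTTP headers say about the download (status, Content-Type, and whether the body is shorter than the declared Content-Length, i.e. truncated), and what the body itself most likely is, judged by its byte entropy and alphabet. Raw ciphertext or compressed data runs close to 8 bits per byte, base64-armored data tops out near 6 bits per byte and uses only the base64 alphabet, and ordinary text sits well below 5. The responses and bodies below are constructed stand-ins so the script runs offline; the entropy thresholds are my own assumptions and should be tuned on real samples.

```python
"""Offline triage of an HTTP download: header sanity plus a body entropy check.

Added example for this post. All sample responses are constructed locally;
nothing here contacts the mirrors mentioned above.
"""
import base64
import math
import random
from collections import Counter


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Base64 alphabet plus padding and line breaks (armored output is often wrapped).
BASE64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n"
)


def classify_body(body: bytes) -> str:
    """Rough guess at what the body is. Thresholds are assumptions, not standards."""
    h = shannon_entropy(body)
    if body and all(b in BASE64_ALPHABET for b in body) and h > 5.5:
        return "base64-armored (likely ciphertext or compressed data)"
    if h > 7.5:
        return "raw ciphertext or compressed data"
    if h < 5.0:
        return "plain text"
    return "unknown"


def triage(raw: bytes) -> dict:
    """Summarize the headers and body of one captured response."""
    status, headers, body = parse_http_response(raw)
    declared = int(headers.get("content-length", -1))
    return {
        "status": status,
        "content_type": headers.get("content-type", "(none)"),
        "declared_length": declared,
        "received_length": len(body),
        # Fewer bytes than advertised means the transfer (or the upload) was cut short.
        "truncated": declared >= 0 and len(body) < declared,
        "entropy_bits_per_byte": round(shannon_entropy(body), 2),
        "classification": classify_body(body),
    }


def _response(status: str, content_type: str, declared_len: int, body: bytes) -> bytes:
    """Build a constructed HTTP response for offline testing."""
    head = (
        f"HTTP/1.1 {status}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {declared_len}\r\n\r\n"
    )
    return head.encode("ascii") + body


# Deterministic pseudo-random bytes stand in for AES ciphertext (constructed sample).
_rng = random.Random(1337)
FAKE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
FAKE_TEXT = (b"This is ordinary English prose used as a constructed sample. " * 60)

# A "warhead"-style download that claims 150 MB but only 4 KB arrived.
SAMPLE_RAW = _response("200 OK", "text/plain", 150_000_000, FAKE_CIPHERTEXT)
SAMPLE_B64 = _response("200 OK", "text/plain",
                       len(base64.b64encode(FAKE_CIPHERTEXT)),
                       base64.b64encode(FAKE_CIPHERTEXT))
SAMPLE_TEXT = _response("200 OK", "text/plain", len(FAKE_TEXT), FAKE_TEXT)
SAMPLE_503 = _response("503 Service Unavailable", "text/html", 30,
                       b"<html>Service Unavailable</html>")

if __name__ == "__main__":
    for name, raw in [("raw", SAMPLE_RAW), ("b64", SAMPLE_B64),
                      ("text", SAMPLE_TEXT), ("503", SAMPLE_503)]:
        print(name, triage(raw))
```

On a real capture, feed the saved response bytes (headers included) to triage(); a text/plain Content-Type with an entropy near 8 is exactly the "renders as ciphertext in the browser" case described above, and a truncated flag on a 150 MB Content-Length would support the early-disconnect theory for the smaller files.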

Forensics analysts, please step forward...