Thursday, June 30, 2011

Lulzsec's last ever data dump includes malware

LulzSec's last set of "booty" contained malware, and although the now disbanded hacker group placed a warning about the Trojan Horse in their "press release," you had to read the fine print to be warned about it.

Way at the bottom their announcement the group posted the following information:
Note: In "AT&T internal data.rar", do not open "BootableUSB/Program Files/WinRar/WinRar v3.71.exe", as it is malware (due to AT&T using a pirated copy of WinRar).
First, why didn't they just remove that before posting it? Second, why would AT&T be using a pirated copy?

Kaspersky Anti-Virus 2012Interesting that they would have embedded WinRAR itself in the RAR file. To open it, you'd either need WinRAR or some other program that can open RAR files (like the open-source 7-zip).

The file is no longer available via The Pirate Bay BitTorrent site, as it was removed over the malware. It may reappear in scrubbed form. Still, those with sufficient security software should have been protected from infection.

On InfoSec Island, a website for IT and security professionals, security expert Kevin McAleavey wrote,
"It turns out that the RAR file offered as a torrent download is infected with a backdoor of the 'RBOT' class of malware. This type of malware was commonly used by the lulzsec 'hackers' to own other machines, but is a different variant of the tools they normally used to expand their botnet."
Based on that, it sounds like LulzSec might have planted the malware itself, but they why warn about it, even in a footnote. McAleavey wrote the respected "BOClean" anti-malware software which was later acquired by security firm Comodo.

In addition to the Trojan, LulzSec's last drop of data included information about AT&T's LTE rollout, data from an external NATO-affiliated site, and more.

LulzSec suddenly quit last Saturday, after only 50 days of "lulz." It's suspected that they may have felt the heat of law enforcement or other hackers.



No comments: