Rumors of LulzSec's Demise are Greatly Exaggerated

Sunday, June 26, 2011

Kevin McAleavey



The media has been reporting that LulzSec has folded, but they've merely gone underground and are regrouping.

@Lulzboat on Twitter has now become @lulzb0at and combined with AnonOps and AntiSec, releasing the following announcement on their IRC subchannels:

About AntiSecPro Security Team
Channel: #antisecpro
This Channel is invite only so if you want to ask questions please /msg antisecpro
If you are thinking of being a member or helper of our team please understand that this isn't going to be some kind of immediate start hacking group. Currently we are developing structure and hierarchy. This will most probably be a slow moving, carefully thought-out process in order to ensure that the founder and co-founders agree on the progress/direction. Any person, helper or other individual can offer suggestions covering agenda, direction, structure and protocol of operation.

Only individuals who are respectful, drama free and not impeding progress will be allowed involvement with our team regardless of status. The end goal is to be a team powerful/versatile group of serious like minded/structured peers. It is very important that any member of this team to not offer or expose any type of information that may identify themselves. It is also strictly prohibited to ask for any information about an individual which at minimum includes, name, location, picture and gender rather it be to the individual personally or via another source. It is your responsibility to protect this information, also to report to one of the founders so measures can be addressed.
As far as our general agenda, we stand for nothing and everything. We will never accept any sort of label or common stereotype such as white, black or gray hat hackers. Our team will never be labeled a hacking group, only a security team. This does not mean we are obligated in any way to restrict affiliation with any type of other security individuals or teams whether it be illegal or legal. This group is about education and real life exercise of what we know and learn. We consider computer security and hacking equally correlated to each other. Consider the well known saying "necessity is the mother of all creation". Necessity represents "the process of discovering the insecure" and mother represents "Security", to protect. The process of penetration, exploitation and hacking only progresses the necessity for better security and product development. This promotes more advanced technology and a better experience for the majority of computer users.
This is all for now! Welcome to AntiSecPro Security :)


The new operation has even opened up a school for new "hackers" at:

Therefore, be advised that LulzSec hasn't gone away; they've merely performed yet another diversion and are regrouping. At their school are numerous IRC logs of lessons on SQL injection, HTML attacks and presumably more. They have also handed out source code for numerous attacks, including code for the Zeus banking trojan for their bot-herders to make use of. More releases from the LulzSec operation will likely be available before Monday as well, and the usual suspects are hard at work in their new role "for the next 50."

Of course, we all know they're not really going away. Their mayhem will continue under a new ship's registry under #AntiSec and #Anonymous with the same crew, as noted in the #AnonymousIRC Twitter section:

AnonymousIRC We like to assure all fellow Lulz Lizards that and will continue to sail the stormy seas for booty and Lulz. LET IT FLOW

The Real Sabu by AnonymousIRC We are working under the flag now gentlemen. LulzSec will live on forever as a successful operation. Much love to all

AnonymousIRC may fade away but all fellow lizards can rest assured that will not. LulzSec was our vanguard, now it's time to sail free!

The Real Sabu by AnonymousIRC Good work my brothers. 50 days of unstoppable action. Now onto for another 50


About the author: Kevin McAleavey is the architect of the KNOS secure operating system and has been in antimalware research and security product development since 1996.

Jamie Adams Excellent note. As a side note, I followed the link and the page came up for a brief few seconds and then my Firefox 4.0.1 browser on openSUSE 11.4 crashed. HHHmmm.. I am very concerned now. I am currently scrubbing my machine and making sure everything is okay.
Anthony M. Freed @Jamie - Interesting considering the "50 days of Lulz" file was infected - are they just setting traps to build up their zombie botnet?? Please let us know what you find in there...
Jamie Adams Well.. after the initial sweat bead I think I might be okay. Anthony, that was my first thought and said to myself, "You idiot."

Nonetheless, I did a bunch of precautionary steps to include cleaning out cache history, cookies, checking the integrity of files on my system and package manifests. I doubt it will do much good but I ran a full ClamAV file scan on the system, too. Additionally, I immediately changed several online passwords. Then I went to a virgin, virtual machine and performed a command line curl on the URL. The downloaded file was huge and I feel that may have been the cause. I don't see anything "dangerous" in the HTML code. The content is a bunch of chatlogs on "hacker" training. I also examined the Firefox crash report and it seems to be a glibc runtime error.

I am still going to report it to my internal IT support team to keep an eye on it. I won't hesitate to "slick" the machine on a moment's notice.

If anyone has suggestions or tests, let me know.
Kevin McAleavey Hi there and apologies for the blood pressure ceremonies there. Just so everyone knows - whenever I do research, I do it within our KNOS operating system and carefully check any links and their diversions before I would ever share them with anyone else on an OS with the potential for "pwnage." I just doubled back and rechecked and all of the links I provided are safe to navigate. I'd say it's a safe bet that Firefox 4 did one of its sideways acts and simply ran itself out of memory. We wanted to include FF4 in KNOS but found that it was just too unstable for us at the time of our latest release.

In the event that anything is dodgy in any way, I will always obfuscate the link and provide additional warning prior to the link if there's any risk to visiting.

That said, it's still a good idea when treading shark-infested seas to VM or sandbox or use a non-Redmond OS to observe the hijinx of children on the rampage. But in any of the articles I've presented so far, no dangers or I wouldn't have provided the links.
Jamie Adams @Kevin.. thanks for the additional information. I am pretty confident that it was just a glibc runtime error due to the size of the download. And I never use Redmond-based stuff!!
Kevin McAleavey You're welcome! The thing that piqued my interest in the shens personally is that I'm responsible for an operating system that we've created and when I saw the trading of so much Linux shellcode and exploits back and forth, I became very concerned about the risks to our own product. As a result, I was going out of my way to see what they had and whether there were any concerns for our BSD-based one. Thus the level of caution and examination on our end was fairly serious. And as a practitioner with a reputation to protect, I'm not going to allow others to fall victim either.
cliff sull re: Infected 'links' being posted. Anthony and Jamie - have you even considered if it is these groups posting the 'links' or infiltrators working for Government? Just a thought ;)
Who is who? LULZ ;)
Marty McFly I own and hadn't checked on it in a long while, so I was not even aware of the "school" until just now. The domain is for sale. So is Best offer.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.