LOIC DDoS tool – is it 'safe' for the user?

Writing in the Imperva Data Security Blog, Rob Rachwald notes that by 22 April, downloads in 2012 surpassed the total for 2011 – that’s “142 downloads per hour,” he notes. “The US, France and Brazil were the respective gold, silver and bronze medalists,” with France rapidly overhauling America. Downloads in Germany, however, are decreasing.

LOIC is a simple application that allows users to – illegally, it has to be said – take part in a distributed denial of service attack without needing to be a computer expert. It does little more than repeatedly send requests to the target web server. A single cannon doesn’t have enough firepower to harm the target, but LOIC users effectively become willing partners in a botnet that can be controlled and directed from an activist command server.

There is some controversy over the potential danger to the user in using LOIC. Anti-virus products can detect it, leading some users to believe that the whole concept is a ploy by hackers to use the download to infect their computers. This is unlikely. LOIC is open-source, which would make it effectively impossible to infect without someone noticing. It is LOIC that is detected, not a separate infection within it. “Trend Micro started detecting it in 2010,” Rik Ferguson, director of security research told Infosecurity. “But since it is manually installed, used voluntarily and very transparent about what it does, it is not strictly malware. We detect it as a ‘hacker tool’.” Sophos has detected LOIC as a ‘potentially unwanted application’ since 2008.

Luis Corrons, technical director at PandaLabs, takes a similar view. “LOIC is not a malicious file per se,” he told Infosecurity, “it is a tool which can be used for malicious purposes. Therefore, it can be detected or not, depending on each vendor. If detected, it should be detected as a hacking tool, as in some environments the user may want the option to work with it – otherwise it could be considered a false positive.” Running a scan in VirusTotal, he adds, shows that 26 out of 42 scanners detect it, and most of them as a hacking tool.

The main danger to the user, of course, is potential detection and subsequent prosecution by the authorities. If cloud-based anti-virus finds malware, and has the facility to report back to the vendor, the question then is whether the vendors have a duty to report that to the authorities. “When it comes to disclosure,” said Ferguson, “most vendors will only give up data to law enforcement regarding their own customers on receipt of the required legal documentation to force them to do so, and that definitely includes Trend.” Corrons agrees, “no vendor will report it to authorities. Furthermore, we cannot know if the user was using it to perform an attack, and in our case, even though our cloud system communicates with the client system, we cannot identify who that user is. We create a unique identifier for each computer, and we cannot trace back a computer based on that unique id. We cannot store nor trace IP addresses either.”

“No, I don't think we have any responsibility to report the existence of LOIC that we detect on customers' systems to the authorities,” Sophos senior technology consultant Graham Cluley told Infosecurity. “We tell the customers what we find, and in some cases they're quite happy with it.” Since LOIC “can legitimately be used as a network stress tool,” adds Ferguson, “an automatic assumption of guilt would be very wrong.”

The one potentially dissenting voice came from Kaspersky. “LOIC is normally used in denial of service attacks,” security researcher Ram Herkanaidu told Infosecurity. “They are mostly targeted attacks against web servers and as such will normally get under the radar of traditional and cloud-based detection systems. Like other security companies, Kaspersky operates ethically and engages with other vendors and law enforcement to help bring down networks that facilitate these types of attacks, like, for example, the recent Hlux/Kelihos botnet.” The implication is that Kaspersky would consider a LOIC-led DDoS attack as just another botnet, and act accordingly.

The general consensus, however, is that law enforcement will not automatically get support from the anti-virus industry. It therefore needs either to prove that a particular computer was engaged in a DDoS attack, or to catch it in the act. The former can be difficult, since an effective DDoS will prevent the target from creating the logs that could provide the proof; in the latter case, the user would likely just deny all knowledge and claim that his computer had been infected with LOIC without his knowledge.
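Where the target’s web server does keep writing its access log, the evidence that a particular source took part in a request flood is a per-source request rate that is far above anything a human visitor produces. The following script is an added example for the defender’s side, not code from the article or from any vendor quoted in it: it parses Apache/nginx combined-format log lines and flags any source whose request count inside a sliding window exceeds a threshold. The log lines are constructed here (documentation-range IP addresses, a fixed 2012 timestamp), and the script assumes lines arrive in chronological order, as they do in a normal access log.

```python
"""Rate-based request-flood detection over web-server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed combined-format line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_flooders(lines, window_seconds=10, threshold=50):
    """Return {ip: peak requests seen inside one window} for every source over the threshold.

    Assumes lines are in chronological order. Each source keeps a deque of its recent
    timestamps; entries older than the window are evicted before the count is checked.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed or truncated lines rather than crash
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def make_sample_log():
    """Constructed sample: 192.0.2.10 sends 60 requests in ~6 s; 198.51.100.7 sends 5 over 40 s."""
    base = datetime(2012, 4, 22, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f'192.0.2.10 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')
    for i in range(5):
        t = base + timedelta(seconds=10 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET /about HTTP/1.1" 200 1024')
    # interleave the two sources by timestamp so the input is chronological
    return sorted(lines, key=lambda l: parse_line(l)["ts"])


if __name__ == "__main__":
    for ip, peak in find_flooders(make_sample_log()).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

The threshold and window are deliberately crude; in practice they would be tuned per site, and a source that is flagged this way is a lead for the operator, not proof of intent, which is exactly the gap the vendors quoted above point to.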
