Skip the navigation

LulzSec's parting Trojan is a false positive

By Robert McMillan
June 28, 2011 04:14 AM ET

IDG News Service - The LulzSec hacking group sailed off into the sunset Saturday, leaving behind a treasure trove of stolen data along with what some antivirus programs identified as a nasty surprise for anyone who downloaded the Torrent file: a Trojan horse program.

But not so fast. On Monday several antivirus vendors took a close look at the file in question and decided that the program wasn't actually harmful. Consider it an inadvertent parting prank on the security industry the hacking grew took such delight in tormenting. More Lulz for the Lulz Boat.

Early in the day, 26 of the 42 security companies whose scanning products can be tested on the VirusTotal Web site reported that a file within LulzSec's "AT&T internal data" folder was malware, designed to give hackers remote access to the victim's computer.

But by Monday night Kaspersky Lab, McAfee and Trend Micro all reported that this was incorrect. According to Roel Schouwenberg, a researcher at Kaspersky Lab, other companies are flagging the file as a Trojan because it used pirated WinRar compression software that made the file look very similar to known malicious programs. These pirated compression programs are often used to compress malicious files and "a lot of companies are quite aggressive with these detections," he said in an interview.

In its final press release, LulzSec blamed the whole thing on AT&T, warning readers not to open the file and saying, "it is malware (due to AT&T using a pirated copy of WinRar)"

The file in question has reportedly been pulled from the LulzSec torrent, but the incident added to the chaos and confusion that the LulzSec crew seemed to love leaving in its wake.

LulzSec took particular pleasure in causing trouble for security companies, especially those it saw as aiding its enemies -- such as Prolexic, a provider of denial-of-service attack mitigation services, thought to be securing Sony's networks, and Endgame Systems, a company with links to the U.S. Central Intelligence Agency. The hackers released dox -- dossiers of information including phone numbers, addresses and online profiles of the executives at these companies and their family members.

They also hit two Infraguard websites, set up by the U.S. Federal Bureau of Investigation to encourage corporate security teams to share information with each other and the federal government.

LulzSec said it was taking aim at "the government and whitehat security terrorists across the world. With their very public hacking and data dumps, they also caused problems for security staffers at the companies they broke into. But the group blamed its victims for not patching their security flaws. "When Sony and FBI affiliates fail to protect themselves against entry-level haxing, there's a problem," LulzSec said in a June 19 Twitter message.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies