[ISN] Fluffy Bunny No Longer Energized

From: InfoSec News (isnat_private)
Date: Tue Jul 30 2002 - 00:31:17 PDT

    By Brian McWilliams
    July 29, 2002

    At the height of its game last year, a loose-knit hacking group
    calling itself Fluffy Bunny appeared able to break into websites at

    For a six-month period starting in mid-2001, Fluffy Bunny penetrated
    the networks of several top Internet firms, including Exodus, VA
    Software and Akamai. In an effort to expose what it saw as frauds and
    poseurs, the cracking group also vandalized websites operated by
    leading computer security outfits, including the SANS Institute.

    Fluffy Bunny's unique brand of security mischief -- along with its
    pink toy-rabbit mascot -- created Fluffy admirers even among computer
    system administrators and security professionals.

    But Fluffy Bunny dropped the ball on its most outrageous plan -- an
    operation that members referred to as "The day the Internet stood

    Using their undetected toehold in Akamai's network, last year some of
    the group's members contemplated a massive, distributed
    denial-of-service (DDoS) attack on the Internet's 13 domain-name root
    servers, according to a source close to Fluffy Bunny.

    The attack would have marshaled the global network of 12,000
    high-bandwidth systems operated by Akamai. These systems are designed
    to speed up Web surfers' access to content at high-traffic sites,
    including Yahoo, MSNBC, Microsoft and Whitehouse.gov.

    If successful, such a bludgeoning of the Internet's nerve center could
    have paralyzed the Net far beyond the brief, localized outages
    experienced by big sites during the historic DDoS attacks of early
    2000, according to experts.

    To commandeer the attack, hinted at in the text of one of the group's
    defacements, Fluffy Bunny would rely heavily on a set of proprietary
    files members stole from an internal Akamai server in April 2001.

    Copies of the archived files -- which included around 100 MB of Akamai
    source code, private encryption keys, and internal company
    documentation -- were provided to Wired News last week by the
    anonymous source.

    According to Akamai, the purloined files currently pose no threat to
    the company's content delivery network or to customers. Spokesman Jeff
    Young said this week that Akamai took "appropriate action" when it
    learned of the intrusion on its network last year.

    "While no systems are completely invulnerable, we do not believe the
    information alone could enable attackers to devise programs to exploit
    our network," said Young, who declined to detail the steps Akamai took
    to mitigate the risk created by the file theft.

    Contained in the stolen Akamai archives are two chapters of a document
    titled "Akamai Secure Communications Infrastructure" that is labeled
    internal-use only. Also included are programs for deploying software
    over the network to Akamai's servers.

    The archives additionally contain a collection of public and private
    encryption keys, which may have been used as part of a scheme for
    authenticating Akamai customers when site content is updated. Also
    included is source code to what are apparently programs for
    communicating with Akamai routers. Binary copies of the proprietary
    build of Linux operating system software used on Akamai's servers are
    also part of the package.

    Although the files do not appear to be in wide circulation, Akamai
    requested that Wired News not publish the file names of the stolen

    Aside from offering a potent army of potential DDoS attack agents,
    Akamai's network also presents a tantalizing target for website
    defacers, according to a senior security analyst for a major
    consulting firm.

    "The idea of attacking Akamai has been floating around in various
    hacker circles -- black, gray and white -- for over a year. How else
    could you get a controversial message to a ton of people very quickly
    and all at the same time?" said the analyst, who asked not to be

    But even with knowledge of the inner workings of Akamai's security
    infrastructure, attackers would be unable to easily seize control of
    its network, according to Steve Gibson, a software developer who
    operates the security information site Grc.com.

    "If all of the Akamai servers were turned into attack agents, that
    obviously would be really bad, but I don't think Fluffy got the keys
    to the kingdom," Gibson said.

    The complexity of Akamai's infrastructure, as well as its strong
    authentication technology, would likely frustrate the hackers despite
    their possession of key internal documents and programs, according to

    "That's probably why Fluffy never used it. 'The day the Internet stood
    still,' never happened, and it's been over a year that they've had
    this information," Gibson said.

    Indeed, Fluffy Bunny has been stymied in the past. Unable to hack
    directly through the defenses of SecurityFocus.com, in November 2001
    the group instead compromised a small, online advertising company, so
    that banner ads with its trademark pink bunny rotated onto the
    SecurityFocus site for several hours before being detected.

    But it may ultimately have been law enforcement -- not insurmountable
    technical obstacles -- that reined in Fluffy Bunny's hacking hubris.

    Two key Fluffy members, a European and an American, were arrested last
    year according to sources familiar with the investigation.

    The defacement archive at Alldas.org shows no website attacks
    attributed to Fluffy Bunny since early this year.

    The FBI and federal prosecutors would not provide specifics on their
    pursuit of the group, citing the ongoing nature of the investigation.

    Its brief tenure in the limelight as the Internet's savviest hacking
    crew seemingly over, Fluffy Bunny appears to have gone underground for