Web Site Takes Down Risky Anonymous OS
The site, a significant distribution channel, took the unusual step Thursday after security experts and hacktivist collective Anonymous, which denied involvement in the OS project, warned that the software could be riddled with viruses. More than 26,000 people reportedly downloaded the OS in less than a week.
The Anonymous OS creators, who have not identified themselves, claimed affiliation with Anonymous in releasing the software, which security vendor Trend Micro said contained tools for sniffing out database vulnerabilities and for cracking passwords, the BBC reported. In general, the OS appeared to be an inferior version of BackTrack, a Linux-based operating system that comes with security tools preinstalled.
Despite the creators' claims, SourceForge said it saw no evidence Anonymous was involved and was particularly concerned that the developers had not said what was in the OS.
"It is critical that security-related software be completely open to peer review, so that risks may be assessed along with benefits," the site said in its blog. "That is not available in this case, and the result is that people are taking a substantial risk in downloading and installing this distribution."
The lack of transparency coupled with the creators' erroneous Anonymous connection led to the decision "to take this download offline and suspend this project until we have more information that might lead us to think differently."
In removing the OS, SourceForge made it more difficult for developers to distribute the software, which had yet to present a serious threat. "Anonymous OS isn't a threat to the average guy in the street or to office workers," Graham Cluley, senior technology consultant for security vendor Sophos, said in the company's blog. "The only people who might be impacted by it are those who are foolish enough to knowingly install unknown software onto their computers."
Such carelessness snared Anonymous hacktivists last month. Members of the group were tricked into downloading a booby-trapped tool used to launch denial-of-service attacks against Web sites, vendor Symantec reported. The Slowloris tool included malware capable of stealing online banking and Web mail credentials.