Previously, Low Orbit Ion Canon (LOIC) was the go to weapon for Anonymous supporters during protests against dictators in North Africa, and Operation: Payback. However, LOIC is also the reason scores of people have been arrested in the last year, so many feel its time is at an end.
In the end, the server succumbs to resource exhaustion due to #RefRef’s usage. An attack vector that has existed for some time, resource exhaustion is often skipped over by attackers who favor the brute force of a DDoS attack sourced from bots or tools such as LOIC.
“Imagine giving a large beast a simple carrot, [and then] watching the best choke itself to death,” explained the Anon promoting the tool.
Based on the screenshots presented of the tool, as well as passive comments by its promoter, we asked how it was different from a script that automates a person simply pressing F5 continuously.
As it turns out, the attack is launched client side, and will send a separate script in the connection request made to the target server. This request is actually the exploit itself, and once the server renders the code, it will continue to render it until crashing. In essence, the stronger the server, the faster it crashes.
Asked if the vulnerability being exploited could be patched, the Anon responded that it could, but added that administrators would have to “mass-patch” a file that actually affects many services.
So patching is unlikely to stop it because, “most SQL servers are pulling from a master SQL host” and the tool itself targets “one of the most common SQL services, but also one of the most widespread,” the Anon added, but would not get into further details.
Most of those calling for the replacement of LOIC do so because of how it cannot hide the person launching an attack, much to the amusement of federal law enforcement. However, #RefRef still relies on a person attempting to hide themselves before using it. So while there is a stronger impact for a given attack, it isn’t really hiding anyone.
Given that the tool leverages exploits to work, it is likely that its code will be reversed, and patches made available to the various SQL platforms. However, patches will need to be applied if the issues targeted by this new tool are to be properly addressed.
"This tool only makes you vulnerable if you don't keep your systems patched, perform the basic security, which is how Sony got caught with it's pants down. It axed huge swathes of it's IT security a little while before it got pwned," another Anon on IRC said, when asked his opinions on the tool.
“Basically, [Sony] decided that basic maintenance wasn't good ROI…It's companies like Sony - making idiotic decisions like that - which will be vulnerable to this tool. Proper companies staying on top of things won't be vulnerable after the fifth or sixth attack, at which point patches will be out.”
We’ll keep an eye on news related to this new tool and report information as we get it.