Endgame Report

"LOIC was originally developed by a private cyber security firm as a tool for stress
testing websites. This firm uploaded the source code to SourceForge and abandoned it
there for a number of years. Written in C#, it was later updated by a third party to
include a hivemind mode, which essentially takes advantage of an IRC channel
controlled by the organizers to execute a mass DDoS attack. It is this IRC channel
that represents the most potential for exploitation. The joined LOIC clients only
receive commands from operators, administrators, or owners of the joined IRC channel.

Exploitation of the IRC channel to allow privileged access would enable the user to
stop, redirect, or otherwise manipulate the attack. However, it is unlikely that
attacks on individual LOIC participants would be effective: while their IP addresses
could conceivably be collected upon their joining the IRC channel, it would be
difficult to gather this information from passively existing in the channel. This
is because the constructor for the client hard-sets relevant information that other
clients display to null values (Appendix B: Code Sample). As a result, other methods,
such as control over the server or DNS request analysis, must be used to monitor
connections. Connections can be detected post-attack via logs of the victim.
Additionally, particularly savvy users could selectively use various proxy systems
to obfuscate their connections to the command and control server, while still
performing actual attacks from unmodified Internet connections.

Because the LOIC client is open source, there is the potential that attack-specific
clients could be created trivially, although there is no evidence that this has
happened. Additionally, the open-source nature of the client works to prevent
tampering of the source code by outside parties. Attempts to backdoor the client
have been quickly uncovered*. However, work could be done to monitor less anonymous IRC
channels during non-attack times. Larger networks exist, and the participants may not
necessarily try to hide. Additionally, these backdoor fears may lead to abandonment
of the LOIC software; however, as of January 2011, many potential participants are
still referred to the SourceForge links to download."
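
The excerpt notes that participant connections can be detected post-attack via the victim's logs. The following Python is an added example, not taken from the report or from the LOIC source: it reads web server access lines and reports each source address whose peak request count inside a sliding window reaches a threshold. The Common Log Format layout, the window and threshold values, and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Source address and timestamp fields of a Common Log Format line (assumed layout).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')


def constructed_sample():
    """Constructed log lines: one flooding source, one ordinary source, one bad line."""
    base = '{ip} - - [10/Jan/2011:12:00:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [base.format(ip="198.51.100.7", s=s) for s in range(8)]     # 8 requests in 8 s
    lines += [base.format(ip="203.0.113.9", s=s) for s in (0, 20, 40)]  # 3 requests in 40 s
    lines.append("truncated or corrupt line")                           # must be skipped
    return lines


def parse(lines):
    """Yield (timestamp, source_ip) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield ts, m.group(1)


def flood_sources(lines, window_s=10, threshold=5):
    """Return {ip: peak requests in any window_s-second window} where peak >= threshold."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip in sorted(parse(lines)):   # logs may be merged out of order
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:        # drop requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flood_sources(constructed_sample()).items():
        print(f"{ip} peaked at {n} requests per 10 s window")
```
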