Lately we have seen a new version of the Torshammer DDoS tool, created by An0nsec hackers. The An0nsec hacker group was established in 2012. The group members have links to the infamous hacker group AnonGhost, which initiated several cyber operations last year, such as OpUSA, OpPetrol, and OpIsrael. They usually leak details from databases of companies and countries around the world, such as China, Canada and Russia. They also deface websites.
Torshammer is a well-known Python-based DDoS script meant for slow POST denial-of-service attacks. Originally developed by Packet Storm Security in 2011, it has made the rounds and has been used by Anonymous, Lulzsec and other hacktivist groups. As is evident from the name of the tool, it allows the use of Tor proxies in order to mask the attacker’s IP addresses.
The version that we have found (dubbed torshammer666) is tweaked in several places, adding the following functionality to the tool:
Ability to send GET Requests
Up until now the Torshammer tool had support for POST requests; now the ability to send GET requests has been incorporated. The GET requests are structured as follows:
The POST request has also changed: the Cache-Control and Accept-Charset HTTP headers have been added to it.
Additional User Agent strings
Torshammer666 now supports three more UA strings:
Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0
Below is a comparison table between the two tools:
User Agent Strings – Torshammer | User Agent Strings – Torshammer666 |
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) |
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) |
Googlebot/2.1 (http://www.googlebot.com/bot.html) | Googlebot/2.1 (http://www.googlebot.com/bot.html) |
Opera/9.20 (Windows NT 6.0; U; en) | Opera/9.20 (Windows NT 6.0; U; en) |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2) | Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2) |
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322) | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322) |
Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0 | Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0 |
Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16 | Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16 |
Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) | Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) |
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13 | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13 |
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0) | Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0) |
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727) | Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727) |
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) | Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) |
Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98) | Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98) |
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) | Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) |
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8 | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8 |
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7 | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7 |
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/) | YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/) |
(none) | Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51 |
(none) | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 |
(none) | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0 |
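A detection example, added here and not taken from the tool or the original post: it combines the three new User-Agent strings with the slow-POST behaviour described above to triage web-server log lines. The log layout, the two thresholds and the sample records are assumptions constructed for illustration.

```python
import re

# The three User-Agent strings listed above as new in Torshammer666, copied
# as printed on this page (the third has no closing parenthesis there).
NEW_UAS = (
    "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 "
    "(KHTML, like Gecko) Chrome/4.0.219.6",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0",
)

# Assumed (hypothetical) log layout:
#   ip "request line" status bytes_received seconds_open "user agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'(?P<length>\d+) (?P<secs>\d+(?:\.\d+)?) "(?P<ua>.*)"$'
)
MIN_SECONDS = 30.0      # assumed threshold: request held open at least this long
MAX_BYTES_PER_SEC = 50  # assumed threshold: upload rate this low counts as slow

def classify(line):
    """Return (ip, verdict): 'ok', 'slow', 'ua' or 'slow+ua'; None if unparsable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    secs = float(m["secs"])
    rate = int(m["length"]) / secs if secs > 0 else float("inf")
    slow = m["method"] == "POST" and secs >= MIN_SECONDS and rate <= MAX_BYTES_PER_SEC
    tags = [t for t, hit in (("slow", slow), ("ua", m["ua"] in NEW_UAS)) if hit]
    return m["ip"], "+".join(tags) or "ok"

def summarize(lines):
    """Count verdicts by behaviour, not client IP: Tor proxying hides the source."""
    counts = {}
    for _, verdict in filter(None, map(classify, lines)):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample records (documentation IP ranges, made-up paths and clients).
SAMPLE = [
    '192.0.2.10 "POST /login HTTP/1.1" 408 312 120.004 "%s"' % NEW_UAS[0],
    '198.51.100.7 "POST /login HTTP/1.1" 200 540 0.212 "%s"' % NEW_UAS[1],
    '203.0.113.5 "POST /upload HTTP/1.1" 408 900 95.500 "ExampleClient/1.0"',
    '192.0.2.44 "GET / HTTP/1.1" 200 420 0.031 "ExampleClient/1.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A User-Agent match alone is weak evidence, since these are ordinary (if dated) browser strings; the `slow+ua` combination is the one worth alerting on, while `slow` alone still catches variants that change their User-Agent list.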