Torshammer666 – A New Variant of a DDoS Python Based Tool

Lately we have seen a new version of the Torshammer DDoS tool, created by An0nsec hackers. The An0nsec hacker group was established in 2012. The group members have links to the infamous hacker group AnonGhost, which initiated several cyber operations last year, such as OpUSA, OpPetrol, and OpIsrael. They usually leak details from databases of companies and countries around the world, such as China, Canada and Russia. They also deface websites.

Torshammer is a well-known Python-based DDoS script meant for slow POST denial-of-service attacks. Originally developed by Packet Storm Security in 2011, it has made the rounds and has been used by Anonymous, Lulzsec and other hacktivist groups. As the name of the tool suggests, it allows the use of Tor proxies to mask the attacker’s IP address.

The version that we have found (dubbed torshammer666) is tweaked in several places, adding the following functionality to the tool:

Ability to send GET Requests

Until now, the Torshammer tool supported POST requests; the ability to send GET requests has now been incorporated. The GET requests are structured as follows:

[Figure: GET request]

The POST request has also changed: the Cache-Control and Accept-Charset HTTP headers have been added to it.

[Figure: POST request]

Additional User Agent strings

Torshammer666 now supports three more UA strings:

Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0
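The three strings above can serve as a log-triage signal. The following is an added example, not code from the tool or from the original article: it scans access logs for clients that sent one of the torshammer666-only User-Agent strings and notes whether the same client presented more than one User-Agent. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# User-Agent strings the article lists as new in torshammer666, copied
# verbatim (the last one has no closing parenthesis as printed there).
NEW_UAS = frozenset({
    "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 "
    "(KHTML, like Gecko) Chrome/4.0.219.6",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0",
})

# Assumed input: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) \S+ [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def triage(lines, min_distinct=2):
    """Hypothetical helper: summarise clients that sent a torshammer666-only UA."""
    seen = defaultdict(lambda: {"uas": set(), "methods": set(), "hits": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        rec = seen[m["ip"]]
        rec["uas"].add(m["ua"])
        rec["methods"].add(m["method"])
        rec["hits"] += m["ua"] in NEW_UAS
    # A browser keeps one UA; several from one client suggests rotation.
    return {ip: {"hits": r["hits"], "methods": sorted(r["methods"]),
                 "rotating": len(r["uas"]) >= min_distinct}
            for ip, r in seen.items() if r["hits"]}

def _line(ip, method, ua):
    # Builds one constructed combined-format log line.
    return f'{ip} - - [01/Jan/2014:00:00:00 +0000] "{method} / HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample traffic (documentation IP ranges), not real logs.
SAMPLE = [
    _line("192.0.2.10", "POST", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0"),
    _line("192.0.2.10", "GET", "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51"),
    _line("192.0.2.10", "POST", "Googlebot/2.1 (http://www.googlebot.com/bot.html)"),
    _line("198.51.100.7", "GET", "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"),
    _line("203.0.113.5", "GET", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6"),
]

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, info)
```

A match is a lead to correlate with connection duration and request rate, not proof on its own.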

Below is a comparison table between the two tools:

User Agent Strings – Torshammer

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Googlebot/2.1 (http://www.googlebot.com/bot.html)

Opera/9.20 (Windows NT 6.0; U; en)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)

Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0

Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16

Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)

Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)

User Agent Strings – Torshammer666

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Googlebot/2.1 (http://www.googlebot.com/bot.html)

Opera/9.20 (Windows NT 6.0; U; en)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)

Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0

Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16

Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)

Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)

Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0

