AnonGhost VS Uncle Sam (#OpUSA – May 7, 2015)

Hacking group AnonGhost has published an official video on #OpUSA, its upcoming cyber campaign against the United States. The video, addressed to the U.S. government, does not mention the date of the campaign or the list of targets, but based on the group’s 2013 #OpUSA campaign, it appears that it is set to take place on May 7. The official video’s YouTube page mentions prominent AnonGhost members Mauritania Attacker, An0nx0xtn, DarkCoder, Donnazmi, and Hussein Haxor, all of whom promote the group’s agenda in social networks.

AnonGhost post about #OpUSA
AnonGhost post about #OpUSA

On May 7, 2013, AnonGhost, along with other groups such as the Tunisian Hackers, threatened to hack American government and financial websites. While they were highly motivated, they failed to achieve much other than to deface several websites and leak emails and personal information. A possible reason for their limited success is that several days before the campaign, hackers speculated on social media that #OpUSA was actually a trap set by the federal government in order to expose and arrest the participants.

Partial list of #OpUSA targets in 2013
Partial list of #OpUSA targets in 2013

One of the groups that participated in 2013, N4m3le55 Cr3w, published a long list of recommended DDoS tools at that time, most of which are common hacking tools that are likely to be used in the current campaign as well.

  • HOIC
  • LOIC
  • Slowloris
  • ByteDos
  • TorsHammer, a Python-based DDoS tool created by the group called An0nSec.
  • SYN Flood DOS, a DDoS tool that operates with NMAP and conducts a SYN Flood attack.

Torshammer666 – A New Variant of a DDoS Python Based Tool

Lately we have seen a new version of the Torshmmaer DDoS tool, created by An0nsec hackers. An0nsec hacker group was established at 2012. The group members have links to the infamous hacker group AnonGhost that initiated several cyber operations last year, such as OpUSA, OpPetrol, and OpIsrael. They usually leak details from databases of companies and countries around the world, such as China, Canada and Russia. They also deface websites.

Torshammer is a well-known Python based DDoS script, which is meant for slow POST Denial-of-Service attacks. Originally developed by Packet Storm Security in 2011, it has made the rounds and has been in use by Anonymous, Lulzsec and other Hacktivist groups. As is evident in the name of the tool, it allows the usage of Tor proxies in order to masquerade the attacker’s IP addresses.

The version that we have found (dubbed torshammer666) is tweaked in several places, adding the following functionality to the tool:

Ability to send GET Requests

Up until now the Torshammer tool had support for POST requests, now the ability to send GET requests is incorporated. The GET requests are structured as follows:

GET

The POST request has also changed and the Cache-Control and Accept-Charset HTTP headers have been added to it.

POST

Additional User Agent strings

Torshammer666 now supports three more UA strings:

Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0

Below is a comparison table between the two tools:

User Agent Strings – Torshammer User Agent Strings – Torshammer666
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)Googlebot/2.1 (http://www.googlebot.com/bot.html)Opera/9.20 (Windows NT 6.0; U; en)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)

Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0

Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16

Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)

Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)Googlebot/2.1 (http://www.googlebot.com/bot.html)Opera/9.20 (Windows NT 6.0; U; en)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)

Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0

Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16

Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)

Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html),

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)

Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0