Cyberwarfare Magazine

Warfare in the Information Age

Posts Tagged ‘Attack

The Palestine-Israeli Conflict on the Web

with 14 comments

As any conflict that happened in the 21st century, there is usually a parallel conflict raging online as well. Either commanded by individuals or groups, which can be helped or not by either government agencies or other interest groups, acts of cyberwarfare are getting more and more common. The conflict in the Gaza strip offers a new opportunity to explore this kind of activity. This time, reports of websites defacement are numerous and ongoing, some reporting that malware is spreaded from hacked websites and even an Israeli botnet is starting to grow in order to attack Hamas supporters servers.

Reports are now growing over hundreds of websites defacements of Western websites by Palestinians supporters1. Various Palestinian groups and supporters have been vandalizing Israeli and other western nation commercial websites by putting propaganda and redirecting to jihadist forums and/or uploading malware on the hacked web servers. Hackers mentioned in the article are Team Evil, DNS Team, Tw!$3r, KaSPeRs HaCKeR CreW, PaLiSeNiaN HaCK, MoRoCcAn HaCkErZ.

Palestinian Propaghanda insert into Defaced Websites

Palestinian Propaganda insert into Defaced Websites

Recently, sites from the U.S Army and NATO have also been targeted by the vandals2. Archived versions of the hacked NATO webpage can be found here and here for the hacked version of the U.S Army website. For now, only defacements have been reported and no real attack has occured. Web defacement is a very easy attack to do on web servers with weak passwords. Most of the time, the attackers are script kiddies using software such as AccessDiver with a list of proxies and wordlists to conduct dictionaries attacks on servers. Using AccessDiver is fairly simple and many tutorials can be found on YouTube. Other ways include of course exploits and SQL injections attacks. Surprisingly, no DDoS attacks have been reported yet, but a group of Israeli students launch the “Help Israel Win” initiative3. At the time of writing, the website was online available through Google’s cache. Anoher website (http://help-israel-win.tk/) has been suspended. The goal was to develop a voluntary botnet dubbed “Patriot” to attack Hamas-related websites:

We have launched a new project that unites the computer capabilities of many computers around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel4.

The website offered a small executable to download. This bot would receive commands as a normal criminal bot would. Hamas-friendly sites like qudsnews.net and palestine-info.info were targeted by the IRC botnet. Still according to the article, the botnet has come under attack by unknown assaillants5. No definitive number is given as to how many machines the botnet is controlling, it might range from anything from 1000 to 8000 machines6. Very few detail is given on how the bot actually works.

There was a very similar attempt to create a “conscript” botnet known as the e-Jihad botnet that failed to realized its objective last year, as the tool was unsophisticated and rather crude7. The e-Jihad tool had the same objective as the Patriot botnet, which was to launch DDoS attacks against various targets.

e-Jihad 3.0 Screen

e-Jihad 3.0 Screen

Nevertheless, this kind of parallel attack is due to become a popular civilian option to attack servers. The only thing needed is to create a solid botnet, by using some of the most sophisticated criminal botnets and transform them into voluntary “cyber-armies”. There is one problem thought…how can we make sure it’s legitimate ? Making such programs open source ? But then you reveal your command and control servers and information that could make the enemy hijack our own botnet. It then all comes down to a question of trust…and of course, a clear and easy way to remove the bot anytime.

See also :

“Army Mil and NATO Paliarment hacked by Turks”, Roberto Preatoni,  Zone-H, http://www.zone-h.org/content/view/15003/30/ (accessed on January 10, 2009)



1“Battle for Gaza Fought on the Web, Too”, Jart Armin, Internet Evolution, January 5, 2009, http://www.internetevolution.com/author.asp?section_id=717&doc_id=169872& (accessed on January 10, 2009)

2“Pro-Palestine vandals deface Army, NATO sites”, Dan Goodin, The Register, January 10, 2009, http://www.theregister.co.uk/2009/01/10/army_nato_sites_defaced/ (accessed on January 10, 2009)

3“Wage Cyberwar Against Hamas, Surrender Your PC”, Noah Shachtman, Danger Room, Wired, January 8, 2009, http://blog.wired.com/defense/2009/01/israel-dns-hack.html, (accessed on January 10, 2009)

4Copied from Google’s cache of help-israel-win.org

5Ibid.

6Hacktivist tool targets Hamas”, John Leyden, The Register, January 9, 2008, http://www.theregister.co.uk/2009/01/09/gaza_conflict_patriot_cyberwars/ (accessed on January 10, 2009)

7“E-Jihad vs. Storm”, Peter Coogan, Symantec, September 11, 2007, https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/170#M170 (accessed on January 10, 2009)

Advertisements

Fun at the Library – Part 1

with one comment

Since this is a slow news day, and I have an essay to handout tonight, I’ll just related one of my experiment I started yesterday. As I have more time, I will push further into the system.

While waiting for a friend, I decided to stop by the library to pass time. As I was there, I was immediately attracted to the nearest computer, the one away from the cameras. Some of the computers are accessible to anyone without need for user codes and passwords. These computers are there only for book searches. About everything is disabled on those computers. The only thing people have access to is an Internet Explorer 6 window giving access to the library’s website only. The window only has the Edition, Favorites and Help (“?”) menus. No address bar but the history can be accessed. There are no taskbar, Ctrl-Alt-Del and Alt-Tab are disabled, no desktop, and the Windows key doesn’t do anything. Trying to navigate to another website by following links won’t resolve. I didn’t had my warkey with me so I couldn’t test if the USB drives were working.

For certain people, i.e. the administrators of the network amongst others, this should be sufficient to prevent people from surfing porn sites and fore bringing the apocalypse on their network. Of course, it is not. First, let’s find a way to access something else. This can be easily done by using a dark and unexplored menu available in every program called the “Help” menu: Help > Index and Summary. This will open the HTML Help window. From there: Options > Internet Options.

Internet Options Accessible from the Help Menu

Internet Options Accessible from the Help Menu

Well that was simple enough right? But it’s not quite what I want. Most of the options are disabled. I can’t use the Temporary Internet Files > Parameters > Show Files/Objects to open an Explorer window. Those are disabled as well:

  • General > Accessibility > Format Documents with my Stylesheet > Browse
  • Confidentiality > Import
  • Contents > Personal Information > Profile > OK > Numerical Identificators > Import

But those are all enabled:

  • Contents > Access Manager > Activate > General > Rating Systems > Add
  • Contents > Access Manager > Activate > Advance > Import
  • Contents > Certificates > Certificates > Import > Next > Browse
  • Contents > Certificates > Editors > Import > Next > Browse

Those options all open an Open File dialog box, from which of course, I can access about everything. First action is to open a command prompt by going to C:\Windows\system\system32 and executing the command prompt program. Up to here, it works. Now we can start to spot vulnerabilities….if needed.

Damn…no time left. Next time I need to get some info about the system. I should remember to:

1) See what is the default account the administrator uses for the users:

C:>echo %userdomain%\%username%

2) : Get the version of Windows XP they are using:

C:>winver

3) While at it, let’s note the version of Explorer they are using and some information about the network…

C:>netstat

I should bring my warkey also, that would make things much easier…

Sorry for the lack of depth for tonight, I know this isn’t much, hopefully this will end up in a fully example of a simple attack against a network.

Written by Jonathan Racicot

December 15, 2008 at 5:10 pm