
Install a trojan for Israel? Uh, no thanks.

During the conflict between Russia and Georgia this past summer, my friend Evgeny Morozov decided to study the dynamics of “cyberwar” by becoming a partisan. He lurked on Russian-language bulletin boards and followed instructions to download software that would allow him to participate in distributed denial of service attacks against Georgian websites. Some were simple webpages with a few lines of JavaScript designed, essentially, to press the reload button over and over. Others were slightly more sophisticated, written as .BAT files, but essentially using the same methodology. (Morozov, to be clear, isn’t especially sympathetic to the Russian cause, and it’s unlikely that his brief stint as cyberpartisan did any significant damage.)

It’s becoming increasingly common for real-world conflict to include a digital dimension, typically attacks designed to disable websites that promote the other side’s cause. In an article last summer, I questioned whether this form of activity really deserved to be called “cyberwar”, as it’s not an attack on their forces or infrastructures and is more analogous to graffiti than grenades. I got a lot of feedback on that story, including observations from some in the security community that there appeared to be two levels of hacking going on: the “kid’s stuff” that Morozov documented and larger attacks that some felt bore the fingerprints of commercial hacking groups like the Russian Business Network.

Against this backdrop, it’s not surprising to see hackers working in support of Israel and Palestine during the current Gaza conflict. Zone-H.org, a site that tracks website defacement and other forms of hacking, offers some interesting screenshots of US military sites defaced by Turkish hackers in support of Gazans. But what’s got cyberwar geeks buzzing is the “help-israel-win” project put together by a group of Israeli students and hackers.

The group’s website – which is moving around as pro-Palestinian hackers flood it with DDOS attacks – invites partisans to download an .exe file, install it on their computers and start it from a link on their desktop. The website – with instructions available in Hebrew, English, French, Spanish, Portuguese and Russian – doesn’t make it very clear what the tool does: “We created a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel. The more support we get, the efficient we are!” In response to apparent user concerns, it includes the reassurances, “The file is harmless to your computer and could be immediately removed. There is no need for identification of any kind – anonymity guaranteed!”

Bojan Zdrnja of the Internet Storm Center has been analyzing the program and offers some good technical reasons (aside from whatever political reasons you might or might not have) not to install the software. The code is obfuscated to make it harder to analyze, but he was able to determine that the program connects to one of thirteen IRC servers, where it waits for instructions for a target to attack. This is the working method used by botnets, collections of computers compromised by trojan horse software so that the botnet controller can unleash massive denial of service attacks. These attacks are usually a form of extortion – this excellent piece by Evan Ratliff helps explain some of the economics behind the attacks and the measures some are taking to fend them off.

It appears that the “help-israel-win” folks are asking partisans to voluntarily join a botnet, which could be pointed at pro-Palestinian websites. In his analysis of the software, Zdrnja saw no evidence that the botnet was actually attacking anything – his client connected to an IRC room and waited for instructions, indefinitely. He worries, though, that the client has the ability to update itself and might currently be in a dormant state. If that’s the case, it’s easy to imagine an update that makes the software uninstallable, allowing the machine to be used as part of a botnet aimed at an arbitrary target.
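The behaviour Zdrnja observed, a client that joins an IRC channel and then only waits, is visible from the network side. The following is an added example, not part of the original post or of the ISC analysis: it flags hosts whose IRC session is a JOIN followed by nothing but keepalive replies for at least an hour. The log format, addresses, nicknames, channel names and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sensor output: "<epoch> <client-ip> <dir> <raw IRC line>"
# dir is ">" for client-to-server, "<" for server-to-client.
SAMPLE_LOG = """\
1000 10.0.0.21 > NICK u83412
1001 10.0.0.21 > USER u83412 0 * :u83412
1003 10.0.0.21 > JOIN #placeholder-channel
1120 10.0.0.21 < PING :srv
1120 10.0.0.21 > PONG :srv
5000 10.0.0.21 < PING :srv
5000 10.0.0.21 > PONG :srv
9000 10.0.0.21 < PING :srv
9000 10.0.0.21 > PONG :srv
1000 10.0.0.35 > NICK alice
1001 10.0.0.35 > USER alice 0 * :Alice
1002 10.0.0.35 > JOIN #help
1050 10.0.0.35 > PRIVMSG #help :anyone around?
8000 10.0.0.35 > PONG :srv
9100 10.0.0.35 > PRIVMSG #help :thanks
garbage line that the parser must skip
"""

KEEPALIVE = {"PING", "PONG"}

def idle_irc_clients(log, min_idle_s=3600):
    """Return [(host, seconds)] for clients that joined a channel and then
    sent only keepalives for at least min_idle_s seconds."""
    sessions = defaultdict(list)
    for raw in log.splitlines():
        parts = raw.split(None, 3)
        if len(parts) != 4 or parts[2] not in (">", "<") or not parts[0].isdigit():
            continue  # malformed or unrelated line
        ts, host, direction, line = parts
        if direction == ">":  # only what the client itself sends matters here
            sessions[host].append((int(ts), line.split()[0].upper()))
    flagged = []
    for host, events in sessions.items():
        events.sort()
        join = next((i for i, (_, cmd) in enumerate(events) if cmd == "JOIN"), None)
        if join is None or join == len(events) - 1:
            continue  # never joined, or nothing observed after the JOIN
        after = events[join + 1:]
        span = after[-1][0] - events[join][0]
        # A person talks (PRIVMSG, PART, QUIT...); a waiting bot only answers PING.
        if span >= min_idle_s and all(cmd in KEEPALIVE for _, cmd in after):
            flagged.append((host, span))
    return sorted(flagged)
```

A hit is a lead for triage rather than proof of infection, since legitimate idle IRC clients and bouncers produce the same pattern.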

In the grand scheme of things, this isn’t a huge technical development. By some estimates 1/4 of all Windows PCs are part of one or more botnets, and this new botnet would be quite modest in comparison to the commercial botnets discovered by police and system administrators. What’s interesting is the way in which citizen propaganda and hacking are coming together.

Pro-Israel netizens already have robust tools to allow them to support Israel’s political communication strategy. Give Israel Your United Support offers a downloadable tool that identifies online stories, surveys and other places where pro-Israel comments and votes can be left online. The tool urges partisans to respond to each of these stories – as anyone who’s run a media organization that reports on Israel and Palestine knows, stories on the conflict routinely generate 5-50x the traffic of other stories, in part due to efforts like GIYUS.

I suspect it’s a small step, conceptually, from downloading a tool that prompts you to post comments to one that controls your computer as part of a DDOS attack. There are, of course, a couple of critical differences. Join “help-israel-win” and you’re breaking the law in most jurisdictions. And you’re giving a group of Israeli hackers unprecedented access to your computer, including the ability to install software which would let them index your hard drive or attack random targets across the web. (Wouldn’t it be ironic if RBN or others had started a project based on nationalist sentiment designed to open back doors in computers to compromise them for commercial purposes?)

I’ll be very interested to see whether this idea takes off, either growing a robust botnet around this project or being adopted by other “cyberwarriors”. Whoever’s using these tools, this looks a lot like the dark side of Clay Shirky’s “ridiculously easy group forming”. It’s one thing to form groups to debate and counter opinion online – forming groups to shut down websites looks a lot like gang thuggery to me.

Thanks to Ron Deibert for pointing me to the Wired article on the “help-israel-win” project.