March 5, 2012
Anonymous Attack Tool Infects Its Own Users With Zeus Trojan
Hackers who have downloaded a tool to help Anonymous launch distributed denial-of-service (DDoS) attacks may also have unwittingly downloaded a piece of malware that has compromised their online banking accounts, a U.S. security firm has revealed.
According to John Leyden of The Register, Symantec, the developers of Norton Antivirus software, discovered that those who have recently downloaded the Anonymous 'Slowloris' tool used "to flood websites with open connections and ultimately knock them offline" have also wound up having a strain of the Zeus Trojan installed on their computer.
This piece of malware does not prevent the intended DDoS attack from occurring, but before beginning the process, it can reportedly swipe the user's banking information, webmail login information, cookies, and more.
MSNBC.com Security Reporter Matt Liebowitz reports that the malware was added to the Slowloris tool on January 20, the same day as an FBI-led sting on the file-sharing website Megaupload. In the hours following the raid, blogs and Twitter accounts encouraged users to download one of the DDoS-initiating programs, thus allowing attacks against the FBI, the U.S. Department of Justice, and several entertainment industry groups to be launched from their own individual PCs and laptops.
In a post detailing the discovery, a Symantec Security Team member explained that the unidentified attacker altered a popular, Anonymous-affiliated PasteBin guide to include a link to a version of Slowloris that contained the Zeus Trojan. The file size of the original, unaltered version was listed at 58 KB, while the modified version -- the one containing the Trojan -- was listed at 508 KB.
When the modified file is downloaded, the Zeus or Zbot botnet client is installed, Symantec said, and afterwards "the malware dropper attempts to conceal the infection by replacing itself" with the actual tool. Thus, first the Zeus client is "actively used to record and send financial banking credentials and webmail credentials to the botnet operator," and then the genuine tool carries out the DDoS attacks against the sites originally targeted by Anonymous.
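The one observable the article gives is the size jump from 58 KB to 508 KB, which is exactly the kind of discrepancy a user could have checked before running the download. The script below is an added example, not code from Symantec, Anonymous, or the Slowloris project: it compares a downloaded file's size and SHA-256 against values the distributor is assumed to have published out of band (the PasteBin guide in the article published no such values, which is the point). The two sample files are constructed in a temporary directory with dummy contents at the article's two sizes; no real tool or malware is used.

```python
import hashlib
import os
import tempfile

CLEAN_SIZE = 58 * 1024        # size of the genuine tool, per the article
TROJANIZED_SIZE = 508 * 1024  # size of the Zeus-laden copy, per the article


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large downloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_download(path: str, expected_size: int, expected_sha256: str) -> dict:
    """Verify a downloaded file against an expected size and digest.

    Returns a verdict dict. 'ok' is True only when both the size and the digest
    match; 'problems' lists every mismatch so the caller can see whether the file
    merely grew (a padded or bundled binary) or was altered outright.
    """
    size = os.path.getsize(path)
    digest = sha256_of_file(path)
    problems = []
    if size != expected_size:
        problems.append(f"size {size} B differs from expected {expected_size} B")
    if digest != expected_sha256:
        problems.append("sha256 differs from the published value")
    return {"size": size, "sha256": digest, "ok": not problems, "problems": problems}


def _write_dummy(directory: str, name: str, size: int, fill: bytes) -> str:
    """Create a constructed sample file of exactly `size` bytes (not a real binary)."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write((fill * (size // len(fill) + 1))[:size])
    return path


def demo() -> dict:
    """Build a 'clean' and a 'trojanized' sample and run the check on both.

    The expected hash is taken from the constructed clean file, standing in for a
    digest the distributor would have published on a trusted channel.
    """
    with tempfile.TemporaryDirectory() as tmp:
        clean = _write_dummy(tmp, "slowloris-clean.bin", CLEAN_SIZE, b"CLEAN")
        trojanized = _write_dummy(tmp, "slowloris-modified.bin", TROJANIZED_SIZE, b"ZBOT")
        published_sha256 = sha256_of_file(clean)  # assumption: published out of band
        return {
            "clean": check_download(clean, CLEAN_SIZE, published_sha256),
            "trojanized": check_download(trojanized, CLEAN_SIZE, published_sha256),
        }


if __name__ == "__main__":
    for label, verdict in demo().items():
        status = "OK" if verdict["ok"] else "REJECT"
        print(f"{label}: {status} ({verdict['size']} B) {'; '.join(verdict['problems'])}")
```

The size comparison is only a tripwire: an attacker who controls the download link can pad or shrink the bundle to match. What actually protects the user is a digest (or signature) obtained through a channel the attacker does not control, which a link edited into a public paste cannot provide.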
As a result, the antivirus developer said, "Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen."
In response to the news, David Murphy of PCMag.com said on Saturday that victims of past Anonymous attacks were "undoubtedly enjoying a bit of schadenfreude this weekend." Meanwhile, Leyden noted that while the organization itself tends to be "highly antagonistic to white-hat security firms, especially Symantec," it was "happy to endorse" the company's warning on this occasion, using Twitter to help spread the word.