Anonymous tricked into installing Trojan

Summary: Two months ago, an unknown attacker slipped in a Zeus-infected version of Slowloris into the list of DDoS tools that Anonymous has been distributing to its supporters, according to Symantec.

TOPICS: CXO, Security

Update: Anonymous reacts to Symantec Trojan report

Anonymous supporters who willingly used their PCs to participate in the group's Distributed Denial of Service (DDoS) attacks may have unknowingly handed over their personal e-mail and banking information in the process. In January 2012, an unnamed attacker took Slowloris, one of the DDoS attack tools popular with Anonymous supporters, and rigged it to include the Zeus Trojan. The individual copied and pasted an original Anonymous Pastebin entry offering the actual tool and replaced the download link with his own infected version. It just so happened that this post went viral among Anonymous supporters. To this day, it is still being shared on Anonymous blog posts and via Twitter.

If you haven't heard of Zeus, it's a Trojan horse that steals banking information via two methods: man-in-the-browser keystroke logging and form grabbing. First identified in July 2007, Zeus is spread mainly through drive-by downloads and phishing schemes, and its many variants have already infected hundreds of thousands of PCs. Now it looks like Zeus has been used to steal financial data from Anonymous supporters.

The story begins on January 19, 2012, when authorities raided Megaupload, and Anonymous hackers retaliated by taking down the websites of the DOJ, RIAA, MPAA and Universal Music, among others. That day, Anonymous released a list of several different DDoS attack tools under a guide referred to as "Tools of the DDoS trade" and "Idiot's Guide to Be Anonymous." Under "Operation Megaupload," supporters were urged to download one of the tools, which would enable them to contribute to the DDoS attacks with their own computers.

In the following weeks, the compromised DDoS tool may also have been used in attacks on several U.S. government websites, in protest of the government's support of the Anti-Counterfeiting Trade Agreement (ACTA), and against Syrian government websites. Since the modified Slowloris link was on the list, countless people who thought they were simply supporting Anonymous' mission were actually compromising their own financial security.

Security firm Symantec has the details:

An attacker took a popular PasteBin guide, used by Anonymous members for downloading and using the DoS tool Slowloris, and modified it. In this modified version, the attacker changed the download link to a Trojanized version of the Slowloris tool with matching text. Later that same day, a separate Anonymous DoS guide was posted on PasteBin which included links to various DoS tools. Slowloris was included in this list of tools—the Trojanized version copied from the modified guide.

Once downloaded, installed, and executed, the infected version of Slowloris uses the Zeus botnet client to send login credentials and cookies to the criminal's C&C server. In typical Trojan fashion, the botnet also orders the Slowloris tool on the infected user's computer to attack Anonymous targets, ensuring that the victim still sees the tool do what he or she expects it to.
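The tampering described above, a guide copied with its wording intact and only the download link swapped, can be caught by comparing the two texts, and the downloaded file can be checked against a digest obtained from somewhere other than the paste that supplied the link. The script below is an added example, not code from the article, Symantec or Anonymous; the sample guide texts and URLs are constructed placeholders.

```python
import hashlib
import re

URL_RE = re.compile(r"https?://\S+")

# Constructed sample guides (not the real Pastebin entries): a copy of the
# original with the prose left intact and only the download link swapped.
ORIGINAL_GUIDE = """Tools of the DDoS trade
Slowloris - low-bandwidth HTTP DoS tool
Download: http://tools.example.org/slowloris.tar.gz
Verify the archive against the published checksum before use.
"""
COPIED_GUIDE = """Tools of the DDoS trade
Slowloris - low-bandwidth HTTP DoS tool
Download: http://mirror.example.net/slowloris.tar.gz
Verify the archive against the published checksum before use.
"""


def find_substituted_links(original: str, copy: str):
    """Return (line_no, old_links, new_links) for each line whose wording is
    identical in both texts but whose URLs differ: the tell-tale pattern of a
    guide copied verbatim with the download link replaced."""
    findings = []
    pairs = zip(original.splitlines(), copy.splitlines())
    for line_no, (a, b) in enumerate(pairs, start=1):
        a_links, b_links = URL_RE.findall(a), URL_RE.findall(b)
        if a_links == b_links:
            continue
        # Compare the surrounding prose with the URLs masked out.
        if URL_RE.sub("<url>", a).strip() == URL_RE.sub("<url>", b).strip():
            findings.append((line_no, " ".join(a_links), " ".join(b_links)))
    return findings


def verify_download(payload: bytes, expected_sha256: str) -> bool:
    """Check a downloaded archive against a digest obtained out of band, i.e.
    not from the same paste that supplied the link."""
    return hashlib.sha256(payload).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    for line_no, old, new in find_substituted_links(ORIGINAL_GUIDE, COPIED_GUIDE):
        print(f"line {line_no}: link changed from {old} to {new}")
```

A link that differs while every other word on the line matches is exactly the change Symantec describes, and a digest mismatch on the archive is the check that would have flagged the Trojanized copy.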

It's not clear how many Anonymous supporters used the infected Slowloris, so there's no way to gauge how many were (or still are) unknowingly transmitting their own bank account data to a remote server. Security companies have previously warned Internet users backing Anonymous not to participate in the DDoS attacks because they are breaking the law. Now, Symantec says they "may also be at risk of having their online banking and email credentials stolen."

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

Talkback

27 comments
  • No honor among thieves

    You know how the saying goes - there's no honor among thieves.
    CobraA1
    • On the other hand..

      If you were a government seeking to discredit Anonymous, what better way than to compromise their site in this fashion and make it look like another rogue group did it.
      sullivanjc
  • *BOOM*

    "Anonymous" hoist by their own petard. Delicious!
    M.R. Kennedy
  • BAH-HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!

    Good.
    Hallowed are the Ori
    • Sweet!

      Very nice that they're warning their own followers to watch out for malware. Just gotta laugh.
      boomchuck1
  • So kind of a case of reaping what they sow?

    Too bad. Now this would have been great if the FBI had modified it to send all that personal data back to them.
    Dr_Zinj
    • That's what I wondered

      A law enforcement agency could have done this, then the banking info is sent back, and that used to track those participating in the anonymous activities. There is just a whole host of possibilities. Or, it could just be a member of anonymous who got PO'd at another member and started a game of "I'll show you!"
      GSG
      • Most likely the latter

        If the FBI got caught doing something like this, there would be all sorts of bad PR (especially under a Democratic administration). I'm thinking that this is almost certainly a private effort.
        John L. Ries
      • Forget law enforcement

        CIA... To fund black ops :)
        RandomCake
  • LMAO - This is awesome

    Just supports the "what goes around comes around" philosophy. I love it!
    ItsTheBottomLine
    • Still LMAO

      Agreed!
      nulubez
  • Karma is a b*tch

    Serves them right.
    Snooki_smoosh_smoosh
  • Go Figure!

    And these overrated cybiesthuggies thought they were so smart. What, that knock at the door? Hello, it's the HAMMER; you've been had--Budd!!
    eargasm
  • Dishonest or ignorant reporting...

    Which seems to be the norm for ZDnet.
    techadmin.cc@...
    • But the cat is out of the bag

      Even if it is just a hoax, the next one might not be ?????
      fierogt
    • Hurtn?

      Sounds like a sour grapes criminal doesn't like being on the receiving end of his own tripe here. Ignorance is really widespread, heh?
      tom@...
    • Dishonest? Ignorant?

      @techadmin.cc@ - how is this dishonest reporting? Symantec did publish a report on the incident. The writer has not invented the article. The details of Symantec findings are represented in the article. Again the writer did not invent the information.
      The Article also links to various others sources showing the response in the Anon community - providing some balance for a reader to make up their own mind.

      Ignorant? Where's the ignorance in the story? Ignorant of what?
      SharkeyNZ
  • Honor amongst thieves....

    or dishonor.
    Interesting turn of events, I wonder how Anonymous handle this.
    phatkat
  • FUD

    How convenient. Fear, uncertainty and dread. Sounds like a republican created story to scare the masses. It's perfect for you because it can't be debunked. But since it can't be proven either, it is not journalism. It's FUD.
    douglas_john_ledet@...
    • What? Your heroes are fallible!

      If I were a conspiracy theorist, it wouldn't surprise me that some government types wouldn't have a problem with throwing such a spanner in Anonymous's works.
      It seems clear that while the core members of Anonymous are covering their tracks well, they are enlisting a lot of people who are along for the ride, but lack the skills to protect themselves.

      It was not necessarily a 'true believer' Anonymous person who did this, but just another opportunist or even criminal gang member. Not everyone who has the same enemies is your friend, as even the US found when they lay down with Al Qaeda against the Russians.

      Who says just because many are seeking to take part in the Anonymous activities, for whatever noble or nefarious reasons, they are not less susceptible to being hijacked as anyone else in mainstream computing land.

      Chaos is lurking everywhere, and unless someone is proactively preventing it, some selfish person will seek to take advantage of anybody not willing to take responsibility for themselves.
      Patanjali