• United States



by John E Dunn

Anonymous Supporters Tricked Into Installing Zeus Trojan

Mar 06, 20122 mins
Consumer ElectronicsData and Information SecuritySecurity

Slowloris Pastebin guide included malicious link

Thousands of Internet users downloading the Slowloris tool to participate in recent DoS attacks in support of the Anonymous protest movement could have infected themselves with the Zeus banking Trojan, Symantec has reported.

The attack appears to have started just after the FBI’s 20 January raid on Kim Schmitz’s Megaupload file sharing service on piracy charges, which led to a campaign in which outraged users were invited to attack industry and Federal sites using DIY DoS software such as Slowloris.

It now appears that an opportunistic criminal altered one of the download links to the tool inside a PasteBin ‘how guide’, pointing it to a server hosting a Trojanised version of the tool.

Compounding this, the infected link was unwittingly spread by users through Twitter, with 400 individual tweets including the link to add to the 26,000 people viewing the guide on Pastebin.

Any Windows user downloading the software would have been installing Zeus (aka Zbot) on their PC, after which a genuine version of Slowloris would have installed as a concealment tactic.

The Zeus variant detected not only records logins for any web service the users subsequently visits, but in theory will continue to attack targets antagonistic to Anonymous. How successful these attacks might be is anyone’s guess – Slowloris is usually seen as a tool to launch attacks from Linux systems.

“Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen,” Symantec said.

“The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world.”

The fashion for using non-technical DDoS tools to support global Internet causes goes back to late 2010 when Anonymous sympathisers were invited to download the JavaScript Low Orbit Ion Cannon (LOIC) to launch web attacks in support of Wikileaks and its founder, Julian Assange.

Probably the most famous use of the more technically-involved Slowloris was to attack Iranian Government servers at the time of the disputed election of 2009.