Security researchers at Symantec discovered that following the MegaUpload raid on January 20th, an unknown attacker copied the text from a guide Anonymous shared with their followers to download and use a DoS tool named Slowloris, swapped out the download link and re-posted it on PasteBin.
The modified Slowloris link pointed toward a tainted version of the DoS attack tool that contained the infamous ZeuS/Zbot Trojan, which is best-known for its ability to steal online banking information.
On the very same day that the attacker posted the modified guide, a separate Anonymous DoS guide containing links to a variety of DoS tools was posted on PasteBin. The new guide also contained the tainted Slowloris download link.
According to Symantec, the new guide – commonly referred to as “Tools of the DDoS trade” and “Idiot’s Guide to be Anonymous” – is quite popular among the Anonymous movement and has more than 26,000 page views and 400+ tweets related to it on Twitter.
Timeline Credit: Symantec
What happens when an Anonymous supporter downloads the Trojanized copy of Slowloris?
“When the Trojanized Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed.” Symantec explained, “After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool.”
So, as the user willingly participated in DDoS attacks against Anonymous targets, they also had all of their confidential login information recorded and uploaded to a remote server.
Remember, folks, it is illegal to participate in a DDoS attack, no matter what the cause! Keep your PC – and the information stored on it – safe by steering clear of these attack programs, making sure your OS is updated and running antivirus software.
Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.