Hackers have duped supporters of the Anonymous
group into installing the Zeus botnet, which steals confidential
information from PCs, including banking usernames and passwords,
security researchers said last week.
According to Symantec,
someone modified a link to a popular distributed denial-of-service
(DDoS) attack tool to direct users to a Zeus bot Trojan instead.
The
replacement of a Zeus client for the "Slowloris" DDoS tool took place
on the day after Anonymous launched strikes against websites operated by
the U.S. Department of Justice, the Recording Industry Association of
America (RIAA), the Motion Picture Association of America (MPAA), and
others in retaliation for the arrest
of four men associated with the popular Megaupload "cyberlocker" site
on charges of copyright infringement, money laundering and racketeering.
In a post last Friday
to the Symantec security response team's blog, the firm described how
unknown hackers modified a message on PasteBin, changing the link to a
Trojanized version of Slowloris.
Anonymous supporters have, unwittingly or not, pointed others to
altered PasteBin message that includes the link to the Zeus bot. The
Twitter account "YourAnonNews," which has almost 550,000 followers, was
just one of many that tweeted a link to the altered PasteBin message,
said Symantec.
Through mid-February, Symantec had counted over
26,000 views of the PasteBin message and over 400 individual tweets
referencing its URL.
While the Trojanized Slowloris does conduct
DDoS attacks -- at times under the behest of the hackers who control the
botnet -- it also steals website cookies, login information for
financial institutions and other user account credentials from infected
PCs, then transmits the information to a command-and-control (C&C)
server.
"Not only will supporters be breaking the law by
participating in attacks on Anonymous hacktivism targets, but [they] may
also be at risk of having their online banking and email credentials
stolen," said Symantec.
The Zeus ploy wasn't the first time that Anonymous supporters have been tricked.
In
January, hard on the heels of the retaliatory attacks against the
Department of Justice website, U.K.-based security company Sophos said
members of Anonymous distributed links via Twitter and elsewhere that
when clicked automatically launched a Web version of LOIC, or Low Orbit
Ion Cannon, another DDoS tool.
Many of those messages said nothing about LOIC or that clicking the link shanghaied the user into the then-ongoing DDoS attack, said Sophos.
Authorities
have staged numerous arrests of Anonymous members and supporters on
charges that they participated in DDoS attacks against targets in the
U.S. and other countries.
Last week, an Interpol-organized sweep netted 25 suspected members of the hacking group in Argentina, Chile, Columbia and Spain.
