Anonymous Tricked Into Downloading Trojan
Anonymous may be best known for its DDoS attacks on company and government Web sites. It turns out, however, that those DDoS attacks may not have been all that safe for the Anon members participating.
The Symantec blog recently detailed how Anonymous members were tricked into downloading a Trojan-infected version of Anonymous’ DDoS tool, the Low Orbit Ion Cannon. The Zeus botnet client that users downloaded steals their online banking and email credentials along with their cookies.
The infection deception apparently began on the day MegaUpload was taken down by the authorities. This is when Anonymous jumped into action and began #OpMegaUpload. There were reports then that users were tricked into launching DDoS attacks against their will.
The Trojan was a bit different, however, in that somebody switched out a link in a guide for DDoS attacks on PasteBin. The first link was to Mediafire, but a second post on the day of #OpMegaUpload led to a multiupload file that featured a larger client that contained the virus.
It began to spread from there, with another user guide to DDoS including a link to the Trojan-infected version of the DDoS tool Slowloris.
What followed was a social media spread that saw 470 tweets all linking to the infected tool. There were probably many more people sharing the two guides containing the infected tool beyond just what was seen on Twitter.
When Anonymous members downloaded the Slowloris tool, they became infected with the Zeus botnet Trojan. The virus sticks to its profession as a Trojan by pretending to be the Slowloris tool. While it does perform the DDoS attack as expected, it also, as explained above, sends the user's financial banking credentials to the operator of the botnet.
Symantec, while reiterating that DDoS attacks are illegal, says they aren’t the only threat anymore.
The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world.
Anonymous is now aware of the Trojan and is urging its members to exercise caution.