Anonymous supporters fooled into downloading Zeus malware

Some supporters of the hacktivist group Anonymous joining recent attacks on the Justice Department and other websites apparently were fooled into downloading the Zeus botnet malware, which can steal their personal information, Symantec reported.

The deception started Jan. 20, a day after the FBI took down the file-sharing site Megaupload and charged seven of its principals with copyright violation, fraud and racketeering. Anonymous, in what it said was its largest operation to date, responded with attacks on the Justice, FBI and White House sites, along with those of several recording industry companies.

But supporters downloading the Slowloris denial-of-service tool to join in on the attacks were getting a Trojanized version of the tool that also contained Zeus, Symantec wrote in a blog post.


An attacker modified a link on PasteBin, which is often used by Anonymous, so that it took users to the corrupted Slowloris tool. The tool would carry out the denial-of-service attack but could also steal online banking and Web mail credentials, Symantec said. The company said the PasteBin link had been viewed more than 26,000 times and its URL referred to in 470 tweets as of mid-February.

Users who download the tool also get a Zeus botnet client. Zeus was first identified in 2007, when it was used in an attack on the U.S. Transportation Department; since then, Zeus botnets have struck in nearly 200 countries, with attacks on major banks and commercial organizations as well as government agencies such as NASA.

“Zeus is an advanced malware program that cannot be easily removed,” Symantec said. In addition to stealing credentials from users, it is also being used to force computers into taking part in denial-of-service attacks against Anonymous’ targets.

This isn’t the only attempt to dupe Anonymous supporters in connection with the January attacks. A researcher for Sophos reported on Jan. 20 that visitors to a malicious site could unwittingly join the attacks against the Justice website merely by clicking on a link.

Anonymous typically has asked supporters to download a copy of the Low Orbit Ion Cannon, an open-source tool that can be used in DDOS attacks. But in this case, links posted at contained JavaScript that, when clicked, would launch traffic to the Justice site, Sophos’ Graham Cluley wrote on Naked Security.

The attacks followed a flurry of activity related to online piracy. On Jan. 18, thousands of websites and blogs went dark in protest over two bills before Congress, the Stop Online Piracy Act (SOPA) in the House and the Protect Intellectual Property Act (PIPA) in the Senate, that opponents said threatened free speech, online commerce and legitimate sites in their efforts to curb piracy.

A day later, the FBI took down Megaupload, charging its leaders with pirating music, movies and other entertainment products, and prompting Anonymous attacks against DOJ, the FBI, the Recording Industry Association of America, Motion Picture Association of America, Universal Music and others.

Since the SOPA and PIPA protests, the bills have largely been abandoned. An international anti-piracy treaty, the Anti-Counterfeiting Trade Agreement, also has been slowed by protests in Europe.

But Anonymous attacks have continued. Last week, 25 alleged members of the group were arrested after an Interpol-led investigation into online attacks in Colombia and Chile.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

