Video Screencast Help
Security Response

Anonymous Supporters Tricked into Installing Zeus Trojan

Created: 01 Mar 2012 18:52:09 GMT • Updated: 23 Jan 2014 18:17:08 GMT • Translations available: 日本語
Symantec Security Response's picture
+6 6 Votes
Login to vote

In 2011, dozens of Anonymous members who participated in distributed denial-of-service (DDoS) attacks in support of Anonymous hacktivism causes were arrested. In these DDoS attacks, supporters using the Low Orbit Ion Cannon denial-of-service (DoS) tool would voluntarily include their computer in a botnet for attacks in support of Anonymous. In the wake Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies.

The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid. An attacker took a popular PasteBin guide, used by Anonymous members for downloading and using the DoS tool Slowloris, and modified it. In this modified version, the attacker changed the download link to a Trojanized version of the Slowloris tool with matching text:
 

Figure 1. a) Legitimate Slowloris post from May 2011 Anonymous campaign, and b) trojanized PasteBin post for the deception of Anonymous members.

Later that same day, a separate Anonymous DoS guide was posted on PasteBin which included links to various DoS tools. Slowloris was included in this list of tools—the Trojanized version copied from the modified guide:
 

Figure 2. Anonymous DoS guide with copied Trojanized Slowloris link. The Slowloris link was copied from the deceptive post earlier in the day.

This Anonymous DoS tool on PasteBin has become quite popular among the Anonymous movement with more than 26,000 views and 400 tweets referring to the post. The following is a timeline of the tweets with related hacktivism causes highlighted:
 

Figure 3. Attack timeline from the start of the Megaupload raid. The PasteBin including the Trojanized Slowloris link is still being commonly linked to in new Tweets to-date.
 

Supporters still refer to this PasteBin guide post as “Tools of the DDos trade” and “Idiot’s Guide to Be Anonymous,” seen below:
 

Figure 4. Twitter search results on February 15th, 2012 for references to the Anonymous DoS guide PasteBin post with Trojanized Slowloris.

 

Figure 5. Flow of events as the hacker specifically targeted the Anonymous group with the Trojanized Slowloris download.
 

When the Trojanized Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed. After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool. Zeus is an advanced malware program that cannot be easily removed. The Zeus client is being actively used to record and send financial banking credentials and webmail credentials to the botnet operator. Additionally, the botnet is being used to force participation in DoS attacks against Web pages known to be targets of Anonymous hacktivism campaigns. This usage is summarized in the figure below:
 

Figure 6. Observed usage of the installed Zeus clients in the Anonymous Slowloris attack. Cookies, online banking credentials, and webmail credentials are sent to the server from the infected machines. Commands are given to the botnet clients to execute Slowloris and attack Anonymous hacktivism targets.
 

Communication to the command-and-control (C&C) server is achieved through HTTP POST messages. Below are examples of decrypted POST messages sending a cookie, financial credentials, and webmail credentials to the C&C server:
 

Table 1. Example of decrypted POST data sent from the Zeus client to the C&C domain for a) cookie data being sent to the server, b) credentials sent to the server after stealing an online banking username and password, and c) stolen webmail account credentials.
 

Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen. The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world. We will continue to watch for new developments.