Cybercriminals recently modified a distributed denial-of-service tool (DDOS) called Slowloris to include a client for Zeus, a well-known piece of malware that steals logins and passwords for banking websites. They then targeted it at Anonymous supporters, according to a Symantec blog post.
Anonymous is well-known for its anti-government and anti-corporate campaigns, which aim to expose sensitive data through hacking or irritating organizations by jamming their websites with an overwhelming amount of traffic.
The group often depends on corralling support from Internet users around the world and recommends DDOS tools for people to download. In May 2011 on the Pastebin clipboard website, Anonymous encouraged supporters to download a DDOS tool called Slowloris. The posting was widely circulated around the Internet on sites such as Twitter.
But Symantec discovered that Zeus cybercriminals copied the post word for word and reposted it again on Jan. 20. This time, however, the link to the Slowloris DDOS tool actually lead to a modified, malicious version of Slowloris. It was reposted on the same day that the Megaupload file-sharing site was taken down by law enforcement agencies in several countries and Anonymous launched a campaign in its defense.
The link to the malicious version of Slowloris also appeared in another version guide to executing DDOS attacks that Anonymous published, which also made the rounds on Twitter, Symantec said.
Symantec found that if a victim downloads and executes the modified Slowloris tool, the malware then tries to conceal the infection by downloading the real Slowloris application.
In addition to stealing the victim's financial details, e-mail credentials and cookies, the person who controls the infected machine then conducts DDOS attacks against Web pages in support of Anonymous.
"Not only will supporters be breaking the law by participating in DOS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen," Symantec wrote.