Thousands of Internet users downloading the Slowloris tool to participate in recent DoS attacks in support of the Anonymous protest movement could have infected themselves with the Zeus banking Trojan, Symantec has reported.
The attack appears to have started just after the FBI’s 20 January raid on Kim Schmitz’s Megaupload file sharing service on piracy charges, which led to a campaign in which outraged users were invited to attack industry and Federal sites using DIY DoS software such as Slowloris.
It now appears that an opportunistic criminal altered one of the download links to the tool inside a Pastebin ‘how-to guide’, pointing it to a server hosting a Trojanised version of the tool.
Compounding this, the infected link was unwittingly spread by users through Twitter, with 400 individual tweets including the link, in addition to the 26,000 people who viewed the guide on Pastebin.
Any Windows user downloading the software would have been installing Zeus (aka Zbot) on their PC, after which a genuine version of Slowloris would have been installed as a concealment tactic.
The Zeus variant detected not only records logins for any web service the user subsequently visits, but in theory will continue to attack targets antagonistic to Anonymous. How successful these attacks might be is anyone's guess - Slowloris is usually seen as a tool to launch attacks from Linux systems.
“Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen,” Symantec said.
“The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world.”
Probably the most famous use of the more technically-involved Slowloris was to attack Iranian Government servers at the time of the disputed election of 2009.