Anonymous supporters tricked into installing Zeus Trojan
Symantec has published a report saying that, from around 20 January 2012, a popular Pastebin guide on how to take part in Anonymous denial-of-service attacks was duplicated and the copy modified to point to a version of the Slowloris DDoS tool that included the Zeus trojan. Anyone downloading this modified version would find their system taking part in the Anonymous DDoS, but under the control of a hacker's command and control (C&C) server, which passed on commands for DoS attacks while the trojan sent back any banking details, cookies or webmail credentials it could find.
The next day, a separate guide to DDoS tools appeared on Pastebin which referenced the download link for the trojanised Slowloris. Symantec says that the URL to the tutorial was then posted in a message on Twitter, and in its timeline of events says that the link was tweeted by @youranonnews, a well-known outlet for Anonymous news and announcements with over half a million followers.
It is this claim that @youranonnews is calling "wrong & libellous", saying it "NEVER posted the DDOS hijacker nor did we attempt to trick people; instead we WARNED of it". Archives show the URL was apparently tweeted by @youranonnews, and not in the form of a warning. Dated 22 January, it read:
#OpMegaUpload materials. http://pastebin.com/tw******
#Anonymous #Antisec via: @BarrettBrownLOL
but the original message on Twitter appears to have been deleted.
Whatever happened, the incident should serve as a reminder that users should only download and install software from sources they trust, and that a quite literally anonymous post on Pastebin pointing to an anonymous file sharing service is the definition of what is not a trusted source.
(djwm)