Anonymous Downplays Zeus Trojan Hacking as Symantec Reveals Own Supporters Duped

Anonymous has taken to Twitter to downplay the incident and to warn users after Symantec released a report claiming that anti-Anonymous hackers had duped the hactivist collective into adding Zeus Trojan malware to a guide for DDoS attacks.

The move may have been in retaliation for Anonymous' attacks on web sites FBI, the Department of Justice and other sites the day after Megaupload founder Kim Dotcom was arrested by the FBI.

'Hope you like your medicine!'

According to Symantec, someone modified a link to popular distributed denial-of-service (DDoS) attack tool Slowloris, used to to flood websites with open connections and ultimately knock them offline, with a Trojanized version of the tool with matching text.

The link, inserted into a popular, Anonymous-affiliated PasteBin guide for DDoS, contains a Zeus botnet client. The malware not only carries out the DDoS attack, but also steals confidential information from PCs, including banking information, webmail logins and cookies that are then sent on to an unknown command-and-control (C&C) server.

According to MSNBC.com Security Reporter Matt Liebowitz, the anti-hackvist hacker added the malware to the Slowloris tool on Jan. 20, one day after an FBI sting on file-sharing site Megaupload.

That raid prompted retaliatory attacks by Anonymous against the FBI, the U.S. Department of Justice, the U.S. Copyright Office and entertainment giants like the Universal Music and the Motion Picture Association of America.

You feel censored yet? We sincerely hope you like your own medicine! members of the hacker collective posted in a comment directed at the FBI.

Symantec Warns Anonymous Of Hacking

That same medicine has now been served back to Anonymous supporters.

In a post last Friday to the Symantec security response team's blog, the firm described how unknown hackers probably modified the message on PasteBin, changing the link to a malware version of Slowloris.

The file size of the original, unaltered version of Slowloris was listed at 58kb. The modified version, containing the Zeus Trojan, is listed at 508 kb in size.

In the wake Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DDoS attacks, the software company warned.

Through mid-February, Symantec had counted over 26,000 views of the PasteBin message and over 400 individual tweets referencing its URL.

Unknowing supporters are still recommending the PasteBin guide, malware attached, as Tools of the DDos trade and Idiot's Guide to Be Anonymous.

Not only will supporters be breaking the law by participating in attacks on Anonymous hacktivism targets, but [they] may also be at risk of having their online banking and email credentials stolen, Symantec researchers wrote.

Anonymous Responds

Since news of the Zeus Trojan broke, Twitters accounts affiliated with Anonymous have been flooded with messages by those affiliated with the hacktivist collective.

The majority of them, however, have been dedicated not to warning supporters but to accusing Symantec of misrepresenting the hacking, if it even occurred in the first place.

AnonymousIRC, which has over 250,000 followers, did tweet out a warning this morning.

#Anonymous supporters tricked into installing Zeus Trojan, the Twitter post read. This MUSTN'T happen. Be careful what you post & click on!

YourAnonNews, however, which has almost 550,000 followers, hotly denied that its Anonymous-affiliated Twitter handle had been helping to spread the DDoS Trojan, calling the claim wrong and libelous to say the least.

Dear @Symantec - @YourAnonNews NEVER posted the DDOS hijacker nor did we attempt to trick people; instead we WARNED of it, another Twitter post read.

Yet another tweet by YourAnonNews mocked the company for the fact that it itself had been hacked in the past, alluding to an incident in early Ferbuary when Anonymous-affiliated hackers released a portion of Symantec's source code.

Also, @Symantec - maybe if you paid attention to more details and did proper due diligence, your source code wouldn't have been stolen, the tweet read. SMH.

'Anyone Can Partake.'

AnonOps, which has nearly 300,000 followers, has yet to tweet anything about the report.

It did, however, retweet this message from CNET: Did Anonymous itself get hacked? Symantec says yes. But Anonymous begs to differ.

YourAnonNews, meanwhile, posted another message on Twitter on Sunday, with a warning to both those who plan to write about Anonymous and to their current supporters.

Let's set a few things straight here, the Twitter post read. If you want to join #Anonymous (and we get asked a lot how to do it), know this: anyone can partake.