In a blog last week, Symantec said that some Anonymous supporters who downloaded a modified Slowloris DDoS tool to attack the FBI and other organizations following the agency’s raid on Megaupload also downloaded a Zeus trojan that steals banking and webmail credentials.
“When the Trojanized Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed. After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool”, Symantec explained.
“The Zeus client is being actively used to record and send financial banking credentials and webmail credentials to the botnet operator. Additionally, the botnet is being used to force participation in DoS attacks against Web pages known to be targets of Anonymous hacktivism campaigns”, the security company added.
“Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen. The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world”, the blog concluded.
However, an Anonymous tweet challenged the Symantec analysis, charging that the claim was “wrong and libelous.” The tweet did not provide any information refuting the Symantec analysis.