Anonymous Members Hit By Zeus Botnet Scam

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Follow on: Google +

Symantec has highlighted a scam that tricked Anonymous users into infecting themselves with the Zeus Trojan

Members of the hacktivist collective Anonymous have themselves been targeted by attackers, who tricked them into installing Zeus botnet code on their systems, according to Symantec.

In a report last week Symantec described how attackers directed Anonymous members toward code that had been Trojanised with Zeus client software. Users who believed they were voluntarily joining an Anonymous botnet in order to support the group’s denial-of-service attacks also joined the Zeus botnet.

Zeus botnet

“Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks,” Symantec stated. “The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users’ online banking credentials, webmail credentials, and cookies.”

Ironically, the incident meant that Anonymous’ supporters were themselves exposed to danger, the report found.

“Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen,” Symantec said in the report. “The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world.”

The attack began on 20 January, when a guide posted on PasteBin for the use of Anonymous members was modified to include a link to the Trojanised code.

Users who thought they were downloading Slowloris, a denial-of-service attack tool, received a version of the tool with a Zeus client concealed within.

Link spreads

A second Anonymous guide on PasteBin was also modified to include a link to the Trojanised code, Symantec said.

Since January, the security company found that the Trojanised link has spread quickly through the Anonymous community, with more than 26,000 views of the PasteBin page and 400 tweets referring to the post.

However, Anonymous members themselves have responded that in some cases those tweets were warning of the compromised link rather than recommending it.

“Dear @Symantec – @YourAnonNews NEVER posted the DDOS hijacker nor did we attempt to trick people; instead we WARNED of it,” a user on the Twitter feed YourAnonNews wrote following the Symantec report.

“This post from @Symantec about @YourAnonNews’s spreading the DDOS hijacking trojan is wrong & libelous to say the least,” another user wrote on the same Twitter feed.


Last month, law enforcement officers working in Spain, Argentina, Chile and Columbia arrested 25 individuals believed to be connected with Anonymous. The international ‘Operation Unmask’ was launched by Interpol in February following attacks on Chile’s Endesa electricity company, its National Library, and Columbia’s Ministry of Defence and presidential sites, among others.

Earlier in February a number of Greek government websites were taken down the collective in solidarity with the Greek protesters who oppose the government’s austerity measures. Among the sites to be attacked were those the of the Greek prime minister, the national police and the Ministry of Finance.

Are you smarter than Anoymous? Try our security quiz and find out!