Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen. Example of decrypted POST data sent from the Zeus client to the C&C domain for a) cookie data being sent to the server, b) credentials sent to the server after stealing an online banking username and password, and c) stolen webmail account credentials. Below are examples of decrypted POST messages sending a cookie, financial credentials, and webmail credentials to the C&C server: Commands are given to the botnet clients to execute Slowloris and attack Anonymous hacktivism targets.Ĭommunication to the command-and-control (C&C) server is achieved through HTTP POST messages. Cookies, online banking credentials, and webmail credentials are sent to the server from the infected machines. Observed usage of the installed Zeus clients in the Anonymous Slowloris attack. This usage is summarized in the figure below:įigure 6.
Additionally, the botnet is being used to force participation in DoS attacks against Web pages known to be targets of Anonymous hacktivism campaigns. The Zeus client is being actively used to record and send financial banking credentials and webmail credentials to the botnet operator. Zeus is an advanced malware program that cannot be easily removed. After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool. When the Trojanized Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed. Flow of events as the hacker specifically targeted the Anonymous group with the Trojanized Slowloris download. Twitter search results on February 15th, 2012 for references to the Anonymous DoS guide PasteBin post with Trojanized Slowloris.įigure 5. Supporters still refer to this PasteBin guide post as “Tools of the DDos trade” and “Idiot’s Guide to Be Anonymous,” seen below:įigure 4. The PasteBin including the Trojanized Slowloris link is still being commonly linked to in new Tweets to-date. Attack timeline from the start of the Megaupload raid. The following is a timeline of the tweets with related hacktivism causes highlighted:įigure 3. This Anonymous DoS tool on PasteBin has become quite popular among the Anonymous movement with more than 26,000 views and 400 tweets referring to the post. The Slowloris link was copied from the deceptive post earlier in the day. Anonymous DoS guide with copied Trojanized Slowloris link. Slowloris was included in this list of tools-the Trojanized version copied from the modified guide:įigure 2. Later that same day, a separate Anonymous DoS guide was posted on PasteBin which included links to various DoS tools. a) Legitimate Slowloris post from May 2011 Anonymous campaign, and b) trojanized PasteBin post for the deception of Anonymous members.
ANONYMOUS DDOS ATTACK TOOL DOWNLOAD DOWNLOAD
In this modified version, the attacker changed the download link to a Trojanized version of the Slowloris tool with matching text:įigure 1.
An attacker took a popular PasteBin guide, used by Anonymous members for downloading and using the DoS tool Slowloris, and modified it. The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid. It also steals the users' online banking credentials, webmail credentials, and cookies. The Zeus client does perform DoS attacks, but it doesn’t stop there. In the wake Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. In these DDoS attacks, supporters using the Low Orbit Ion Cannon denial-of-service (DoS) tool would voluntarily include their computer in a botnet for attacks in support of Anonymous. In 2011, dozens of Anonymous members who participated in distributed denial-of-service (DDoS) attacks in support of Anonymous hacktivism causes were arrested.
0 kommentar(er)
