Mere hours after the Megaupload raid and the arrest of its operators, an unknown individual copied and pasted a original Anonymous Pastebin entry offering the actual tool and replaced the download link with a Trojanized version.
"Later that same day, a separate Anonymous DoS guide was posted on Pastebin which included links to various DoS tools. Slowloris was included in this list of tools—the Trojanized version copied from the modified guide," Symantec researchers pointed out.
This last post went viral among Anonymous supporters (click on the screenshot to enlarge it):
And a link to the guide is still being reposted regularly on Twitter.
Once downloaded, installed and run, the Trojanized Slowloris version drops the Zeus botnet client and begins collecting and sending credentials and cookies to the crook's C&C server. In addition to all this, the botnet orders the Slowloris tool on the infected user's computer to attack Anonymous targets, and the illusion is complete.
The user is now doubly endangered. "Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen," the researchers say.
Speculating on whether a "high-rank" Anonymous member is behind the scheme seems impossible given the nature of the hacker group.