The Register® — Biting the hand that feeds IT

Feeds

Google frets over Vietnam hacktivist botnet

Not Aurora, still a pain

By John Leyden, 31st March 2010
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Hackers used malware to establish a botnet in Vietnam as part of an apparently politically motivated attack with loose ties to the Operation Aurora attacks that hit Google and many other blue chip firms late last year, according to new research from McAfee and Google.

Unknown miscreants used malware disguised as Vietnamese language support software to create a botnet. The malware masqueraded as a VPSKeys keyboard driver software and was discovered in computers inside a subset of the organisations hit by Aurora. Infected systems were controlled by command and control systems accessed predominantly from IP addresses inside Vietnam.

In a blog posting, Google said that the compromised machines were used in politically motivated attacks.

These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.

Google draws parallels with the Vietnam botnet and operation Aurora attacks, which in part involved the attempted surveillance of Gmail accounts belonging to Chinese human rights activists. The targeted attacks associated with Aurora involved IE 6 exploits and were chiefly aimed at snaffling intellectual property from Google and others.

McAfee reckons efforts to create a botnet in Vietnam probably started in late 2009 at around the same time as the Operation Aurora attacks, but are otherwise unrelated to cyber-espionage attacks on Google and other high-tech firms. "While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related. The bot code is much less sophisticated than the Operation Aurora attacks," McAfee said.

"Attackers first compromised vps.org, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse.  The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead."

McAfee classifies the Trojan as Vulcanbot.

Systems infected by the Trojan "phone home" for instructions to a number of domains initially thought to be associated with Operation Aurora; subsequent research debunked this theory. "We have since come to believe that this malware is unrelated to Aurora and uses a different set of Command & Control servers," McAfee reports.

The botnet established by vulcanbot remains active and launching attacks.

McAfee reckons the perpetrators of the attacks are politically motivated and aligned to the Socialist Republic of Vietnam (ie the government). ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (2)
Latest Comments
Anonymous Coward

Oh no, Spock's gone gunnysack

"McAfee classifies the Trojan as Vulcanbot."

That is all.

0
0
Peter Murphy

On Vietnamese software and Vietnamese trojans.

As someone who types Vietnamese, I've never used VPSKey - the application associated with the trojan. I use UniKey. It's free and (better still) it's open source. My wife uses it, and so do many of her friends.

And while I have little love for the Socialist Republic of 'Nam, I'm a little surprised it is playing hardball with botnets. China is an emerging economic superpower - hard to push around. Việt Nam is a lower-middle class economy that depends heavily on exports. I believe it would be susceptible to a boycott. Most of the mediocrities running the country seem to have only two goals at this point: keeping power, and growing their GDP at increasing rates until they think of something better. Botnets don't really assist with the first aim, and they could put the second into jeopardy.

However, I have heard that their Internal Security is under increasing influence from the Chinese government. So perhaps it is Beijing rather than Hà Nội who is pushing the idea of a very Vietnamese botnet.

In my opinion, it's a shame. Most Vietnamese on the street don't like nor trust the Chinese government. After all, the last time they had a war was in 1979. Nor would they love the idea of trojans infecting Western computers. Due to the wave of boat people in the 70s and 80s, many Vietnamese live out of the country - in places like Melbourne, Houston, Montreal and Paris.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
133
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15