Google turns up botnet targeting Vietnamese users

Computers from around the world are being targeted in a new malware campaign designed to silence Vietnamese political activists, according to Google and McAfee.

Both companies say they have detected a new global botnet consisting of potentially tens of thousands of compromised machines belonging to Vietnamese computer users, Neel Mehta of Google's security team said in a Tuesday blog post.

He said the PCs got infected when their owners installed trojans that were masquerading as legitimate Vietnamese keyboard drivers, used to allow Windows machines to support the Vietnamese language.

"While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes," Mehta said. "These infected machines have been used both to spy on their owners, as well as participate in distributed denial-of-service attacks against blogs containing messages of political dissent."

These attacks apparently were launched to mute critics of a controversial, government-approved plan permitting a Chinese company to mine bauxite in Vietnam's Central Highlands region. Bauxite is an essential ingredient in making aluminum, which China needs for energy.

Protesters argue that the mining work creates an environmental hazard and, perhaps more importantly, threatens Vietnam's independence and security, given the large number of Chinese workers entering the country.

"We believe that malware is a general threat to the internet, but it is especially harmful when it is used to suppress opinions of dissent," Mehta said.

Researchers believe the attack initially was spread when the website for the Vietnamese Professionals Society (VPS) was compromised to replace a legitimate keyboard driver download on the site with a trojan. Then, the hackers delivered emails to "targeted individuals" that contained a link to the malicious driver, dubbed W32/VulcanBot, George Kurtz, McAfee's CTO, said in a blog post.

A number listed on the VPS website was disconnected, and an email seeking comment could not be delivered.

McAfee discovered the botnet is run by roughly a dozen command-and-control servers that were being accessed from IP addresses in Vietnam, Kurtz said. Researchers believe that those responsible may have links to the Vietnamese government.

McAfee learned of the new threat during its investigation into Operation Aurora. In that case, some Gmail accounts belonging to Chinese human rights activists were targeted. However, Kurtz said he does not believe the latest botnet is related to the malware used in Operation Aurora.

"The bot code is much less sophisticated than the Operation Aurora attacks," he said. "It is common bot code that could use infected systems to launch distributed denial-of-service attacks, monitor activity on compromised systems and for other nefarious purposes."
