
Google turns up botnet targeting Vietnamese users

Computers from around the world are being targeted in a new malware campaign designed to silence Vietnamese political activists, according to Google and McAfee.

Both companies say they have detected a new global botnet consisting of potentially tens of thousands of compromised machines belonging to Vietnamese computer users, Neel Mehta of Google's security team said in a Tuesday blog post.

He said the PCs got infected when their owners installed trojans that were masquerading as legitimate Vietnamese keyboard drivers, used to allow Windows machines to support the Vietnamese language.

"While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes," Mehta said. "These infected machines have been used both to spy on their owners, as well as participate in distributed denial-of-service attacks against blogs containing messages of political dissent."

These attacks apparently were launched to mute critics of a controversial, government-approved plan permitting a Chinese company to mine bauxite in Vietnam's Central Highlands region. Bauxite is an essential ingredient in making aluminum, which China needs for energy.

Protesters argue that the mining work creates an environmental hazard and, perhaps more importantly, threatens Vietnam's independence and security, given the large number of Chinese workers entering the country.

"We believe that malware is a general threat to the internet, but it is especially harmful when it is used to suppress opinions of dissent," Mehta said.

Researchers believe the attack initially spread when the website of the Vietnamese Professionals Society (VPS) was compromised and a legitimate keyboard driver download on the site was replaced with a trojan. The hackers then sent emails to "targeted individuals" containing a link to the malicious driver, dubbed W32/VulcanBot, George Kurtz, McAfee's CTO, said in a blog post.

A number listed on the VPS website was disconnected, and an email seeking comment could not be delivered.

McAfee discovered the botnet is run by roughly a dozen command-and-control servers that were being accessed from IP addresses in Vietnam, Kurtz said. Researchers believe that those responsible may have links to the Vietnamese government.

McAfee learned of the new threat during its investigation into Operation Aurora. In that case, some Gmail accounts belonging to Chinese human rights activists were targeted. However, Kurtz said he does not believe the latest botnet is related to the malware used in Operation Aurora.

"The bot code is much less sophisticated than the Operation Aurora attacks," he said. "It is common bot code that could use infected systems to launch distributed denial-of-service attacks, monitor activity on compromised systems and for other nefarious purposes."
