The Tech Herald

Vietnamese Malware unrelated to Aurora

by Steve Ragan - Mar 31 2010, 11:27

On Tuesday, Google reported the discovery of another attack aimed at human rights activists, one completely unrelated to the previous attacks that allegedly originated from China. This new, but less sophisticated, attack was aimed at Vietnamese dissidents.

The Malware mentioned in Google Security Team member Neel Mehta’s post is said to have originated as a keyboard driver allowing support for the Vietnamese language on Windows. The driver, once installed, would then connect to a Command & Control server where it could be used for any number of tasks.

Essentially, the infected systems were bots used to launch Denial of Service attacks on blogs containing messages of political dissent. Specifically “these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country,” Mehta wrote.

In a related story, McAfee said that the Vietnamese Malware had been listed in the company’s early reports on Operation Aurora, the name given to the attacks against Google that allegedly originated in China.

“We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks. While McAfee Labs identified the Malware during our investigation into Operation Aurora, we believe the attacks are not related,” George Kurtz, McAfee’s CTO said in a company blog.

According to Kurtz, some of the domains McAfee flagged as part of the Aurora attack were actually related to the Vietnamese botnet. In his post he noted that the botnet code itself is common, and less sophisticated than the code used in Aurora.

If there is any commonality between the attacks, it is that both have political motivations, Kurtz said, and McAfee feels that the operators of the botnet itself “have some allegiance to the government of the Socialist Republic of Vietnam.”

This allegation is based on the keyboard driver itself, which was available for download from the Vietnamese Professionals Society (VPS). Founded in 1990, the Vietnamese Professionals Society is a group that promotes awareness of social and economic conditions in Vietnam. Naturally, the Communist Party of Vietnam doesn’t like this.

McAfee thinks that the attackers compromised the VPS site, replacing the legitimate keyboard driver with Malware, so that they could track those downloading it.

Early media reports say that McAfee helped confuse the security world by mistakenly identifying the Vietnamese Malware in connection with Aurora. Adding to this are the secondary reports that came from various security vendors addressing the attacks, which relied on McAfee’s research and reports.

While that could be the case for some, for the security community overall, the mix-up caused no issues.
 
This is because Aurora is nothing more than an attack on a large company, something that is attempted countless times each day the world over. Those charged with defending their networks take reports from security vendors with a grain of salt, and rarely use them as a single source of threat assessment.

If anything, McAfee’s mix-up shows that Malware is the real persistent threat. Not an Advanced Persistent Threat, just a threat that security teams are forced to deal with daily.

You can read the original reports on the Google Blog and the McAfee Blog.