George Kurtz
Worldwide CTO
Chief Technology Officer & Executive Vice President Former CEO of Foundstone, and current worldwide ...
By now, you may have seen the Google blog post talking about the targeted attacks against the computers of Vietnamese speakers and others. The botnet, which McAfee identified while investigating Operation Aurora, has commandeered these computers in what appears to be a politically motivated attack. McAfee has been sharing the results of its investigation with Google as it unfolded.
Attackers created the botnet by targeting Vietnamese speakers with malware disguised as software that lets Windows support the Vietnamese language. The keyboard driver known as VPSKeys is popular with Vietnamese Windows users and is needed to insert accents at the appropriate locations when using Windows.
The bot code, masquerading as the keyboard driver, is installed on victims' computers; once infected, they join a botnet whose command and control systems are located around the globe and are accessed predominantly from IP addresses inside Vietnam.
We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks. While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related. The bot code is much less sophisticated than the Operation Aurora attacks. It is common bot code that could use infected machines to launch distributed denial of service attacks, monitor activity on compromised systems, and serve other nefarious purposes.
We believe the attackers first compromised www.vps.org, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse. The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead.
The rogue keyboard driver, dubbed W32/VulcanBot by McAfee, connected the infected machines to a network of compromised computers. During our investigation into the botnet we found about a dozen command and control systems for the network of hijacked PCs. The command and control servers were predominantly being accessed from IP addresses in Vietnam.
The Trojan installs the following malware on the infected system:
* %UserDir%\Application Data\Java\jre6\bin\jucheck.exe
* %UserDir%\Application Data\Java\jre6\bin\zf32.dll
* %UserDir%\Application Data\Microsoft\Internet Explorer\Quick Launch\VPSKEYS 4.3.lnk
* %RootDir%\Program Files\Adobe\AdobeUpdateManager.exe
* %RootDir%\Program Files\Java\jre6\bin\jucheck.exe
* %RootDir%\Program Files\Microsoft Office\Office11\OSA.exe
* %SysDir%\mscommon.inf
* %SysDir%\msconfig32.sys
* %SysDir%\zf32.dll
* %SysDir%\Setup\AdobeUpdateManager.exe
* %SysDir%\Setup\jucheck.exe
* %SysDir%\Setup\MPClient.exe
* %SysDir%\Setup\MPSvc.exe
* %SysDir%\Setup\OSA.exe
* %SysDir%\Setup\wuauclt.exe
* %SysDir%\Setup\zf32.dll
These files, when executed, initiate connections to the following domains:
* google.homeunix.com
* tyuqwer.dyndns.org
* blogspot.blogsite.org
* voanews.ath.cx
* ymail.ath.cx
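As an added example (not code from the post or from McAfee), here is a small Python triage script that turns the dropped-file locations and command and control domains listed above into checks over a file inventory export and proxy log lines. The expansions assumed for %UserDir%, %RootDir% and %SysDir%, and the sample inputs, are my own assumptions.

```python
import re
# IoCs exactly as listed in the post; %UserDir%, %RootDir%, %SysDir% are the post's placeholders.
DROPPED_FILES = [
    r"%UserDir%\Application Data\Java\jre6\bin\jucheck.exe",
    r"%UserDir%\Application Data\Java\jre6\bin\zf32.dll",
    r"%UserDir%\Application Data\Microsoft\Internet Explorer\Quick Launch\VPSKEYS 4.3.lnk",
    r"%RootDir%\Program Files\Adobe\AdobeUpdateManager.exe",
    r"%RootDir%\Program Files\Java\jre6\bin\jucheck.exe",
    r"%RootDir%\Program Files\Microsoft Office\Office11\OSA.exe",
    r"%SysDir%\mscommon.inf", r"%SysDir%\msconfig32.sys", r"%SysDir%\zf32.dll",
    r"%SysDir%\Setup\AdobeUpdateManager.exe", r"%SysDir%\Setup\jucheck.exe",
    r"%SysDir%\Setup\MPClient.exe", r"%SysDir%\Setup\MPSvc.exe", r"%SysDir%\Setup\OSA.exe",
    r"%SysDir%\Setup\wuauclt.exe", r"%SysDir%\Setup\zf32.dll",
]
C2_DOMAINS = ["google.homeunix.com", "tyuqwer.dyndns.org", "blogspot.blogsite.org",
              "voanews.ath.cx", "ymail.ath.cx"]
# Assumed expansions of the placeholders for XP/Vista-era Windows directory layouts.
PLACEHOLDERS = {"%UserDir%": r"[a-z]:\\(?:documents and settings|users)\\[^\\]+",
                "%RootDir%": r"[a-z]:",
                "%SysDir%": r"[a-z]:\\(?:windows|winnt)\\system32"}

def template_to_regex(template):
    """Anchored, case-insensitive regex for one placeholder path."""
    parts = re.split(r"(%[A-Za-z]+%)", template)
    return re.compile("^" + "".join(PLACEHOLDERS.get(p) or re.escape(p) for p in parts) + "$", re.I)

FILE_PATTERNS = [(t, template_to_regex(t)) for t in DROPPED_FILES]
DOMAIN_PATTERN = re.compile(r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*(" +
                            "|".join(map(re.escape, C2_DOMAINS)) + r")(?![a-z0-9-])", re.I)

def match_paths(paths):
    """(path, template) for every path at a dropped-file location. A hit is only a triage
    lead: several names mimic legitimate Java, Adobe and Office binaries, so confirm with
    AV detection or a known-bad hash rather than the path alone."""
    return [(p, t) for p in paths for t, rx in FILE_PATTERNS if rx.match(p)]

def match_domains(log_lines):
    """(line_no, c2_domain) for lines naming a C2 domain or any host beneath it."""
    found = ((n, DOMAIN_PATTERN.search(line)) for n, line in enumerate(log_lines, 1))
    return [(n, m.group(1).lower()) for n, m in found if m]

# Constructed sample input: three entries from a file inventory and three proxy log lines.
SAMPLE_PATHS = [r"C:\Documents and Settings\alice\Application Data\Java\jre6\bin\zf32.dll",
                r"C:\WINDOWS\system32\Setup\MPSvc.exe",
                r"C:\WINDOWS\system32\wuauclt.exe"]  # legitimate location, must not hit
SAMPLE_LOG = ["2010-03-30 10:01:02 10.0.0.5 GET http://www.google.com/ 200",
              "2010-03-30 10:01:09 10.0.0.5 GET http://google.homeunix.com/x.php 200",
              "2010-03-30 10:02:11 10.0.0.7 CONNECT update.ymail.ath.cx:443 200"]
```

Running `match_paths(SAMPLE_PATHS)` and `match_domains(SAMPLE_LOG)` flags the two dropped files and the two C2 contacts while leaving the legitimate wuauclt.exe location and google.com request alone.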
While originally some of these domains and files had been reported to be associated with Operation Aurora, we have since come to believe that this malware is unrelated to Aurora and uses a different set of Command & Control servers.
We believe that the perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam. The charter of the Vietnamese Professionals Society is to increase the knowledge and understanding of the social and economic conditions in the Southeast Asian country, according to Wikipedia.
McAfee added detection of the malware in January, around the same time we provided protection for Operation Aurora related malware. The botnet is still active and attacks from the botnet continue today.
This incident underscores that not every attack is motivated by data theft or money. This is likely the latest example of hacktivism and politically motivated cyberattacks, which are on the rise and a topic we at McAfee have often discussed in our publications. In an excellent paper on Cybercrime and Hacktivism published this month, researcher Francois Paget discusses the topic at length. It is also covered in our most recent Quarterly Threat Report.
As these events unfold, we will continue to keep you updated.
You can follow McAfee CTO George Kurtz on Twitter
I have understood the method used by communism since 1950. Even if you have black and white evidence in front of them, they will reject it… That is why we don't have many communist countries remaining in our world.
I did have this Trojan too, when I wanted to learn Vietnamese. Unfortunately it was the first keyboard driver that I came across; and even so, the input method is not the most popular Telex method. However, I can confirm the malicious version was in place already in November 2009, because that was when I tried it.
Eerily enough, I had been running F-Secure Antivirus but they never ever recognized any of my Trojans until I sent them samples of them. And only today did I get to remove the last of the Trojans.
Furthermore, my 2 credit cards were compromised – along with verification codes, the second one within just 2 weeks of getting it, so either I have a keylogger on this laptop, or the 1 site I did have contact with stupidly stores the verification code too.
You and the McAfee team have done a good job finding the Trojan.
But you made a conclusion which can’t convince Vietnamese readers: “We believe that the perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam”. You have no clear evidence or argument for that. The website http://www.vps.org/ has not been protected well, and a normal hacker can attack it.
Please investigate more, and think carefully before making an important conclusion. Don’t make us disappointed with McAfee.