McAfee has warned of an attack that hit Vietnamese computers to create a botnet in what appears to be a politically motivated attack.
George Kurtz, CTO at McAfee, claimed that attackers created the botnet by targeting Vietnamese speakers with malware that was disguised as software that allows Windows to support the Vietnamese language. The keyboard driver, known as VPSKeys, is popular with Vietnamese Windows users and is needed to be able to insert accents at the appropriate locations when using Windows.
McAfee suspected that efforts to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks, although it believes that the attacks are not related as the bot code is much less sophisticated than the Operation Aurora attacks.
Kurtz said: “We believe the attackers first compromised the website of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse. The attackers then sent an email to targeted individuals which pointed them back to the VPS website, where they downloaded the Trojan instead.
“The rogue keyboard driver, dubbed W32/VulcanBot, connected the infected machines to a network of compromised computers. During our investigation into the botnet we found about a dozen command and control systems for the network of hijacked PCs. The command and control servers were predominantly being accessed from IP addresses in Vietnam.
“It is common bot code that could use infected machines to launch distributed denial-of-service attacks, monitor activity on compromised systems and for other nefarious purposes.”
He believed that the perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam. “This incident underscores that not every attack is motivated by data theft or money. This is likely the latest example of 'hacktivism' and politically motivated cyber attacks,” said Kurtz.
Symantec Security Response also warned of a piece of the attack, classifying the malware as Trojan.Dosvine. It compared it to Trojan.Dozer, which attempted to perform a DDoS attack against a number of strategic sites in North Korea last year.
Symantec's Patrick Fitzgerald said: “Hijacking the update mechanism is an interesting technique, but what's more interesting is that this technique is being used in this attack. Our telemetry shows that Vietnamese websites are the targets in this attack, and shows that outside of Vietnam there seems to be a correlation to the relative sizes of the Vietnamese communities in those countries.”