New DDoS Trojan used for downing dissident sites
A new DDoS Trojan connected with a slew of attacks against Vietnamese blogs has been discovered by SecureWorks.
Dubbed Vecebot, the Trojan drops three files into the ProgramFiles\Common Files\Windows Update Components folder and then retrieves its remote configuration file, which contains the instructions for launching denial-of-service attacks. It also has some basic CAPTCHA-breaking capabilities.
A deeper analysis of the data from one of the victims’ systems indicates that a botnet was built using the Trojan and that it consists of somewhere between 10,000 and 20,000 infected computers, the great majority of which are located in Vietnam. The targets are blogs and forums where people criticize the leading Vietnamese Communist Party and post information about the bauxite mining operations being carried out in the country by China.
While there is no hard evidence to suggest these attacks were arranged by the Vietnamese government, there is some evidence suggesting the involvement of a pro-communist hacking group. “The timing of these newest attacks is also interesting,” the SecureWorks blog post says. “On October 19, 2010, a Vietnamese blogger who wrote pseudonymously under the name ‘Dieu Cay’ was due to end a 30-month prison sentence for tax evasion, which most critics of the Vietnamese government believed to be thinly veiled retribution for his outspoken political blogging.”
“In the past, we typically saw Distributed Denial of Service (DDoS) attacks launched at the governments of countries located in Eastern Europe, such as those we witnessed against Georgia, Estonia and Kyrgyzstan,” says Joe Stewart, Director of Malware Analysis for SecureWorks’ Counter Threat Unit research team. “More recently, we saw a slew of DDoS attacks directed at government and private sites in South Korea and the US. With the current cyber activity in Vietnam, as well as a group of separate assaults we are tracking against political sites in Brazil, we feel that we will definitely see more of these politically motivated cyber attacks in the future.”