Vietnam & Aurora
[UPDATE: See “Vecebot Trojan Analysis” by SecureWorks.]

A while back I wrote a post about “Aurora Mess” in which I tried, unsuccessfully, to make sense of the different assessments of the attacks on Google and at least 20 other companies within the security community. I was trying to grapple with the way in which Google and McAfee were characterizing the attacks as sophisticated while Damballa labeled them amateurish and connected them to some common cybercrime activities. Well, it turns out that it was confusing for a reason. (And it is still confusing; check out Damballa’s reaction to “Aurora Lite”.)

Some of the domain names included as part of Aurora turned out to be not part of Aurora. McAfee explains:

While originally some of these domains and files had been reported to be associated with Operation Aurora, we have since come to believe that this malware is unrelated to Aurora and uses a different set of Command & Control servers.

Turns out that these domain names (google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org, voanews.ath.cx, ymail.ath.cx), once included as part of Aurora – an attack traced to China – were now traced to Vietnam. It looks like the domains were erroneously included as part of Aurora because they were discovered during the Aurora investigation:

We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks. While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related.

Neel Mehta of Google noted that there may be a political dimension to the attacks:

The malware infected the computers of potentially tens of thousands of users who downloaded Vietnamese keyboard language software and possibly other legitimate software that was altered to infect users. While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes. These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.

In terms of the attack vector, McAfee’s Kurtz stated:

We believe the attackers first compromised www.vps.org, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse. The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead.

To summarize, from Google and McAfee, we have:

  • Command and control servers are google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org, voanews.ath.cx, ymail.ath.cx
  • The botnet started in late 2009, coinciding with the Aurora attacks, which would make the date mid-December
  • There were targeted attacks that encouraged the download of malicious software from www.vps.org, which had already been compromised and was hosting the malware
  • The malware, W32/VulcanBot, was disguised as a Vietnamese keyboard driver
  • This botnet DDoSed sites that opposed a bauxite mine in Vietnam

The website that may have been DDoS’d in connection with the bauxite mine may have been bauxitevietnam.info.

The AP’s Ben Stocking reports that:

Last fall, the government detained several bloggers who criticized the bauxite mine, and in December, a Web site called bauxitevietnam.info, which had drawn millions of visitors opposed to the mine, was hacked.

Stocking also reported:

Vietnam has hired a Chinese company to build the plant to process bauxite taken from the mines and hundreds of Chinese are reportedly working there.

Vietnam has some of the world’s largest reserves of bauxite, the primary ingredient in aluminum. The government has argued that the mine would bring economic benefits to the impoverished Central Highlands.

Opponents say the project would cause major environmental problems and have raised the specter of Chinese workers flooding into the strategically sensitive region.

OK, so maybe there is a China connection. Or maybe not.

McAfee points out that:

The command and control servers were predominantly being accessed from IP addresses in Vietnam.

Ok, back to the Aurora mess. Damballa found a sample on 2009-08-19 which they classified as Fake AV / Scareware masquerading as Microsoft Antispyware Services. This malware used several of the same command and control servers noted by McAfee (google.homeunix.com, voanews.ath.cx, ymail.ath.cx), along with additional ones: yahoo.blogdns.net, ec2-79-125-21-42.eu-west-1.compute.amazonaws.com, ip-173-201-21-161.ip.secureserver.net, and inekoncuba.inekon.co.cu.

8 April 2009 – bb2aa6bf91388242dcff552eb476c545
16 April 2009 – 4488dea2071f0818d3b6269a061c2df6
3 December 2009 – 69baf3c6d3a8d41b789526ba72c79c2d
20 January 2010 – 7ee6628b8caeef57607e5426261b8c0c

McAfee has the date for W32/Vulcanbot as 01/23/2010, nine months after a sample was submitted to ThreatExpert with common command and control servers. Is this really a new botnet? What are apparently politically motivated attacks doing with rogue AV and typical crimeware junk? Without detailed information about the Vietnamese case it's very difficult to make an accurate assessment.
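The overlap argument above (shared C2 hosts that predate a vendor's "new botnet" date) is the kind of check an analyst can script before accepting an attribution. The following is an added example, not code from the post; its data is constructed from the C2 hosts and dates quoted in the post, and the report names are just labels.

```python
from datetime import date
from collections import defaultdict

# Constructed from indicators quoted in the post: McAfee's VulcanBot C2 list
# (signature dated 01/23/2010) and the C2 set Damballa tied to earlier
# Fake AV samples (earliest sample dated 8 April 2009).
REPORTS = {
    "mcafee_vulcanbot": {
        "first_seen": date(2010, 1, 23),
        "c2": {"google.homeunix.com", "tyuqwer.dyndns.org",
               "blogspot.blogsite.org", "voanews.ath.cx", "ymail.ath.cx"},
    },
    "damballa_fakeav": {
        "first_seen": date(2009, 4, 8),
        "c2": {"google.homeunix.com", "voanews.ath.cx", "ymail.ath.cx",
               "yahoo.blogdns.net", "inekoncuba.inekon.co.cu"},
    },
}

def shared_c2(reports):
    """C2 hosts that appear in more than one report, mapped to the reports naming them."""
    seen = defaultdict(set)
    for name, rep in reports.items():
        for host in rep["c2"]:
            seen[host].add(name)
    return {host: names for host, names in seen.items() if len(names) > 1}

def earliest_sighting(reports, host):
    """Earliest first_seen date among the reports that list this host, or None."""
    dates = [rep["first_seen"] for rep in reports.values() if host in rep["c2"]]
    return min(dates) if dates else None

def predates_claim(reports, claim_report):
    """For each shared C2 host sighted before claim_report's first_seen date,
    return how many days earlier it was already known (host -> days)."""
    claim = reports[claim_report]["first_seen"]
    out = {}
    for host in shared_c2(reports):
        first = earliest_sighting(reports, host)
        if first < claim:
            out[host] = (claim - first).days
    return out

if __name__ == "__main__":
    for host, days in sorted(predates_claim(REPORTS, "mcafee_vulcanbot").items()):
        print(f"{host}: already seen {days} days before the VulcanBot signature date")
```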

3 comments.

  1. Do such breaches of security constitute industrial sabotage, and if a criminal act, then who stands to benefit from the crime? That is the “probable cause” question to ask. Is bauxite mining really the issue, or is the actual cybertarget the critical reputation of Google for comfortable internet security? Damage that reputation, and you badly damage Google.