[UPDATE: See "Vecebot Trojan Analysis" by SecureWorks.]
A while back I wrote a post about “Aurora Mess” in which I tried, unsuccessfully, to make sense of the different assessments of the attacks on Google and at least 20 other companies within the security community. I was trying to grapple with the way in which Google and McAfee were characterizing the attacks as sophisticated while Damballa labeled them amateurish and connected them to some common cybercrime activities. Well, it turns out that it was a confusing for a reason. (And is still confusing, check out Damballa’s reaction to “Aurora Lite“)
Some of the domain names included as part of Aurora turned out to be not part of Aurora. McAfee explains:
While originally some of these domains and files had been reported to be associated with Operation Aurora, we have since come to believe that this malware is unrelated to Aurora and uses a different set of Command & Control servers.
Turns out that these domain names (google.homeunix.com tyuqwer.dyndns.org blogspot.blogsite.org voanews.ath.cx ymail.ath.cx), once included as part of Aurora – an attack traced to China — were now traced Vietnam. It looks the domains were erroneously included as part of Aurora because they were discovered during the Aurora investigation:
We suspect the effort to create the botnet started in late 2009, coinciding by chance with the Operation Aurora attacks. While McAfee Labs identified the malware during our investigation into Operation Aurora, we believe the attacks are not related.
Neel Mehta of Google noted that there may be a political dimension to the attacks:
The malware infected the computers of potentially tens of thousands of users who downloaded Vietnamese keyboard language software and possibly other legitimate software that was altered to infect users. While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes. These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.
In terms of the attack vector, McAfee’s Kurtz stated:
We believe the attackers first compromised www.vps.org, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse. The attackers then sent an e-mail to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead.
To Summarize, from Google and McAfee, we have:
- Command and control servers are google.homeunix.com tyuqwer.dyndns.org blogspot.blogsite.org voanews.ath.cx ymail.ath.cx
- The botnet started in late 2009, coinciding with the Aurora attacks, which would make the date mid-December
- There were targeted attacks that encouraged the download of malicious software from www.vps.org which had already been compromise and was hosting the malware
- The malware, W32/VulcanBot, was disguised as a Vietnamese keyboard driver
- This botnet DDoSed sites that opposed a bauxite mine in Vietnam
The website that may have been DDoS’d in connection with the bauxite mine may have been bauxitevietnam.info.
The AP’s Ben Stocking reports that:
Last fall, the government detained several bloggers who criticized the bauxite mine, and in December, a Web site called bauxitevietnam.info, which had drawn millions of visitors opposed to the mine, was hacked.
Stocking also reported:
Vietnam has hired a Chinese company to build the plant to process bauxite taken from the mines and hundreds of Chinese are reportedly working there.
Vietnam has some of the world’s largest reserves of bauxite, the primary ingredient in aluminum. The government has argued that the mine would bring economic benefits to the impoverished Central Highlands.
Opponents say the project would cause major environmental problems and have raised the specter of Chinese workers flooding into the strategically sensitive region.
OK, so maybe there is a China connection. Or maybe not.
McAfee points out that:
The command and control servers were predominantly being accessed from IP addresses in Vietnam.
Ok, back to the Aurora mess. Damballa found a sample on 2009-08-19 which they classified as Fake AV / Scareware masquerading as Microsoft Antispyware Services. This malware used several of the same command and control servers as noted by McAfee (google.homeunix.com
voanews.ath.cx ymail.ath.cx) along with more yahoo.blogdns.net, ec2-79-125-21-42.eu-west-1.compute.amazonaws.com, and ip-173-201-21-161.ip.secureserver.net inekoncuba.inekon.co.cu.
McAfee has the date for W32/Vulcanbot as 01/23/2010 nine months after a sample was submitted to a ThreatExpert with common command and control servers. Is this really a new botnet? What are the apparently politically motivated attacks doing with rogue AV and typical crimeware junk? Without detailed information about the Vietnamese case its very difficult to make an accurate assessment.