Vietnamese the Latest Target in a Politically Motivated Attack

On Monday, March 29, 2010, bkis.com published a blog describing malware that masqueraded as the Adobe Reader update program. This tactic is an attempt to run a malicious payload while avoiding detection. As we looked into this sample (detected as Trojan.Dosvine) in more detail, it became clear that this threat is involved in a DDoS (Distributed Denial of Service) attack on the Vietnamese online community. In a related article, Google reported that “compromised keyboard language software and possibly other legitimate software” is being used to infect Vietnamese Windows computers.

Initial reports on this attack have compared this to the Trojan.Hydraq/Aurora incident from earlier this year. For those not familiar with the Hydraq incident, everything you need to know can be found in our blog series on the subject. The comparison is not entirely accurate since the motive behind the Hydraq incident was industrial espionage. In contrast, the motive behind Trojan.Dosvine is to prevent access to strategic Vietnamese websites.

A better comparison to this threat is Trojan.Dozer. This threat attempted to perform a DDoS attack against a number of strategic sites in Korea, for example:

    * www.president.go.kr
    * www.mnd.go.kr
    * www.mofat.go.kr
    * www.assembly.go.kr

Dozer first surfaced on the July 8, 2009. Trojan.Dozer attacked strategic Korean sites. This time the targets are Vietnamese websites. (continue reading...)