The attack, identified by companies including McAfee, Google, and Symantec, centers on a malware strain that Symantec is calling Trojan.Dosvine. According to researchers, the malware is being used to infect Vietnamese Windows computers.
"These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent," said Google's Neel Mehta in a blog post. "Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country."
The malware infects the computers of users who download Vietnamese keyboard language software, effectively restricting itself to Vietnamese speakers.
"The keyboard driver known as VPSKeys is popular with Vietnamese Windows users and is needed to be able to insert accents at the appropriate locations when using Windows," explained McAfee's George Kurtz. He said that the effort to create the botnet of Vietnamese machines began last year.
"We believe the attackers first compromised www.vps.org, the Web site of the Vietnamese Professionals Society (VPS), and replaced the legitimate keyboard driver with a Trojan horse," Kurtz continued. "The attackers then sent an email to targeted individuals which pointed them back to the VPS Web site, where they downloaded the Trojan instead."
Symantec researchers explained that, once installed, the program first updates itself and then downloads a malware dropper that installs malicious files.