The DDoS botnet created by the new trojan, dubbed the Vecebot Trojan by SecureWorks, has infected between 10,000 and 20,000 computers, most of them located in Vietnam.
Sites that have been attacked contain comments critical of the Vietnamese Communist Party or recent developments concerning bauxite mining operations in Vietnam being carried out by China, according to SecureWorks’ Counter Threat Unit.
Stewart told Infosecurity that there is no evidence that the Vietnamese government is behind the DDoS Vecebot trojan. He said that it is likely a private hacker group responsible for attacks against the same websites earlier this year is responsible for the Vecebot attacks, although the group has denied this. “We don’t have any real evidence that they are behind it, but there are some interesting linkages about the choices of domain names and hosting choices they have made….But we really don’t have any firm evidence about who is behind it”, he said.
Stewart said that politically motivated DDoS are becoming more popular around the world.
“We have had a history of this kind of activity in Eastern Europe for awhile now....There are constant attacks against news sites and journalists using denial of service tools in that region....But until recently we haven’t seen those types of attacks in other parts of the world. We have not just this thing happening in Vietnam, but we saw recently there was an attack against some Brazilian political parties in the past week that coincided with their elections. There are attacks going on in Burma. So it’s seems to be a growing trend to use denial of service attacks to silence other viewpoints.”
In a post on SecureWorks' website, the Counter Threat Unit said that the Vecebot trojan could be tied to the scheduled release from prison of a Vietnamese blogger who uses the name Dieu Cay. The blogger was imprisoned for tax evasion, but most critics of the Vietnamese government suspect the imprisonment was retribution for his anti-government blogging. There was an online movement to declare Oct. 19, the date of his release, as “Vietnam Blogger Day”. Instead, the Vietnamese government delayed Dieu Cay's release and are reportedly holding him under new propaganda charges.
“It is plausible that Vecebot was purposely deployed in advance of the Oct. 19 date, as a means to stifle anticipated backlash from the further detainment of Dieu Cay. If that is the case, it would indicate some sort of collusion between the author of the trojan and the political establishment, since the botnet was in place a week before Dieu Cay's scheduled release. This speculation cannot be proven through malware analysis alone, and could be purely coincidental. Whatever the circumstances surrounding the creation of Vecebot, it is clear that the purpose of the botnet is to silence critics of the Vietnamese political establishment where their voices might reach beyond the borders of Vietnam,” the unit wrote.