- Date: October 28, 2010
- Author: SecureWorks' Counter Threat UnitSM
SecureWorks' Counter Threat UnitSM (CTU) security research team has discovered a new DDoS (Distributed Denial of Service) Trojan horse malware family involved in denial-of-service attacks against Vietnamese blogs. Currently no unique name exists for this trojan in anti-virus detections, therefore SecureWorks has dubbed this trojan "Vecebot".
Size: 462,336 bytes
Compiled: Wed Oct 13 04:30:26 2010 UTC
When executed, the trojan installs drops the following files in the
%ProgramFiles%\Common Files\Windows Update Components folder:
MD5: 0e03de130b68f3ba32e1f1f7f1177762 UsrClass.ini
Size: 116 bytes
MD5: 88fdb07154dd1203aef372273c38c986 wuauclt.exe
MD5: cdd57af8ba2b6c9de87e9dc894e6908a wuauserv.dll
The trojan installs a system service with the following parameters:
Service Name: wuauservcom
Display Name: Windows Update Components
Service Description: Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.
Image Path: "%Program Files%\Common Files\Windows Update Components\wuauclt.exe" -delay
The installed service entry loads wuauclt.exe, a minimal driver stub that loads wuauserv.dll, which contains the core functional code of the trojan. When activated, the trojan DLL will load its initial configuration from the UsrClass.ini file in the same directory. This file is XOR-encrypted, and when decrypted, reads:
javabin.dyndns.org/Windows/dat7.html javasecurity.dyndns.info/Windows/dat7.html dream.jz9u.com/Windows/dat7.html
These URIs are locations for the trojan's remote configuration file, which contains instructions for launching denial-of-service attacks. The remote configuration file is base32-encoded, and then base64-encoded to obfuscate its contents. When decoded, the file contains parameters embedded in XML markup, which are parsed by the trojan and stored in memory.
The XML file starts with a "<number>" tag, which defines the configuration file ID. There are then a number of "<hostinfo>" tags that define parameters for the attack. These parameters are:
<AttackingThreadsServer> <AttackingThreadsPC> <Timeout> <host> <port> <ProcessPage> <Accept> <Accept-Language> <Accept-Encoding> <Referer> <Cookie> <Pragma> <Accept-Charset> <Keep-Alive> <ua-cpu> <Authorization> <Connection> <DelayTime> <RequestMethod> <ExcludedCountry> <CompletedRequest> <CookieParameter> <AuthorizationPage> <StartText> <EndText> <Map> <NumParameter>
Many of the XML parameters are directly used to populate the HTTP headers for the attack request. In this way, the attack can be easily customized to blend in better with legitimate browser requests, making it more difficult for the attacked site to know which requests are from attackers and which are from legitimate visitors.
The trojan also contains code for rudimentary CAPTCHA-breaking, a response to one of the victim sites that uses a CAPTCHA-based authentication system to differentiate between human users and bots. Although trojan bots have used CAPTCHA-breaking systems almost since the inception of CAPTCHA systems, ordinarily they use a back-end server to perform the CAPTCHA-breaking operations and cache the solved CAPTCHA puzzles, instead of including the CAPTCHA-breaking code in the bot itself. This design choice is likely due to the complexity of image processing code, which would lead to a substantial increase in the size of the trojan binary, especially for a robust system. However, Vecebot's CAPTCHA-breaking code is rudimentary, and not terribly effective at bypassing the CAPTCHA system it was introduced to defeat. Despite this, causing numerous CAPTCHA challenges probably induces a significant load on the attacked server.
Vecebot also periodically sends statistics about the attack to a secondary set of servers hard-coded in the body of the trojan. Currently these servers are:
googleinstant.dyndns.tv googleupdate.dyndns-work.com gone.gigamonkeys.net
Attack data from one of the victims shows the botnet created by Vecebot to be somewhere between 10,000 and 20,000 infected hosts. The distribution by country shows the significant portion of the botnet is comprised of computers within Vietnam:
The current list of target URLs in the remote configuration file is:
These sites are all blogs or forums that contain content critical of the Vietnamese Communist Party or recent developments concerning bauxite mining operations being carried out in the country by China. Earlier this year, there were similar attacks against some of these same targets by another bot known as "Vulcanbot". At the time, Vulcanbot was believed to be part of the Aurora attacks against Google and other companies, but this turned out to be coincidence. Vulcanbot is not related in any way to the Aurora codebase. An excellent synopsis of the information pertaining to Aurora and Vulcanbot can be found at:
Vecebot may be a continuation of the Vulcanbot attacks ,and it is possible that the same group has deployed this new trojan to continue those attacks. Although speculation has so far been that the Vulcanbot attacks were orchestrated by the Vietnamese government or the Vietnamese Communist Party, there has been no solid evidence presented that connects anyone in the government or political establishment to the attacks.
There is however some evidence that the attacks may have been perpetrated by a pro-communist hacking group. One of the targets of both the Vulcanbot and Vecebot attacks is x-cafevn.org. In addition to the DDoS attacks, there have been intrusions into the server that hosts x-cafevn.org and the computer of the administrator. The forum's user database and administrator's personal details (including personal emails) were posted to a website by the pro-communist hacking group where the hackers claimed responsibility for the hacks, as well as their reasoning and a message directed to what they consider to be "reactionary" sites.
The message from the hackers (as translated from Vietnamese by Google Translate) is below:
WHO ARE WE?
The hackers also left an email address to receive comments about the hack: email@example.com.
It is a likely possibility that the current DDoS attacks and the earlier intrusions are activity from the same group. One link that supports this theory is the naming of some of the domains and hostnames used in the hacking attacks and the DDoS attacks. The administrator of x-cafevn.org identified the following hosts involved with the intrusion attempts (according to the emails stolen from his computer and published by the hackers):
These names are similar to two of the Vecebot controller hostnames:
Additionally, there is some overlap in the domain name servers used by the third Vecebot controller domain, "jz9u.com" and the hackers' site "x-cafevn-db.info".
A further clue: despite the fact that Vecebot's code is a native Windows library, it contains a great deal of calls to Unix-based POSIX functions rather than the standard Windows API. For instance, calls to download the configuration files via HTTP are initiated using low-level socket/connect/send/recv calls rather than the quicker and easier WinINET API that most Windows programmers use. This choice may indicate that the programmer of Vecebot is more familiar or more comfortable with programming on Unix-derived operating systems. The screenshots of the x-cafevn.org site taken by the hacker and posted to the x-cafevn-db.info site were created on a Unix-derivative system such as Linux or FreeBSD.
None of this evidence is conclusive, just as it cannot be determined if the hackers responsible are operating independently or at the behest of the Vietnamese government or the Vietnamese Communist Party. Logic suggests that the government could more easily censor the blogs simply by blocking access to them at the border routers of the network connections coming into the country, rather than needing to create a DDoS botnet. However, it could be that the purpose of the botnet is to stifle the publication of this information to expatriates and other groups outside the country's borders.
The timing of these newest attacks is also interesting. On October, 19, 2010, a Vietnamese blogger who wrote pseudonymously under the name Dieu Cay was due to end a 30-month prison sentence for tax evasion, which most critics of the Vietnamese government believed to be a thinly-veiled retribution for his outspoken political blogging. A movement to declare October 19, 2010 as "Vietnam Blogger Day" was even initiated by his supporters. However, the Vietnamese authorities have not released him according to schedule, and are reportedly holding him under new charges of "propaganda against the state".
It is plausible that Vecebot was purposely deployed in advance of the October 19 date, as a means to stifle anticipated backlash from the further detainment of Dieu Cay. If that is the case, it would indicate some sort of collusion between the author of the trojan and the political establishment, since the botnet was in place a week before the Dieu Cay's scheduled release. This speculation cannot be proven through malware analysis alone, and could be purely coincidental. Whatever the circumstances surrounding the creation of Vecebot, it is clear that the purpose of the botnet is to silence critics of the Vietnamese political establishment where their voices might reach beyond the borders of Vietnam.