The chilling effects of malware

Tuesday, March 30, 2010 2:05 PM

In January, we discussed a set of highly sophisticated cyber attacks that originated in China and targeted many corporations around the world. We believe that malware is a general threat to the Internet, but it is especially harmful when it is used to suppress opinions of dissent. In that case, the attacks involved surveillance of email accounts belonging to Chinese human rights activists. Perhaps unsurprisingly, these are not the only examples of malicious software being used for political ends. We have gathered information about a separate cyber threat that was less sophisticated but that nonetheless was employed against another community.

This particular malware broadly targeted Vietnamese computer users around the world. The malware infected the computers of potentially tens of thousands of users who downloaded Vietnamese keyboard language software and possibly other legitimate software that was altered to infect users. While the malware itself was not especially sophisticated, it has nonetheless been used for damaging purposes. These infected machines have been used both to spy on their owners as well as participate in distributed denial of service (DDoS) attacks against blogs containing messages of political dissent. Specifically, these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.

Since some anti-virus vendors have already introduced signatures to help detect this specific malware, we recommend the following actions, particularly if you believe that you may have been exposed to the malware: run regular anti-virus as well as anti-spyware scans from trusted vendors, and be sure to install all web browser and operating system updates to ensure you’re using only the latest versions. New technology like our suspicious account activity alerts in Gmail should also help detect surveillance efforts. At a larger scale, we feel the international community needs to take cybersecurity seriously to help keep free opinion flowing.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.


Jonas said...

Nice Neel.

Darlene said...

In trying to access my g mail account I get the following message on a red screen:

This is probably not the site you are looking for!
You attempted to reach, but instead you actually reached a server identifying itself as This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of You should not proceed.

Help me understand
When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

In this case, the address listed in the certificate does not match the address of the website your browser tried to go to. One possible reason for this is that your communications are being intercepted by an attacker who is presenting a certificate for a different website, which would cause a mismatch. Another possible reason is that the server is set up to return the same certificate for multiple websites, including the one you are attempting to visit, even though that certificate is not valid for all of those websites. Google Chrome can say for sure that you reached, but cannot verify that that is the same site as which you intended to reach. If you proceed, Chrome will not check for any further name mismatches. In general, it is best not to proceed past this point.

SiNA said...

This is cyberwar. Users must educate themselves more and more everyday. I think it's almost irresponsible to be running on Windows without keeping an updated anti-virus program!
It's like driving on the freeway without any breaks!

Tri said...

What is name of the Vietnamese keyboard language software you're mentioned?

Vinita & Sukumar said...

2 days back I received a very starnge and suspicious email of a very good friend of my mine with the same old story of being trapped in London, wanting money,excellent direction for sending money, amount etc. Initially tempted but better sense prevailed. I alert the friend about his gmail account being hijacked. Is ther anything more that we can do or be aware of to prevent happening to us

Kim-Son said...

Thank you, Google. On behalf of all pro-democracy Vietnamese activists, thank you for bringing awareness to this important issue. It's time for the world community to acknowledge that state-sponsored or -initiated cyber terrorism should be universally condemned.

Emmanuel said...

Neel, were Google services directly targeted here alike in the incident involving Chinese dissidents?

IronMal said...

Where is the sniffer trace file or any of the other hard forensic evidence showing the hack came from a Vietnam government source? You know in a developing country when an irresponsible and unsubstantiated claim like this is made it literally means more children will not get donor food and books. Great job Google, you just killed some Vietnamese children. If this is Google's attempt to foster democratic reform in Vietnam you just send it back 2 steps. Please think before you speak. "Don't be evil".

Orchideae said...

Hi all,
I do not know if you know where information from bauxite, but I would correct that the site has been attacked not by the government of Vietnam. The hackers have created a website that posted all the information 'how to hack, hack to why, and who hack'. Hackers feel that urgent because the borrowed name of the page 'environment, freedom, democracy, reclaim Hoang Sa and Truong Sa for Vietnam' against the State of Vietnam. All our readers have read all that information, and we understand Vietnamese than you. You must go check information before posting this show. We are burning in front of a notorious reactionary because they cause at home and abroad. We feel shame for a big company like Google, does not know how true that has to do honor to our country.

Maya said...

i changed my last name 4 years ago and have not used my old gmail address since then. but last night someone sent spam from that accound to my entire contact list. i'm not sure how they accessed my account because it has been inactive for so long. what should i do? how can i deactivate that account entirely?

Kim Giam said...

To IronMal,

Your post is amazingly similar to a post on the McAfee blog on same day, using same wordings and rhetorical tactics ("Where is the sniffer trace file or any of the other hard forensic evidence showing the hack came from a Vietnam government source? You know in a developing country when an irresponsible and unsubstantiated claim like this is made it literally means more children will not get donor food and books. Great job Google, you just killed some Vietnamese children" vs. "Where is your hard forensic evidence? Got a sniffer trace to show us? What you just did is to hurt donations to charity groups that help Vietnamese kids with food, medicine, education, housing. You probably just killed some Vietnamese kids"). Even the names are similar (IronMal vs. Mal), although the photos on your personal blog and McAfee blog look different.

If I work for the security teams of McAfee or Google, I would take an interest in your case and try to find out whether you have any connection to those cyber attacks you seem to be so desperate to deny by using the repulsive strawman argument.

As a self-proclaimed webmaster and web-designer, don't you think that you just drew unnecessary attention to yourself?

Loc said...


I probably didn't do a good job at capturing the slightly mocking tone, partly because I would probably be no different from them, attacking a strawman and all. Well, Dr Cù Huy Hà Vũ is the same guy who claimed he would become the next Minister of Culture & Information out of the blue and when refused, cried about the total lack of democracy. He also manages to cause 3 public scandals within a year all by himself. And I thought Jack Thompson was the most definitive proof that most lawyers are attention trolls. "Buddy buddy Hà Văn Thịnh" is getting a mild treatment here, google his name and you'll see him being called "Con chó ghẻ cắn càn" right on the first page (temp. translated "Rabid vermin", but you know insults can't be translated).

I mean, what is this ? It does not even attempt to be respectable. It's like saying because your view is subjective you don't have to make sense, when it's about as stupid as the guy above trying to prove Google kills babies and the government slaughters all the ponies. Add to that some juvenile wording, creationist-style cherry-picking, elaborating hypotheses instead of talking about facts, and tabloids that no one could give a hoot about, and you probably get the picture of most of the so-called activism going on in Vietnam. Seriously democracy is lost, Vietnamese people are being slaughtered or treated inhumanely (is this Iran or North Korea?) because someone in the government happens to be as rich as every singer/actor/celebrity in the world and buy a new expensive car that you could never pay for? And then they write letters complaining that despite working hard for all their life they could never earn as much money as him (read : as a singer) ?

Why do I rage so much ? To put it simply, they make ME look bad. They make EVERYONE who actually possesses common sense or simply stay awake during that one class about logical reasoning look bad. Whenever someone genuinely wants to discuss things, they're almost always sneered at by others and called by pejorative terms because the stigma is already so bad. Dumb "activists" writing about history as if it were sensationalist fiction (hey no history was objective so I could make things up too), dumb "activists" making hyperbolic claims whenever they see one (much like how every global warming denier jumps at that one report about the cooling in Antartica, and the same rules apply, stupid claims that are actually based on some facts, that ironically only serve to make them look like idiots). It's why we can't have nice things. Valid ideas that are worth considering get drowned out by the sea of the dumb, but incredibly emotionally motivated masses, much like creationist kids who grew up to only listen to what they want to hear.

Jack Thompson didn't get beat up and thrown into the river. Fox News isn't off the air yet. Idiocracy is a burden of the freedom of expression, but freedom needs to be protected nevertheless.

Loc said...

@IronMal : "Someone please think of the children" again? I'm not quite sure if that was supposed to be a tear-jerker, or a mild joke.

I'm usually an anonymous 4c*******, but this is one of those rare events where I at least have some first-hand experience, being a Vietnamese.

See, I'm a lazy guy and my main source of news is probably /. , so I followed the Google vs China story closely. My thoughts about this one? I wouldn't be too surprised if the government did it, they have blocked quite a few sites in the past (that I usually had no idea of). After being on Wikileaks and the internet for too long, this kind of stuff is probably normal, and there are always proxies, but I was more interested about the SITE in question.
If you want to hear my opinion as a tech person, jump to the last paragraph, read on only if you want to know a few things about Vietnamese activists. I hope this won't take long *uh oh*

It appears that I have visited the site before. It's not too different from the other ones I know. Frankly, I just put all the so-called "pro-democracy activists" into 2 camps : the creationists, and the ones with common sense. Obviously this has nothing to do with creationism, but the way these "activists" make their claims and arguments does not differ much. They call themselves "intellectuals", I call them dumb. I have enjoyed reading many perfectly sane posts and claims backed up with evidence that actually make sense before. This ain't one of 'em. It's about as fair and balanced as Fox News can get.
An example right on the front page (too lazy to list all of 'em) :

"Kể cũng rộn đấy chứ! Cách đây chưa lâu TS Cù Huy Hà Vũ phát đơn kiện Thủ tướng, nay bạn Hà Văn Thịnh lại xúi Thủ tướng đi kiện. Xem ra cả hai đều cùng một động cơ trong sáng như nhau: muốn rằng một vị Thủ tướng của Việt Nam không vướng vào một vết nhơ nào."
"Sure is exciting these days. Not too long ago Dr Cù Huy Hà Vũ filed a lawsuit against the prime minister, now buddy buddy Hà Văn Thịnh is pushing the prime minister to sue. Seems like they're both for an innocent reason: to prove that a prime minister of Vietnam can do no wrong."

A said...

"I think it's almost irresponsible to be running on Windows without keeping an updated anti-virus program!"

I am not Vietnamese. I have up-to-date antivirus program running on my computer. Yes, I have studied Vietnamese and that's why I was looking for Vietnamese input method... unfortunately the first one that I came across with was VPSKeys. That happened on 1st of December, 2009. However my professional up-to-date antivirus program removed last remnants of the Trojans 30 minutes ago... Most of them it did not detect until I MYSELF POSTED THEM A SAMPLE.

The reason why I did not notice anything before was that Windows is a piece of shit that needs TO DIE... It lags and crashes all the time so that when it started lagging and crashing a little more after 1st of December I thought it was ordinary, until this March.

Palm Springs Massage said...

ok. I've followed all the safe things I possible could while doing some medical research, floating into other countries but I sure contacted a baddie from an Indian site; good grief it was bad.. I (and MANY others) worked for 3 months and coudn't get this thing out it was so deep in there I finally had to wipe it out; the forums are SO OVERLOADED with this it's an absolute nightmare; I immediated moved over to Google Chrome >just because< there was so much written about the security aspect I dumped IE and hope I never have to ever use it again. I hope that Google stands out and shines above all the rest as giving us the outstanding security that we have all been waiting for (little did I know when I downloaded a site to my >favorites< file that there was nothing I could do after that. Besides mass mailing, the root kits (or whatever it was) ended up so tied into my entire pc and none of the programs, absolutely nothing worked. I hope & pray that Google keeps SECURITY as their top TOP priority and I want to say *thank you* Google for seeing the need out here; please stay on top of the bad guys.

Scam said...

Along with rogue anti-malware, fake anti-piracy utilities are now also being distributed to music lovers and other media users on the Internet, but especially in the music industry. Many Internet users download music and other media from the net, while some are packaged with these Trojans that issue warning messages to scare the public. They are advised to take their chances in court, or skip the heavy fines and possible jail time by opting for a ‘pre-trial settlement’. They are then directed via hacked websites to another malware site where computers are further infected and where financial ‘settlements’ are solicited, also providing banking details to criminals.

Comment posted in the Public’s Interest.

emyWINCHESTER said...

hi! i was using google chrome and the other day, when i clicked on the link to my website, there was a warning that said, 'Malware Detected' Bla bla bla.. and they asked me to go to webmaster tools from google to solve the problem. i didnt really know how to figure out the thing, so i just changed my browser to firefox. and when i clicked on my website, everything was just fine. no red warning or anything.

so i was wondering. why was the 'Malware Detected' sign only appeared when i used Chrome and not firefox?? was that just a stupid prank/disturbance sent by other parties or what?