VietNamNet Bridge – Nguyen Minh Duc of BKAV has stated that BKAV has traced the command-and-control (C&C) servers that directed the DDoS attacks on online newspapers in early July.
Prior to that, the local press had quoted the director of an Internet security firm as saying that the firm, after analyzing the attack, found that it originated from an IP address in Vietnam.
BKAV, meanwhile, has said that of the three C&C servers, one has an IP address in Germany.
Duc said the malware that turned victim computers into “zombies” was located in the Common Files folder of the Windows operating system, and that it created a fake service, named Bluetooth Service, to run when the computer started up.
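The two indicators above (a service binary under Common Files and a service named to look like Windows' own Bluetooth support) can be checked without the vendor tool. The following PowerShell script is an added example written for this page; it is not code from the article, BKAV or HVAOnline. It assumes the genuine Windows service is `bthserv` ("Bluetooth Support Service") hosted by `svchost.exe` under `%SystemRoot%`, and treats any other Bluetooth-named service, or any service whose binary lives under Common Files, as worth a closer look; the service names and paths in the comments are assumptions, not indicators from the article.

```powershell
# Added example, not from the article: flag services that match the persistence
# pattern described (Bluetooth-style name, or binary under Common Files).
# Assumption: the legitimate service is bthserv and runs inside svchost.exe;
# anything else matching is reported for manual review, not deleted.

$commonFiles = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ }

$services = Get-CimInstance -ClassName Win32_Service

$findings = foreach ($svc in $services) {
    $path = [string]$svc.PathName

    $inCommonFiles = $false
    foreach ($dir in $commonFiles) {
        if ($path -and $path.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $inCommonFiles = $true
        }
    }

    $bluetoothName = ($svc.DisplayName -match 'bluetooth') -or ($svc.Name -match 'bluetooth')

    # The real Bluetooth Support Service is a svchost-hosted service named bthserv (assumption).
    $looksLegit = ($svc.Name -eq 'bthserv') -and ($path -match 'svchost\.exe')

    if (($bluetoothName -or $inCommonFiles) -and -not $looksLegit) {
        if ($bluetoothName -and $inCommonFiles) {
            $reason = 'Bluetooth-style name AND binary under Common Files'
        } elseif ($bluetoothName) {
            $reason = 'Bluetooth-style name but not bthserv/svchost'
        } else {
            $reason = 'service binary under Common Files'
        }
        [PSCustomObject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            State       = $svc.State
            PathName    = $path
            Reason      = $reason
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize

    # Hash the executables so they can be compared against vendor information
    # before anything is stopped or removed; legitimate vendor helpers also live
    # under Common Files, so a hit here is a lead, not a verdict.
    foreach ($f in $findings) {
        # Strip a quoted path or a trailing argument list to get the .exe itself.
        $exe = ($f.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if (Test-Path -LiteralPath $exe) {
            Get-FileHash -LiteralPath $exe -Algorithm SHA256 | Select-Object Hash, Path
        }
    }
} else {
    'No Bluetooth-named or Common Files services found outside the expected bthserv.'
}
```

Run it from an elevated PowerShell prompt so `Win32_Service` returns the full `PathName` for every service. A hit is only a lead: confirm the hash and signer of the binary before stopping the service.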
BKAV, after analyzing the malware, discovered that at the time it was receiving orders to attack the domain names vietnamnet.vn, m.vietnamnet.vn, batdongsan.vietnamnet.vn and m.batdongsan.vietnamnet.vn of VietNamNet newspaper; dantri.vn, s.dantri.com.vn, m.dantri.com.vn, dantri.com and dantri.com.vn of Dan Tri newspaper; and tuoitre.vn, sevice.tuoitre.vn, wa2.tuoitre.vn, m.tuoitre.vn, wa3.tuoitre.vn and wa4.tuoitre.vn of Tuoi tre newspaper. The attacks paralyzed the newspapers’ servers, making it impossible for users to access the websites.
“BKAV has included the virus sample in BKAV’s anti-virus software since July 10. It has also informed the relevant units so they can deal with the servers,” Duc said.
Meanwhile, Nguyen Hong Phuc, a member of HVAOnline, said on July 16 that the botnet that hacked the newspapers had been temporarily neutralized.
“This shows the great efforts of HVAOnline and the netizen community in helping Vietnamese online newspapers fight against the big DDoS attacks from hackers,” Phuc said.
He went on to say that with the active support of the netizen community, HVAOnline had discovered the virus and analyzed the sample to track down the servers that commanded the recent attacks on online newspapers.
“HVAOnline has found some of the servers that gave the orders to attack, located at the company Lease Web GmbH in Germany,” Phuc said.
HVAOnline has informed the service providers of the existence of the servers that control the botnet in Vietnam. The servers have been neutralized since the morning of July 16.
According to Phuc, users can check whether their computers are serving as zombies by using a tool at www.antibotnet.tk.
If users see the warning on the screen, their computers access the Internet very slowly, and they have not restarted their modems in the last 10 days, it is very likely that the computers have been infected with the “sinh tu lenh” virus.
If so, users should contact email@example.com for support.
Thang Cu Anh, a member of HVA, has advised computer users to download a tool that can help remove the malware from http://www.mediafire.com/download/pg4hs72x1ifs7z3.
Users need only download the tool, copy it to a USB drive, insert the drive into the computer and run the killstlbot.cmd file with administrator rights. It should be run several times, after which users press Ctrl-C.
Since July 4, Thanh Nien, Tuoi tre, Dan Tri, VietNamNet and Kenh 14 have been victims of the DDoS attacks, and the number of online newspapers hit is on the rise.
It is estimated that each of the newspapers has been hit with attack traffic of 50-70 Mbps, and up to 1.3 Gbps in some cases.
The attacks have been described as “bigger than ever.”