Dorkbot Botnet Disrupted


The above image is a heat map representing Dorkbot machine detection for the past three months globally. (source: MMPC)

Global Operation Takes Down Dorkbot

This post summarizes the significant cross-organizational efforts required to disrupt just one family of malware out there.

What is Dorkbot?

Win32/Dorkbot is an Internet Relay Chat (IRC) botnet. Since 2011 the worm has been stealing credentials and installing malware to take over systems, spreading through popular services such as instant messaging platforms, Facebook, Skype and Twitter, as well as via removable devices and spam. It has been using the same old tricks, and thousands of versions of it have been developed over the years; as a result, it has remained on ESET’s Top 10 list on the Global Threat Radar. It is made more dangerous by its ability to act as a “dropper” for other threats, which means it is an executable file that carries a whole host of other files compressed inside it.

Why should I care?

This malware has infected an average of 100,000 machines per month worldwide, and that is just a report of known infections. According to recent Interpol reports, the Dorkbot botnet is commonly used for the following primary illegal activities:

  • Stealing account credentials for online payment and other websites;
  • Distributed denial of service attacks;
  • Providing a mechanism through which other types of dangerous malware can be downloaded to and installed onto the victim’s computer.


Team Take-Down

US-CERT/DHS (Department of Homeland Security’s United States Computer Emergency Readiness Team), FBI, IDCC (Interpol) and Europol, among other agencies, have joined forces with ESET, CERT.PL (Computer Emergency Response Team Polska) and MMPC (Microsoft Malware Protection Center) to complete thorough analysis of the threat through a sinkhole operation and subsequently disrupt the botnet.

Preventing Dorkbot and other malware

Malware can easily be prevented or, if already present, removed with appropriate anti-virus tools in place that scan users’ machines regularly. We cannot stress enough the ongoing importance of, at the absolute least, scanning and screening the security of sites and links to protect yourself and your organization.

  • Patch your systems with appropriate updates.
  • Be cautious about granting rights to sites or allowing administrative actions on your machine.

Get in touch with us to learn more about what we can do to protect your team and your business assets.


References

https://www.us-cert.gov/ncas/alerts/TA15-337A

http://www.cert.pl/news/10926/langswitch_lang/en