Dorkbot Botnet Disrupted

December 9, 2015

The above image is a heat map representing Dorkbot machine detection for the past three months globally. (source: MMPC)

Global Operation Takes Down Dorkbot

This post summarizes the significant cross-organizational efforts required to disrupt just one family of malware out there.

What is Dorkbot?

Win32/Dorkbot is an Internet Relay Chat (IRC) botnet. The worm has been stealing credentials and installing malware to take over systems since 2011 through popular services such as instant messaging platforms, Facebook, Skype, and Twitter as well as travel via removable devices and through spam. It’s been using the same old tricks and thousands of versions of it have been developed over the years. It has remained, as a result, on ESET’s Top 10 list on the Global Threat Radar. It is enhanced by its ability to act as a “dropper” for other threats, which means it is an executable file that actually contains a whole host of other files compressed inside it.

Why should I care?

This malware has infected an average of 100,000 machines per month worldwide, and that is just a report of known infections. According to recent Interpol reports, the Dorkbot botnet is commonly used for the following primary illegal activities:

Stealing account credentials for online payment and other websites;
Distributed denial of service attacks;
Providing a mechanism through which other types of dangerous malware can be downloaded to and installed onto the victim’s computer.

Team Take-Down

US-CERT/DHS (Department of Homeland Security’s United States Computer Emergency Readiness Team), FBI, IDCC (Interpol) and Europol, among other agencies, have joined forces with ESET, CERT.PL (Computer Emergency Response Team Polska) and MMPC (Microsoft Malware Protection Center) to complete thorough analysis of the threat through a sinkhole operation and subsequently disrupt the botnet.

Preventing Dorkbot and other malware

Malware can easily be prevented or, if present, removed with appropriate anti-virus tools in place that are scanning users’ machines regularly. We cannot stress enough the ongoing importance of scanning and screening security of sites and links, at the absolute least, to protect yourself and your organization.
Patch your systems with appropriate updates.
Be cautious about allowing rights to sites or administrative actions on your machine.

Get in touch with us to learn more about what we can do to protect your team and your business assets.

References

https://www.us-cert.gov/ncas/alerts/TA15-337A

http://www.cert.pl/news/10926/langswitch_lang/en

Posted in Security

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.