Law enforcement dismantled the Dorkbot botnet

    ESET has assisted Microsoft, the Polish CERT, and law enforcement agencies around the world in eliminating the Dorkbot botnet by sinkholing the bot's C&C servers. In this post we publish a technical overview of the malware, statistics on infections, and information about its C&C servers.



    The assistance we provided in dismantling this botnet draws on our long experience in tracking this threat and protecting users from it. Comprehensive information about this threat was presented back in 2012 by ESET researcher Pablo Ramos at the Virus Bulletin conference.

    Attackers have managed to infect many users in more than 200 countries with Dorkbot. The malware is detected by ESET's antivirus products as Win32/Dorkbot, and it has been spread via social networks, spam mailings, exploit kits, and removable media. Once installed on a PC, Dorkbot interferes with the installed antivirus products, blocking their access to updates. The bot uses the IRC protocol to receive instructions from the attackers.

    In addition to performing functions familiar from other Trojans, such as stealing passwords for popular services like Facebook and Twitter, Dorkbot specializes in installing one or more other malicious programs on a compromised system. We have recorded the bot installing malware such as Win32/Kasidet (Neutrino bot) and Win32/Lethic. The first is used by cybercriminals to conduct DDoS attacks; the second is a spam bot.

    Dorkbot is still very common in many countries around the world. Every week we observe thousands of user infections by this malware, and fresh bot samples arrive at our antivirus lab daily. Unsurprisingly, Dorkbot became a target of law enforcement. To check your system for a Dorkbot infection and remove it, use our free Dorkbot Cleaner tool.


    Fig. Geographic distribution of Dorkbot infections.

    The diagram below shows the various components used in the latest versions of Dorkbot that we were able to analyze.



    Consider a typical infection through a removable USB drive, which helps illustrate the role of each module. Since Dorkbot searches for removable media connected to the infected system in order to compromise them in turn, many of our detections of this malware's samples occurred on removable media. Two types of Dorkbot files were found there: the dropper executable and .LNK files with deceptive names that point to the dropper.

    When a user launches the Dorkbot dropper from a USB drive (detected by ESET AV products as Win32/Dorkbot.I), it tries to download the main component of the malware from a remote server. The address of that server is hardcoded in the dropper executable. The downloaded file is heavily packed; its code unpacks from itself and executes the Win32/Dorkbot.L executable, a simple wrapper used to install the main component. This main component, detected by us as Win32/Dorkbot.B, is responsible for communicating with the remote server via IRC. The wrapper also hooks the DnsQuery API function in the main component. Dorkbot uses this technique to make it harder for antivirus analysts to identify the domains of the real C&C servers, since the launched component itself does not contain the addresses of the attackers' real C&C servers. When it tries to resolve a domain through DnsQuery, the call is intercepted and the wrapper passes the address of the real C&C server to the API function as one of its arguments.

    After installation of the malware is complete, the bot tries to connect to the IRC server and waits on a fixed channel for commands from the attackers. As a rule, the bot receives commands to download and execute new malware on the system, such as the families mentioned above.
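    Because the wrapper substitutes the real C&C address only at DnsQuery time, the real domain is hidden from the main component's binary but not from the network: the IRC registration (NICK, USER) and the JOIN to the fixed channel are still visible to a sensor watching outbound traffic. The following added example (not code from the original post or from ESET) shows a minimal detector for that handshake over a few constructed log lines; the line format, IP addresses, nicknames and channel name are all assumptions made for the demonstration, not Dorkbot indicators.

```python
import re
from collections import defaultdict

# Constructed sample: one client->server message per line as a sensor might log it,
# formatted "<src_ip> <dst_ip>:<dst_port> <payload>". Not real Dorkbot traffic.
SAMPLE_LINES = [
    "10.0.0.5 203.0.113.10:6667 NICK bot7731",
    "10.0.0.5 203.0.113.10:6667 USER bot7731 0 * :bot7731",
    "10.0.0.5 203.0.113.10:6667 JOIN #main channelkey",
    "10.0.0.7 198.51.100.9:443 GET /index.html HTTP/1.1",
    "10.0.0.9 192.0.2.33:8080 NICK user42",
    "10.0.0.9 192.0.2.33:8080 JOIN #chat",
]

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<payload>.*)$")
# IRC client commands that make up a registration plus channel join.
IRC_CMD_RE = re.compile(r"^(NICK|USER|JOIN)\b")


def parse_line(line):
    """Split a sensor line into (src, dst, port, payload); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("port")), m.group("payload")


def find_irc_sessions(lines):
    """Return {src_ip: {"server": (dst, port), "channels": [...]}} for every source
    host that completed an IRC registration (both NICK and USER) and joined at
    least one channel. The channel name is the indicator worth logging, since
    the bot waits on a fixed channel for its commands."""
    state = defaultdict(lambda: {"server": None, "commands": set(), "channels": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, port, payload = parsed
        cmd = IRC_CMD_RE.match(payload)
        if not cmd:
            continue  # not an IRC client command, ignore
        entry = state[src]
        entry["server"] = (dst, port)
        entry["commands"].add(cmd.group(1))
        if cmd.group(1) == "JOIN":
            parts = payload.split()
            if len(parts) >= 2:
                entry["channels"].append(parts[1])
    return {
        src: {"server": e["server"], "channels": e["channels"]}
        for src, e in state.items()
        if {"NICK", "USER"} <= e["commands"] and e["channels"]
    }


if __name__ == "__main__":
    for src, info in find_irc_sessions(SAMPLE_LINES).items():
        print(f"{src} registered with {info['server']} and joined {info['channels']}")
```

    Only 10.0.0.5 is reported: 10.0.0.9 sends NICK and JOIN without USER, so it never completes registration, and the detector deliberately requires the full handshake to keep the false-positive rate down. The port is recorded but not used as a criterion, since the post does not state which ports Dorkbot's servers use.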

    The Dorkbot-based botnet has been active for a long time and attackers have continued to use it successfully to this day. The infrastructure of this botnet's C&C servers is one of those whose activity is monitored by ESET specialists. Such information is very important for tracking changes in the malware's behavior, as well as for collecting intelligence about it for use by law enforcement agencies.

    Dorkbot does not use any new methods to compromise systems. Users should be careful when opening files on removable media, as well as files they receive through e-mail and social networks. To check your system for a Dorkbot infection, you can use our free tool from here. To date, ESET antivirus products detect thousands of different modifications of Dorkbot files, as well as the malware files distributed by this botnet.

    The following are examples of URLs, or components of URLs, that Dorkbot's password-stealing component targets.

    *paypal.*
    *google.*
    *aol.*
    *screenname.aol.*
    *bigstring.*
    *fastmail.*
    *gmx.*
    *login.live.*
    *login.yahoo.*
    *facebook.*
    *hackforums.*
    *steampowered*
    *no-ip*
    *dyndns*
    *runescape*
    *.moneybookers.*
    *twitter.com/sessions*
    *secure.logmein.*
    *officebanking.cl/*
    *signin.ebay*
    *depositfiles.*
    *megaupload.*
    *sendspace.com/login*
    *mediafire.com/*
    *freakshare.com/login*
    *netload.in/index*
    *4shared.com/login*
    *hotfile.com/login*
    *fileserv.com/login*
    *uploading.com/*
    *uploaded.to/*
    *filesonic.com/*
    *oron.com/login*
    *what.cd/login*
    *letitbit.net*
    *sms4file.com/*
    *vip-file.com/*
    *torrentleech.org/*
    *thepiratebay.org/login*
    *netflix.com/*
    *alertpay.com/login*
    *godaddy.com/login*
    *namecheap.com/*
    *moniker.com/*
    *1and1.com/xml/config*
    *enom.com/login*
    *dotster.com/*
    *webnames.ru/*
    *:2082/login* (possibly targeting cPanel)
    *:2083/login* (possibly targeting cPanel)
    *:2086/login* (possibly targeting GNUnet)
    *whcms*
    *:2222/CMD_LOGIN* (possibly targeting DirectAdmin)
    *bcointernacional*
    *members.brazzers.com*
    *youporn.*
    *members*
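
    To judge which of an organisation's own login URLs would be swept up by this list, it helps to treat the entries as wildcard patterns and run candidate URLs through them. The following added example (not code from the original post or from ESET) does exactly that for a subset of the patterns above. The post does not document the component's matching semantics, so the example assumes case-insensitive glob matching of each pattern against the full URL string; that assumption, the pattern subset and the sample URLs are all constructed for the demonstration.

```python
import re

# Subset of the wildcard patterns listed in the post (selection constructed for this example).
TARGET_PATTERNS = [
    "*paypal.*",
    "*login.live.*",
    "*twitter.com/sessions*",
    "*signin.ebay*",
    "*1and1.com/xml/config*",
    "*:2082/login*",
    "*:2222/CMD_LOGIN*",
    "*members*",
]


def glob_to_regex(pattern):
    """Turn a '*'-wildcard pattern into a compiled regex.

    Every character is escaped first so that '.' and '/' are literal; only the
    escaped '*' is turned back into a greedy wildcard. Matching is assumed to be
    case-insensitive (an assumption, not documented in the post)."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*"), re.IGNORECASE)


COMPILED = [(p, glob_to_regex(p)) for p in TARGET_PATTERNS]


def matching_patterns(url):
    """Return the list of patterns that match the whole URL (empty if none)."""
    return [p for p, rx in COMPILED if rx.fullmatch(url)]


def audit_urls(urls):
    """Map each URL to the patterns it triggers, for reviewing exposure."""
    return {u: matching_patterns(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs; example.com and the host names below are placeholders.
    for url, hits in audit_urls([
        "https://www.paypal.com/signin",
        "https://login.live.com/",
        "https://twitter.com/sessions",
        "https://host.example:2222/CMD_LOGIN",
        "https://example.com/members/area",
        "https://example.com/about",
    ]).items():
        print(f"{url} -> {hits or 'no match'}")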


    Also popular now: