Tech Firms Join Police to Take Down Dorkbot Botnet

A coalition of technology firms and law enforcers has set about dismantling the notorious Dorkbot botnet, responsible for infecting countless PC in more than 190 countries worldwide.

Eset malware researcher, Jean-Ian Boutin, explained in a blog post that his firm worked with police, Microsoft and CERT.PL to sinkhole the bot’s C&C servers.

“Win32/Dorkbot is distributed via various channels such as social networks, spam, removable media and exploit kits. Once installed on the machine, it will try to disrupt the normal operation of security software by blocking access to their update servers and will then connect to an IRC server to receive further commands,” he said.

“Besides being a password stealer, targeting popular services such as Facebook and Twitter, Dorkbot typically installs code from one of several other malware families soon after it gains control of a given system.”

These other malware families include Win32/Kasidet – also known as the Neutrino bot and used to launch DDoS attacks – and Win32/Lethic, a popular spambot.

Eset has been tracking Dorkbot for several years, having released a VirusBulletin paper on the bot back in 2012, and is still seeing “thousands” of detections every week from “most parts of the world.”

In July 2011, it broke into Eset’s top ten malware chart with a market share of 1.47%, with the security vendor claiming it was particularly prevalent in Latin America and the Caribbean.

Three years ago it was spotted by Sophos spreading via Facebook, Twitter and even Skype, and stealing user credentials for a wide variety of sites including PayPal, Netflix and many more.

“Dorkbot uses old tricks to compromise new systems,” Boutin warned. “Users should be cautious when opening files on removable media, as well as files they receive through email or social media.”   

Eset has also released a free tool designed to clean infected systems of Dorkbot, available here.

What’s Hot on Infosecurity Magazine?